In my last year as VP of an incident response company (at Forensik), not a week has passed without a local organization calling to ask for assistance recovering from a cyber attack. Here are some thoughts that I would like to share, after having spent most of my time either leading groups of IT professionals through incident responses or video conferencing with executives to discuss strategies for organizations that have been compromised.
1 – COVID has been a game changer in incident response. Many organizations have been forced to embrace cloud technologies to facilitate remote work and migrated their systems within a week or two, without properly managing the technological change for their users and, more importantly, for their sysadmins. IT administration, and more specifically incident response, has changed. Twenty years in IT does not mean you know how to properly secure, configure and conduct analysis in O365 or G-Suite, for example. Advice: If you don’t know what you are doing, have the humility to ask for help, because these environments are often accessible from anywhere in the world - and hackers did their homework. The more you improvise, the worse it gets for your organization.
2 – Finger pointing during crisis management brings delays, irrecoverable damage and significant loss of assets. I have seen many reactions from CEOs and executive boards during the first days of a major incident. Blaming the CISO/CIO has never been the most effective approach. During the incident response phase, he or she is often the only one with the big picture and the full history of the IT infrastructure, and their knowledge and leadership are very valuable to ensure recovery. Before finger pointing – think about the consequences. Also – maybe they asked for a budget to upgrade the system and it got denied? Maybe the lines of business (now blaming him or her?) were the ones denying the change or introducing risks into the environment through bad practices? Maybe the board never saw the value of implementing proper IT governance, risk management and dashboard reviews? Advice: If I were a CEO and I had to choose between two equally qualified candidates for a CIO position – I would choose the one who went through a major hack, because that kind of experience is extremely valuable for the future.
3 – Don’t think you are safe because you have a plan on paper - hackers don’t care about your roadmap and your project chart. Most of the time, in the first hours of an incident response phase, a lot of questions are raised. And most of the time, the security feature that would have helped prevent the incident was planned for deployment in “Quarter X”. A message to all executives – having a security plan isn’t something that will protect you until it’s implemented and completed – writing it down only shows that you are aware of the flaws and remain vulnerable until its completion. Not knowing your vulnerabilities is even worse – and if you don’t have the appropriate resources, bring these concerns to the board and share the burden.
4 – Stop thinking that you are “worth nothing” to them. Many times, I have seen organizations thinking that their data is not attractive to hackers, which gives them an excuse for bad IT management practices. The “we are not NASA here” mentality. I have seen internal IT resources being “abused” by hackers for a year, organizations attacking other organizations without even being aware of it, and personal information being leaked by organizations that did not even know it existed. Some businesses ended up paying millions of dollars and, in some cases, even went bankrupt. It is sad, but it is the reality in 2021 – you are all worth something to them – please beware.
5 – Your security solutions are no silver bullets, and you should start investing in your people. In every case where I was called in to assist, the client already had firewalls, antivirus, endpoint protection and other security solutions. Most of the time, a human factor is at the root cause of the incident. Organizations don’t mind paying $100-150 per year to protect a laptop (software, licence, management time, updates, etc.), but some organizations are not willing to pay a fraction of that amount to train their employees on cybersecurity. It doesn’t make sense, considering that computers, security controls and processes are all managed and/or used by these same employees.
To conclude, through adversity, everyone should be humble. Even toward your competitors: you all gain from helping each other during such a crisis. Make deals or partnerships with organizations that have the same IT expertise as you, so that when an incident occurs and your IT staff are working 15-20 hours per day for a couple of weeks, you can seek reinforcement. Cybercrime is a very lucrative and well-established business involving many stakeholders, and I think that it is here to stay. What do you think?