How To Ensure Your Enterprise Security Program Is Ready For Bad Actors & Cyber Incidents
You heeded the warnings from cybersecurity experts, implementing safeguards to protect your infrastructure and ensure operational continuity. On paper, when the inevitable attack happens, your organization should be able to emerge mostly unscathed and with only minor hiccups in your enterprise, right? Not in all cases. Any small oversight can have devastating consequences. Just ask SolarWinds.
Prior to the discovery of the compromised Orion network management system in 2020, bad actors tested a snippet of code to see if they could alter sealed software code undetected, using this small-scale attack as a prelude to a larger scheme. Then, these bad actors inserted malicious code into software updates milliseconds after SolarWinds’ internal security audits, mimicking protocols to cover their tracks. What appeared to be clean and verified software contained bugs that infiltrated the systems of over 18,000 organizational clients.
This type of threat is only one avenue of access, which is worrying with the volume of security events on the horizon. A Deloitte poll last year found 86.7% of executives believed the amount of cyberattacks against their business would increase in a 12-month period.
Organizations in the healthcare payor, financial services sector, and other high-demand industries are at an especially elevated risk, due to the market value of their data or promise of high ransom payments. Here is what you need to do to verify whether your disaster recovery plan audit identifies opportunities and closes off vulnerabilities.
Testing Theoretical Plans on Real-World Offensives
Your cybersecurity plans, protocols, and procedures are designed to mitigate risk and shut down avenues of attack. But unless those measures have been tested against in simulations, all your precautions and defenses are theoretical. Unfortunately, bad actors don’t really care about what works in theory, finding clever tricks to undo your best-laid plans. As the 2022 Data Breach Investigation Report puts it, “[T]he only certain thing about information security is that nothing is certain.”
Cybersecurity exercises held by DARPA on Plum Island, New York, as part of the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) project demonstrated just how unwilling bad actors are to follow the playbook. Energy industry operators and cybersecurity experts pitted against white hat hackers encountered curveball strategies from the start. Bad actors manipulated sensor data, dimmed the visibility of monitors as malfunction misdirects, and disabled online app portals, creating a topsy-turvy environment where cybersecurity teams lost all footing.
Though cybersecurity experts were able to reestablish some control in contested environments, their efforts were short-lived, undermined in an instant as bad actors changed the game to their own advantage. In this situation, bad actors were trying to compromise the power grid, an example where all pretense of stealth is thrown out the window. If their attacks had been meant to reap rewards at a later date, relying on a level of quiet subterfuge, they might have gone unnoticed for months, long after the worst has already come to fruition.
Healthcare, financial services, utilities, and other high-pressure industries need to maintain a security posture that accounts for the unpredictability of live attacks and adapts through exposure to ingenious moves. Much like the United States Armed Forces conducts military exercises to test their mobilization and preparedness for conflict-based anomalies, so should your organization test itself. The goal is to expand the known techniques and cyberactivity to anticipate a wider scope of threats (the ploy used in the SolarWinds attack was more novel than even the Department of Homeland Security was expecting).
Whether working with an audit consulting partner or deploying as much of your internal team as available to test the parameters of your defenses, the action of running drills will only broaden the effectiveness of your enterprise security program.
Increasing Testing Frequency
How often you are auditing your cybersecurity plans and programs also influences their potency. The quantity of potential attackers dreaming up new hacking tactics as well as the speed at which the general threat landscape evolves requires organizations to test and retest their overall cybersecurity strategies. What’s worrying is surveys suggest this level of preparation is not happening.
According to the Information Systems Audit and Control Association®, 41% of organizations say they run cybersecurity risk assessments on an annual basis. Experts suggest this is not enough. On average, experts recommend auditing any cybersecurity disaster recovery plan twice a year, at minimum. Organizations that are higher-risk targets or have larger infrastructure may benefit from an increase in their auditing frequency to once a quarter or even once a month.
Additionally, the types of tests and audits you’re conducting will also vary depending on how involved or demanding they are. Routine checks of backup systems, much of which can be automated, can be conducted on a regular basis, typically during predetermined times of low traffic or reduced usage. More comprehensive examinations of your platforms, systems, or data by third parties or white hat hackers, both of which are more disruptive to standard operations, can happen with less frequency.
Preparing for Only Bad Choices
Sometimes, you are left in a position where none of your options are ideal. And bad actors, despite your defenses, have compromised your system. Hopefully, your business has prepared for some of these varieties within your cybersecurity disaster recovery plan. Even with an understanding of what you need to do, there’s a difference between knowing a decision is right and actually pulling the trigger.
When Spectra Logic, a Colorado data storage company, was caught in a ransomware attack, they were forced to make some difficult decisions on the fly. Spectra Logic’s Senior IT Director spotted the simultaneous failure of numerous unrelated systems and the encryption of key files. Recognizing the issue as a ransomware attack, they were faced with a tough choice: allow bad actors to complete their gambit and pay the ransom or manually unplug servers and machines in the data center to prevent the spread of encryption. They opted for the latter and the result was an entire infrastructure shut down for days.
What made this option preferrable to paying the ransom? When interviewed, they had cyber insurance that could have covered part of the cost of the ransom and provided immediate relief, so why choose the hard road? Their thinking was that bad actors could just as easily take the money and run or return in the future to a perceived soft target willing to pay their extortionary demands. In the long run, leadership decided it was better to deal with the weeks it took to return to normal as a future deterrent for similar attacks than pay now for an uncertain outcome.
The lesson here is that everyone in the organization needs to have a clear understanding of the consequences of their choices – and be ready to endorse decisions without hesitation. If there is delay in action, you might be forced to decide between two even worse situations.
Verifying the Fundamentals Are in Place
When you’re auditing your systems, it’s important to ensure that what you’ve accomplished covers your bases. Surveys are finding that only about 32% of healthcare organizations have a comprehensive security program and only 48.44% of financial services businesses are very confident in their storage security and recovery.
Revisiting the basics as well as preparing for novel and multiple negative outcomes ensures that your organization is ready for the full span of challenges – no matter how common or uncommon it is.
Want to identify further ways to enhance your cyber security disaster recovery plan? Follow our blog for the latest insight into enterprise and security best practices.