'There are two types of companies; those that know they have been hacked, and those that have been hacked and don't know it.' So John Chambers CISO (Chief Information Security Officer) and previous CEO of Cisco is often quoted as having said. 2017 has underlined this as a truism, as virtually all records from prior years have been smashed.
Sadly the growth in volume of reported, successful hacks follows the exponential curve predicted by the gloomiest of forecasters. Cyber-attacks in 2017 occurred at an astonishing double the rate of occurrences in 2016. The vast majority of hacks, close to 75%, are committed by opportunistic criminals. (Source: hackmageddon Oct 2017)
The fact is you are far more likely to be hacked than not. Furthermore, the hacker is likely to be a cyber-criminal who will dwell in your system completely undetected for an average of 49 days. Though a vast improvement from the 81-days average of 2015, 49 days is still plenty of time to cause damage. So, what can you do about it?
Brace yourself for the inevitable
Tim Vincent, CMO of newly launched Powel Security Services,offers some key lessons for executives from 2017.
“Preparing yourself and your company is key. Set expectations company-wide that the hacker is already dwelling in your system and the search for them has begun – damage limitation for inevitable events cannot begin soon enough,” he says.
“Additionally, you should limit data exfiltration through simple monitoring alerts which can prevent hackers from stealing data. Admin rights should be contained and with just a few people who are well vetted, thus limiting the hackers ability to implement change,” Vincent continues.
Developing post-hack drills, to ensure all employees know what to do and how to do it as soon as the hack is revealed, is recommended. Holding regular drills will test the organisation’s robustness in response. Invite press and PR experts to help advise on external communications.
Get into cloud
One of Powel’s headline recommendations to our clients is to invest in the best leaders you can possibly justify. Experienced leaders are crucial in helping pilot a company through these tricky passages.
A focus on key areas such as threat-detection and response, security scanning and testing needs should of course be a priority, but if you can migrate your systems into the cloud, you should.
Vincent explains, “Wherever the business services or products can be cloud-enabled, we strongly recommend that they are. The cloud is proving to be the environment where the most meaningful layers of protection can be assured from constantly evolving threats. Internal budgets for an enterprises network will always be dwarfed by the likes of Microsoft's investment in Azure.”
Sharing is caring
Just ten years ago, threat intelligence was limited to reactive prevention and analysis of known threats. However, there were plenty of unknowns. Among respondents to the Global State of Information Security Survey (GSISS) that detected a security incident in 2008, 42% did not know the source of the incident. In recent years, that number has dipped below 10%.
Today, more organisations are implementing dynamic threat intelligence and information sharing to shift cybersecurity and privacy capabilities from reactive to proactive. They understand that they can build business advantages and customer trust by better visibility into specific threats—and most importantly sharing that information with private and public sector entities.
Powel is one of the sponsors of IOTSA (www.iotsa.info), the International Technology Security Association, launched early in 2017. The aim of the organisation is precisely information sharing. Together we have a better chance of defending ourselves from the hackers whom we know to be very adept at sharing successful exploits.
“IOTSA was set up to be a common platform for cyber security professionals within IT and OT to share experiences across industries, in order to find solutions to challenges together,” says Vincent. “It is a voluntary, not-for-profit organisation and experienced officers and representative members bring a passion for security, community development, education and technical prowess, benefitting member organisations.”
What not to do
The past year has also shown companies what not to do in the event of a security breach: opting for secrecy. What we have seen time and again is that opting for secrecy does not work. Once you get found out the damage to your company’s brand values far outstrips the damage caused when admitting to a hack and being open about the process of damage limitation.
With hacking being so prolific, chances are you will be hacked. Which begs the question: why do some companies still risk their reputation this way? Your customers deserve to be informed and by going for openness in the face of shared adversity, you have the best chance of protecting you brand.
Powel Security Services provide a structured approach to helping our clients ensure they are better protected against the risk of a significant cyber security compromise and the inherent; brand, economic or environmental damage such an event could cause.
Contact us today to share thinking and book a free one to one Cyber Security insight meeting, +47 73 80 45 00 or firstname.lastname@example.org
Powel Security Services – protecting your brand, your data, your people and your assets from cyber, social and physical attacks.