
Cyberattacks: “It happened. Now what?”

When a successful attack against your organization occurs, the response must be both human and technological. The great irony of IT security is that, despite your best efforts, some form of successful attack is likely to happen at some point, no matter what you do. After all, defenders have to be right every time, whereas attackers only need to be right once. To complicate matters further, it might not be immediately clear when the actual compromise took place.

It can come in the form of a successful phishing attack, a ransomware lockdown, the work of someone with little expertise beyond operating a purchased attack kit, or an advanced persistent threat. After the initial compromise, attackers will look to extend their access to other devices on the network (lateral movement), escalate privileges in order to reach more data, and generally move through your infrastructure until they find the specific targets they seek. Once that is done, they may cover their tracks and withdraw, or, more likely, try to maintain a presence on your network that can facilitate future attacks. Bear in mind that data can be intercepted while in transit or stolen while at rest.

While it makes sense to do everything possible to fend off these attacks and prevent them from happening, it is equally important to ensure you have the infrastructure and plans in place to detect the breach, notify the necessary people, and collect all the information required to trace the breach, close the exposure, and prevent it from happening again. Many experts suggest the best tactic is to delay the attacker long enough for security teams to discover the incursion (or attempted incursion) and resolve the issue before damage is done, or at least to minimize it.
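The lateral movement described above is one of the things the detection side of that plan has to catch. The following is an added example, not code from the original article or from any vendor it mentions: a minimal sliding-window detector that flags an account which successfully authenticates to an unusually large number of distinct hosts in a short time. The log format, the sample lines, the account and host names, and the threshold values are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): a minimal lateral-movement
detector run over constructed, hypothetical authentication log lines.

Each line is assumed to have the form
    <ISO timestamp> <account> <source_host> -> <dest_host> <result>
The window and the distinct-host threshold are illustrative assumptions;
tune them to the environment's normal baseline before relying on them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry. The "svc_backup" burst,
# sourced from a user's workstation, is the behaviour we want to surface.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice ws-alice -> fs01 SUCCESS
2024-03-01T09:05:10 bob ws-bob -> mail01 SUCCESS
2024-03-01T22:10:00 svc_backup ws-alice -> fs01 SUCCESS
2024-03-01T22:10:07 svc_backup ws-alice -> fs02 SUCCESS
2024-03-01T22:10:15 svc_backup ws-alice -> db01 FAILURE
2024-03-01T22:10:16 svc_backup ws-alice -> db01 SUCCESS
2024-03-01T22:10:30 svc_backup ws-alice -> dc01 SUCCESS
2024-03-01T22:11:02 svc_backup ws-alice -> hr-share SUCCESS
2024-03-02T09:00:03 alice ws-alice -> fs01 SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, account, source, dest, result)."""
    ts, account, src, arrow, dst, result = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected line format: {line!r}")
    return datetime.fromisoformat(ts), account, src, dst, result


def detect_lateral_movement(log_text, window=timedelta(minutes=10), max_hosts=4):
    """Return alerts as (account, last_source, sorted distinct dests, time).

    An alert fires the first time an account has successfully reached more
    than `max_hosts` distinct destinations inside a sliding `window`.
    Failed attempts are skipped here; in practice they are useful context
    (password spraying looks different) but should not inflate the count.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)  # account -> deque of (ts, src, dst)
    alerted = set()  # alert once per account, not once per event
    alerts = []
    for ts, account, src, dst, result in events:
        if result != "SUCCESS":
            continue
        q = recent[account]
        q.append((ts, src, dst))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        dests = {d for _, _, d in q}
        if len(dests) > max_hosts and account not in alerted:
            alerted.add(account)
            alerts.append((account, src, sorted(dests), ts))
    return alerts


if __name__ == "__main__":
    for account, src, dests, ts in detect_lateral_movement(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {account} from {src} reached {dests}")
```

Run against the sample, the detector raises one alert for `svc_backup`, which touched five hosts in about a minute. The sample also shows a second signal the simple version deliberately leaves out: a service account authenticating from a named user's workstation. Adding a per-account baseline of expected source hosts is the natural next step, and it is exactly the kind of rule that buys the delay the paragraph above describes.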

This is essentially a team approach that extends beyond your technologists and engages business-level roles as well. This team should include your Trusted Advisor and a managed security services provider, if one has been commissioned. It may also include your communications team.

“Many times, we assume that the most important component to the response to an incident is the technical component, which is let’s get the systems and operations back up and running and let’s get the impact minimized,” said Leo Taddeo from Cyxtera, a secure infrastructure company with 57 data centers. “I’ve always believed that the technical aspects of incident response are not as important as the communications aspects. If you look at what really harms a company after a cyber breach, it’s not they’ve lost data or a server. What they have lost is trust, and that trust is lost when communications are not concise, clear, and open. So, when you form a task force for incident response, the most important person in the room is the one responsible for outward communications, meaning what are we going to tell our customers and partners? What are we going to tell the government? The government reaction is much more severe when the government suspects the company is withholding information improperly, and thereby putting other people at risk.”

Taddeo, who previously ran the FBI’s largest cyber-investigative unit out of New York, said that since most executives are trained to protect the enterprise from litigation and loss of reputation, they often translate that objective into severely limiting public information. But breaches and related issues can rarely be kept under wraps for very long. Sometimes employees may speak too much about what they know. Other times the attackers themselves may discuss their exploits, perhaps on the dark web. All this leads to speculation, some of which might be wildly untrue, yet equally damaging to the company.

Dealing with a cyberattack requires more than great technology. It requires a great team.