By Lincoln Kaffenberger
There are two kinds of organizations: Those who have been hacked and those who will be.
Leaders simply cannot ignore cyber-attacks; cyber-attacks have a very real impact on a company’s bottom line. A recent study by McKinsey and the World Economic Forum determined that cyber-attacks could have as much as a $3 billion impact on the public and private sectors.
One can hardly go a day without learning that yet another business has fallen victim to a cyber-attack. Many leaders will hear such reports and think that spending more money on defense is the answer. However, that line of thinking results in an incomplete solution and one that has failed time and again. Here are five things that leaders must do to prepare their organizations for a cyber-attack:
1. Understand how computers, the Internet, and malware work and ensure your subordinates do too. You use a computer and the Internet to send emails, get news, and watch videos, but do you understand how they work? Do you understand how computer viruses operate and what their capabilities are? If you are like most people, the answer to these questions is no, but it should not stay that way.
Learn how your computer works, what the OSI model is, and the various malware threat vectors. Or better yet, have your Chief Information Security Officer (CISO) explain these to you. This will give you an excellent opportunity to get to know your CISO better before a cyber-attack happens.
In the same way that a Chief Executive Officer (CEO) must understand the organization’s marketing, HR, and legal aspects, that same CEO must now understand how their organization’s network is laid out, where the data is physically and digitally stored, and what cyber threats exist.
Have your CISO provide regular briefs on the attempted intrusions into your organization’s network and other threats that he or she is aware of. These regular threat briefings will ensure you maintain situational awareness of the threat and are able to reallocate focus, personnel, or funding to appropriately mitigate certain risks.
As you are learning about computers, the Internet, and cyber threats, ensure that your subordinate leaders learn this as well so that the entire team becomes security conscious and threat aware.
2. Know what information is valuable and take measures to safeguard it. What information is most important to your organization? What information would most damage your organization if a cyber-criminal or competitor got hold of it?
You must specify what information is critically important, important, and non-critical. CISOs need to know your information priorities so they can give critically important information stronger protection than non-critical information.
Also, consider who in your organization should have access to important information. A recent survey by PricewaterhouseCoopers found that CISOs expected that 58% of cyber-attacks originated from insider threats. Nick Vermeulen of PricewaterhouseCoopers recommends that companies classify their data, monitor their staff’s behavior on their networks, and monitor and vet contractors.
3. Have an organization-wide incident response plan for WHEN the cyber-attack occurs. What is your organization’s incident response plan? The best way to ensure that your organization effectively handles the crisis is to have a solid incident response plan.
Jason Ingalls of Ingalls Information Security recommends “identifying team members, providing guidance on response activities, and addressing the many regulatory and fiduciary responsibilities of your organization…testing the plan on a regular, periodic basis and improving it is also extremely important.”
When a cyber-attack occurs, the CISO and his or her team will obviously be running at full speed to provide you with the details of the breach, what information has been compromised, and the particulars on how to fix the problem. However, leaders must resist the urge to have near-constant updates. Hourly status updates are about as frequent as a leader can reasonably expect without significantly disrupting the security team’s ability to do their job. That being said, your IT professionals are just one part of the team: Your human relations, public relations, operations, and logistics teams are also impacted by the attack and need to be involved in the incident response process.
4. Set your IT security professionals up for success. While throwing money at the problem does not fix it, cybersecurity budgets are often lagging compared to the threats your security team faces every day.
A study by Ponemon found that incident response made up only 10% of the computer security budget, and this amount had not risen in the past three years. With cyber threats growing, a company cannot afford to underfund its security team or its incident response team.
Additionally, bring your CISO and security team into the planning process for all operations that involve your computer network; this includes acquisition meetings, building renovations, contract negotiations, and vetting contractors. With your security team in these planning meetings, they will have the foreknowledge necessary to plan accordingly for increased threats or risks and provide valuable insight to help departments maintain good cybersecurity.
Also, have regular exercises and drills where the team practices its response to a cyber-attack. During these exercises, be sure to involve all the staff elements (HR, public relations, operations, etc.) that will be involved in an actual incident response.
5. Prepare in advance – cyber insurance and cyber intelligence. Preparing in advance requires money, but as Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” Spending tens of thousands of dollars on security will save you hundreds of thousands or millions of dollars in recovery.
One way to do this is to augment your cyber-defense with a cyber analytic capability. Companies like Ronin analytics offer large and small-to-medium-sized companies a cyber analytic service that helps them get ahead of the cyber attackers. Also, given how costly cyber-attacks can be and that most states have mandatory data-breach notification laws, it is important for businesses to invest in a solid cyber liability insurance policy. Cyber liability insurance will help ensure customer confidence, cover the costs for your organization to fix the breach, restore lost or corrupted data, and help with any litigation costs associated with the cyber-attack.
As leaders, YOU are the first line of defense against a cyber-attack. Your policy, hiring, and budget decisions as well as planning and operational guidance play decisive roles in your organization’s cyber-security.
About the Author: Lincoln Kaffenberger is an intelligence professional working with the U.S. Army and the National Security Agency. Lincoln has advised commanders on security risks for the past six years both stateside and overseas. Lincoln earned his Master’s degree in Intelligence Studies from American Military University.