Cyber Attack Preparedness


After completing my certification in Cyber Security through Harvard, I became curious about where businesses stand with respect to knowing about risks and mitigating them. Cedarvue hosted a Quick Poll for Cyber Security Awareness Month that consisted of five questions where respondents could indicate Yes | No | Not Sure:

Q1. My organization has experienced a cyber attack/cyber security issue that compromised customer data within the past year.

Everyone who responded said that their organizations had NOT been in this situation in the past year. Awareness is fantastic and I wonder if these organizations have invested in some preparedness tactics already.

Q2. My organization has a robust and fully documented incident management plan that is reviewed more than once a year.

The results for this question were split, with half of the respondents saying yes and the other half saying no. It appears that even where awareness is heightened, there is still a lot of room for improvement: creating a formal response framework and giving it the right priority within the organization.

Q3. My organization requires employees to use several safety measures to protect company data and keep customers’ personal information safe.

Everyone who responded to this question confirmed that their organizations have some safety mechanism or process in place to protect their proprietary data and the personal information their customers entrust to them. While it is excellent that protection is in place, ensuring that these tools and procedures are well documented saves time in the event of a cyber security breach. They become a sort of checklist for determining, by process of elimination, where the attack was successful.

Q4. In my organization, employees complete cyber security training at least annually so they can be vigilant about good data handling practices.

The response here was interesting: 88% yes and 13% no. While many organizations recognize that cyber security is a core competency for everyone within the organization, there are still some that need to implement training and certification programs to help protect themselves.

These approaches help set expectations and make it more difficult for internal saboteurs and disgruntled employees to be successful when they launch attacks from within to compromise data or systems.

Regularly updating the training and certification programs is important because cyber attacks are becoming more insidious and sophisticated over time.

Q5. My organization’s Board is well informed about data and digital asset security. They know about mitigation strategies for data breaches.

This result revealed that it’s a bit of a mystery for a quarter of organizations. I firmly believe that an organization’s approach to cyber security, and awareness of that approach, must come from the top. Commitment at that level, along with a fully documented framework and an organized system, can make the difference in whether an organization recovers from an attack or disaster. Indeed, the accountability for managing all the detailed risks can’t lie solely with the Board of Directors. But it is within their scope to ask more questions, understand the stakeholders, and endorse time to explore organizational readiness through tabletop exercises.

Do you know about NIST?

The gold-standard basis for cybersecurity programs worldwide is the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework. It systematically aligns all cyber security activities within an organization into five core functions: Identify, Protect, Detect, Respond, and Recover. The framework can help your organization evaluate its current state against criteria that assess both readiness and controls. Organizations can complete a survey revealing their level of preparedness in advance of an incident; the higher the score, the more adept the organization will be at detecting, responding to, and recovering from a cyber attack. Find out more at https://www.nist.gov/cyberframework

What are three things you can focus on right now to boost your preparedness?

1. Act on audits

Consider setting up holistic security audits across your organization, and with the vendors you partner with, to examine virtual/digital and physical risk and your vulnerability to attacks. Evaluate the results in terms of what you want to stop doing, start doing, and continue doing. Regardless, you should track and report on cyber security risks at regular intervals, such as monthly and quarterly, as well as in real time. Route these reports to the appropriate roles at each level of your organization to ensure accountability and action.

You should also audit all business-critical system assets and examine access controls for customer-facing and internal service infrastructure essentials. Evaluate controlled access to physical sites and secured areas within buildings to reduce exposure. Only those who require specific access to secured data, technology, and physical spaces to perform their roles effectively should have it. If everyone can get to it, you’re in trouble.

Apply the same standards to your vendors; they must align with expectations for your organization as an extension of your operations.

Run a simulation of your current incident response to a data breach, such as a tabletop exercise, to see what it actually looks like in practice. It should involve every level of the organization.

2. Re-engage Boards of Directors

Set revised oversight expectations with Boards so that cyber security is established as an obligation within the scope of their governance.

Cyber security is intrinsically tied to an organization’s financial, reputational, and operational risk.

The goal is to increase prominence and recognition that cyber security is likely to be within the top five risks facing many organizations. It should be integrated into Business Continuity Plans and be tested regularly.

Boards should also be keenly aware of employee engagement score results. Low scores/poor results should be flagged as a cyber security risk and need to factor prominently in the Board’s oversight.

The Board should also ensure that comprehensive Cyber Security Insurance is in place. This requirement needs to be included as part of incident response plans. Boards should interview the insurance carrier to gain a thorough understanding of coverage inclusions and exclusions.

Boards can influence the handling of cyber security as an area of practice within an organization too. It may be helpful to assign responsibility to a specific area or build accountability into a dedicated role within the company. Establishing a command centre accountable for developing and delivering all processes, reports, documentation, training, exercises, and responses can make all the difference in an effective response to a breach.

3. Increase cyber security awareness for everyone in the organization

It is paramount to invest in systematic tools and education that build understanding and vigilance, so that people know their obligations to protect the organization from cyber attacks. Cyber security awareness is a cultural value all employees must share. It involves things like clean desk policies, but also technical measures such as disabling or locking down computer slots and ports to prevent information theft via dongles and other removable media.

By embedding awareness into the very fabric of your daily operations, you can enlist employees to help recognize risks within their peer groups too. Human error continues to be the most common cause of cyber-related incidents. Unfortunately, organizations also need to be aware of disgruntled employees and the possibility of internal cybercrime. You may have employees who have joined the organization through acquisition and are experiencing frustration. Sometimes as they determine they will exit your organization, they could perform one final hurrah, leading to sabotage or theft. It’s also possible to see this kind of malicious behaviour occur if union negotiations break down.

In the end, the education must include all employees, senior leaders and board members, without exception. Individualized online training should be supplemented with opportunities for discussion and sharing through online seminars or in person.

What can individuals do?

Cyber security risks and concerns are not going away; rather, they are likely to diversify further in both the methods used and their reach, and they are increasing in frequency and intensity. With masking, decoys, and social engineering, attacks on your personal information are becoming harder to recognize. We’re already hearing about counterfeit vaccination status documents, and we continue to be exposed to a worrying volume of AI deepfakes intended to wreak havoc, harass, incite mischief, and spread misinformation rather than serve productive applications.

  1. Question how much of your personal information is necessary to serve you as a customer. Ask who will use it, who will store it, and who will have access to it.
  2. If there is a policy to deactivate or delete accounts automatically after periods of non-use, find out what happens to the data on file. If the account is deleted, how and when is your data disposed of? A deactivated account typically hides your information but doesn’t remove it. Ideally, if you delete an account, all content you generated or supplied should be erased permanently.
  3. Resist the urge to reveal family members, pet names, dates of birth, past addresses or any of the seemingly innocuous things that might be part of a “fun quiz” on different social media platforms. You don’t know who is behind these. You may simply be providing information to hackers to crack passwords on other accounts.
  4. Read the licensing agreements/terms of service of whatever service you use to share photos online. Be cautious. The metadata in these files can reveal where an image was taken: invisible geo-tags and other data elements are stored in the photo file itself.
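To make the last point concrete, here is an added example (not part of the original post) of how a defender can check a JPEG for the hidden GPS sub-IFD that cameras and phones write into the Exif block, and strip the whole Exif segment before a photo is shared. The sample JPEG is constructed inline and is not a real photograph; the parser handles only the parts of the JPEG/TIFF structure needed for this check.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"  # prefix of an APP1 segment that carries Exif/TIFF data

def _walk_ifd(tiff, offset, endian):
    """Map tag id -> raw 4-byte value/offset field for the IFD starting at offset."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    return {struct.unpack(endian + "H", tiff[e:e + 2])[0]: tiff[e + 8:e + 12]
            for e in range(offset + 2, offset + 2 + 12 * n, 12)}

def _segments(jpeg):
    """Yield (pos, marker, length) for each marker segment up to the start of scan."""
    pos = 2  # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if marker == 0xDA:  # entropy-coded image data follows; stop walking
            return
        pos += 2 + length

def exif_gps_tags(jpeg):
    """Return sorted GPS sub-IFD tag ids found in the JPEG's Exif block, [] if none."""
    for pos, marker, length in _segments(jpeg):
        if marker != 0xE1 or jpeg[pos + 4:pos + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[pos + 10:pos + 2 + length]
        endian = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order: II little, MM big
        ifd0 = _walk_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if 0x8825 not in ifd0:  # 0x8825 is the GPSInfo pointer tag in IFD0
            return []
        gps_off = struct.unpack(endian + "I", ifd0[0x8825])[0]
        return sorted(_walk_ifd(tiff, gps_off, endian))
    return []

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed, scan data untouched."""
    out, tail = bytearray(jpeg[:2]), 2
    for pos, marker, length in _segments(jpeg):
        if marker == 0xDA:
            tail = pos  # keep everything from the scan onward as-is
            break
        if marker != 0xE1 or jpeg[pos + 4:pos + 10] != EXIF_HEADER:
            out += jpeg[pos:pos + 2 + length]
        tail = pos + 2 + length
    return bytes(out + jpeg[tail:])

def build_sample_jpeg():
    """Constructed minimal JPEG (not a real photo): big-endian Exif, GPS sub-IFD at offset 26."""
    ifd0 = struct.pack(">HHHII", 1, 0x8825, 4, 1, 26) + b"\x00" * 4  # one entry: GPSInfo pointer
    gps = struct.pack(">H", 2) + struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef
    gps += struct.pack(">HHI", 0x0003, 2, 2) + b"W\x00\x00\x00" + b"\x00" * 4  # GPSLongitudeRef
    app1 = EXIF_HEADER + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\x00\x11\xff\xd9"
```

Removing the Exif segment discards all camera metadata, not only the location; if you need to keep orientation or other tags, rewrite IFD0 without the GPSInfo pointer instead.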

While talking about cyber security can feel like it’s all doom and gloom, try to look for the silver lining when you encounter controls that are there to help.

There’s a tendency to become frustrated at the “inconvenience” of the validations we are asked to make to keep information safe.

I recently experienced a situation that I’m hoping will make you chuckle. I’d received what was set up to be a phishing test email from an organization I’m working with. Interestingly enough, I had an Amazon order that was overdue and I had been corresponding with customer service on its status. As a result, I thought that this phishing email was legitimate and related to the problems I was having with my order. When I engaged with it to respond, I got flagged for additional training on cyber attacks. The “pros” are getting so good at this. Despite the coincidence, I couldn’t tell the difference.

Remember that having safe and secure information is the end goal everyone is reaching for. I’d love to continue the conversation. Feel free to reach out if you would like more information or discuss how I might help you out!
