Most of us have long since given up flipping through our daily newspapers, favouring 24/7/365 news
available at our fingertips on demand. Our information has migrated from analogue to digital and is
available in more places, at any time, to anyone. However, with this convenience comes risk, and
more than your daily news fix is available online.
Browse any mainstream news site, digital publication, or even turn on your favourite news and
entertainment program, and it won’t be long until you encounter a story about a cybersecurity
breach. Government and intelligence agencies report a rapid escalation of cyberattacks, with the
United States Federal Bureau of Investigation (FBI) reporting a 300% increase since March 2020.
Indeed, the global pandemic is a significant factor, and how we earn and learn is forever changed. The economic repercussions are swiftly shifting to desperation and survival. Cybercriminal activity has reached a fever pitch, with nefarious entities seeking opportunities to exploit businesses and individuals alike. We cannot afford to be complacent, and a state of increased awareness that borders on hypervigilance is becoming mandatory.
Healthcare facilities, critical infrastructure, supply chain, finance, and retail are among the sectors whose organisations have suffered cyberattacks in recent times. While the financial impact of these is still being calculated on balance sheets globally, intangible losses, like reputational damage, linger for years. Of course, we can prepare for an incident and invest in preventative measures, but what matters most is how we react and respond, because it is always “when” and not “if” an incident occurs.
Data#3’s JuiceIT panel addressed these points recently, examining the current threat landscape from
a legal, technical, and organisational perspective. What actions are organisations undertaking when
it all goes wrong? If we’re woefully underprepared, how do we bridge that gap to a state of
readiness? Where should we start if we’ve not been compromised but are unsure how we’ll fare
when the chips are down?
Assess, contain, and remediate: these three actions form the core of your incident response plan, and while the timelines and activities within each vary, the basis remains the same. For example, in the event of a security breach, the priority is to assess the situation rapidly. Data#3’s Managed Detection and Response service has a Service Level Agreement (SLA) of a 15-minute response time for critical incidents 24/7/365, and where your data ‘crown jewels’ are involved, this is crucial. Faster response times contain the problem and reduce potential harm. In addition, having the right people involved, following a defined incident response plan, allows you to rapidly confirm whether an incident is genuine and determine its potential impacts.
Upon assessing an incident, we move to contain it. The focus is to limit the damage, actual or potential, caused by the breach and to prevent escalation, further infiltration of systems, and unauthorised access to data. This requires a coordinated technical and administrative approach. Depending on your business and industry, controlling incident communications must happen just as rapidly; you don’t want your key spokespeople or your customers finding out about a breach from a journalist or any other third party, for that matter.
Showing support and offering customers practical advice goes a long way towards building and
maintaining trust in your brand. In the present era of a digital and global economy, reputation is
key, so once you have contained the immediate situation, your attention will turn to remediation.
By rapidly assessing and containing a situation, you will understand the steps required to remediate
it by drawing upon the knowledge gained. This activity may be as simple as switching off a device or
terminating network services or as complex as redesigning a remote work capability. An incident
response plan cannot address every situation or potential threat and outcome, but it can provide
guidelines for action.
Draw on the expertise of your team and get extra help where needed. As part of remediation, one
should understand precisely what happened and how the gap can be closed before other
cybercriminals attempt to repeat the process. Ideally, the lessons learned can be shared to benefit
others since cyber defence is a case of “strength in numbers” in combatting the evolution of threat
actors.
As IT professionals know, security is about more than products or budget; it is also about people and an end-to-end commitment to risk reduction and response preparation. This directive must come from the top, from fully committed and invested leaders, to carry the required weight. When senior management and stakeholders understand the risks involved and invest in a proactive approach to IT security, the organisation positions itself to reduce the impact of breaches.
Having this conversation can be difficult and often has an unknown starting point, but it is worth
having. Some of Data#3’s security resources can help guide the discussion effectively and facilitate
engagement with all levels of your organisation. Everyone, regardless of role, has an investment in
cybersecurity and the overall mission of the business.
A key method to understand the “crown jewels” of an organisation is undertaking a threat, risk, and security assessment to ascertain what is at stake and what controls may or may not exist to address actual and potential threats. These highly bespoke engagements seek to understand the nuances of customers and their systems and data. Since every business is at a different level of cyber maturity, the assessments must consider what is possible in the immediate, short, mid, and long term and provide the greatest value for the least cost and effort.
Organisations struggle to establish a framework or benchmark to compare themselves against as a starting point, and to establish metrics against which progress and maturity are measured. Finding that baseline is confusing and, at times, overwhelming given the wealth of options and advice (not all of which is relevant or contextualised to your business, let alone your industry). However, finding a security framework that aligns well with your situation is very helpful and can help you prioritise security activities.
Indeed, the choices are overwhelming, with frameworks such as the NIST Cybersecurity Framework, ISO 27001, COBIT, and more. The Australian Cyber Security Centre (ACSC) Essential Eight Strategies to Mitigate Cybersecurity Incidents is a good starting point for Australian businesses. As part of a larger set of 37 strategies derived directly from the Australian Government Information Security Manual (ISM) of 772 controls, businesses of all sizes and industries can create a framework that works for them. The Essential Eight and the ISM itself are not unique, with many other countries globally adopting a similar approach. The Top-X lists from the Five Eyes countries outside of Australia (Canada, New Zealand, the United Kingdom, and the United States) are strikingly similar to our own.
Today, 78% of security and IT professionals rely on more than 50 discrete products to address their
security issues, with 30% of them juggling more than a hundred products. Given that more than two-
thirds of Australian organisations experience more than 5,000 threats per day, the resulting number
of alerts would be enough to give any security administrator nightmares. All these layers of security
can make risk management much like entering a boxing ring blindfolded – you never know where
the next hit is coming from and can’t protect yourself from a knockout blow. In many cases,
organisations are buying too much technology, so a good security assessment will scrutinise the
overlaps as carefully as the gaps and identify opportunities to streamline.
One could argue that we have too many layers, which seems contradictory to “defence in depth”, but it is the lack of integration between those layers that causes the most grief. We spend too much time trying to make competing technologies work together because we chose the best available, lowest cost, or recommended products instead of creating a cohesive ecosystem. This complexity reduces our visibility and our ability to detect threats, let alone assess, contain, and remediate them. Human error is inevitable, and it arises both from trying to make cyber defences work before an incident and from trying to manage an incident during and after its occurrence.
Data#3’s approach is to use security assessments to find the gaps and overlaps in your systems and create a solution that spends more time working for you than you do working on it. Even so, technology only forms the pointy end of your spear of defence.
We must not become complacent and believe that more is better, whether in money, technology, or people. An enormous budget, the latest and greatest technology, and teams of security experts are no guarantee. Even the United States of America’s seemingly impenetrable fortress, the Pentagon, has suffered data breaches. While this may sound defeatist, and you may not have a Department of Defence style budget, all is not lost.
Furthermore, the impact of security breaches is felt business-wide and far beyond the IT team, so it stands to reason that a multi-disciplinary approach is needed. Typically, a response team consists of internal and external resources, and it is vital to know who to turn to beyond the organisation. Help is readily available, and Data#3 is always ready to guide you toward your goals while understanding your constraints.
Internally, you may wish to include those responsible for communications, your legal counsel, and a
key spokesperson in addition to crucial IT staff. They can help the business manage the narrative and
communicate as needed with colleagues, customers, and suppliers. Proactive communication can
reduce the risk of uncontrolled gossip and present a united front.
Externally, you can draw on expertise from your IT security services providers. Likewise, if you work with a public relations agency, they should be included in team planning, since their role is essential in controlling the narrative of an incident.
Additionally, cyber insurance may be a worthwhile investment, and your insurer can offer
tremendous help in managing incidents. It will typically have a panel of experts, including PR and
forensic IT specialists, to help you coordinate your response. Your team should meet regularly and
be clear on the roles and responsibilities of each participant.
With the threat landscape constantly changing, you cannot prepare for every possible variable, but
you can narrow the odds substantially and recover better with a robust plan.
Need to increase the odds in your favour? View the JuiceIT panel, follow us for more security tips
and tricks, or contact the Data#3 security practice for a confidential discussion.
Tags: Cybersecurity, JuiceIT, JuiceIT 2021