Every day, businesses of all sizes are under attack. From the smallest mom-and-pop gas station that just keeps a single card reader for their customers, to the biggest multinational conglomerates, every business is at risk of having their security compromised.
For example, according to data from Symantec’s 2017 Internet Security Threat Report, “one in 131 emails contained malware” and “Business Email Compromise (BEC) scams, relying on spear-phishing emails, targeted over 400 businesses every day, draining $3 billion over the last three years.”
While a strong cybersecurity posture can do a lot to mitigate your risks, nobody can prevent every attack from being successful. There are simply too many attackers with too many attack strategies to guarantee complete safety from a security breach. So, the question is: “When, not if, your company faces a situation where its security is compromised, what will you do about it?”
Some of the most important things to do if your cybersecurity measures are breached include:
The first step in any incident response program is recognizing that the breach has occurred in the first place. Here, an intrusion detection system (IDS) can be vital for your ability to recognize and respond to a security event.
There are many different kinds of IDSs, from software-based antivirus systems that reside on the device being protected, to systems that monitor and reroute incoming network traffic outside of the devices they protect. The important thing is that the IDS is able to generate an alert that gives your security team a timely warning that security has been breached.
Following the identification of the breach, the next action to take is to contain the breach however you can. The specific means you use to contain a breach may vary based on the nature of the attack and what equipment and resources were breached.
For example, if a specific workstation was breached, then you may need to disable its internet connection or shut it down to contain the breach. If a specific user account was breached, then revoking that user’s access privileges may be effective for limiting the effect of the breach.
Using a multi-layered security architecture for your network systems can help you preemptively limit the spread of an attack by slowing attackers down and keeping them from accessing all of your systems from a single point of entry.
Even after a security threat is contained, it still needs to be eliminated so as to prevent more damage from occurring in the future. Once again, the method of elimination that you need to employ may vary based on the nature of the threat and the asset that was compromised.
Some elimination strategies, such as for a ransomware attack, may require that the afflicted assets are reformatted and restored from a remote backup. Other attacks may be eliminated by blacklisting the IP address serving as the attack’s source.
After you’ve eradicated the source of the security compromise, it’s important to restore normal function for your systems as soon as possible.
The question is: “How will you recover from an attack?” Here, having a prepared business continuity and disaster recovery plan in place is vital. If you don’t have a plan in place ahead of time for dealing with the loss of an IT asset, then it will be more difficult to deal with the loss when the time comes.
When a breach happens, learning from the attack can be just as important as containing and eliminating it. After the attack, it’s important to review the chain of events leading to the security compromise. Some IDSs can help with this, providing some forensic data of the security events they log for your team to review.
One key piece of information to focus on is the attack vector. How did the attacker gain access? Was the attack a social engineering-based one where they first compromised a legitimate user account? Or, did they exploit a previously-unknown vulnerability in your security architecture?
Being able to identify the source of the attack and how it was carried out is crucial for creating strategies to prevent similar attacks from working in the future. By studying how the attack was carried out, you can prioritize a patch that closes the exploit that was used, warn employees about a spear-phishing strategy, or block the malicious IP address that served as the attack’s source.
The price of doing business is eternal vigilance. After any attack that successfully breaches your security architecture, it’s vital to prepare for the next one before it happens. Create plans for responding to specific eventualities, prepare a BC/DR solution, train your employees to mitigate cybersecurity risks, and investigate new security solutions that you could have used to prevent the previous attack so you can have these resources for the next one.
Odds are that if an attacker succeeds with a specific attack strategy once, they’ll try it again. Learning from previous attacks and preparing for more attacks is a basic part of maintaining a strong cybersecurity posture.
If you need help establishing and maintaining a strong cybersecurity posture, contact Compuquip today! We have the right people, with the right tools and expertise to help enterprises build better security architectures to protect themselves, their customers, and their reputations.