Cyberattacks are a pervasive element of our digitalized world. It's not just about recovering from an attack but building systems robust enough to withstand future threats. Let's delve deeper into how businesses can move from merely reacting to being proactive and resilient.
Modern ransomware tactics
The continuous evolution of cybercrime has led to the emergence of several new and sophisticated tactics used by cybercriminals to exploit their victims. One such trend is the increased targeting of supply chains. By infiltrating a single point of entry within a supply chain, hackers can potentially gain access to multiple systems and networks, thereby maximizing the impact of their attack and the potential value they can extract.
Artificial Intelligence (AI) and machine learning are also being exploited by these malicious actors. They are increasingly developing malware tailored to specific victims, utilizing AI to analyze their target's behavior and evade detection from antivirus software. As these cybercriminals grow more proficient in the use of these technologies, the frequency and sophistication of their attacks are projected to escalate.
Another aspect of cyber resilience pertains to the handling of internal threats. Disgruntled employees with trusted access to all systems can pose a significant hazard. They have an intimate understanding of the system's architecture, access points, and vulnerabilities, which can be exploited to inflict damage upon the organization. Such insider threats often fly under the radar due to a misplaced sense of trust or complacency. Therefore, it’s crucial for companies to implement robust access control and regular auditing of internal operations.
Some cybercriminals are even leveraging businesses' terror of regulatory scrutiny and heavy fines to coerce them into paying ransoms. By threatening to expose data breaches to the authorities, these threat actors are capitalizing on the potential financial and reputational damages that could result from non-compliance with regulations like the General Data Protection Regulation (GDPR).
In terms of evolution, we anticipate that ransomware attacks will expand beyond traditional extortion methods. They may increasingly target specific vulnerabilities in systems to gain unauthorized access and perform in-depth reconnaissance of their victims' environments. Coupled with the growing threat to data integrity, where corporate data could be manipulated for nefarious purposes such as market manipulation or industrial espionage, these evolving tactics underscore the urgency for companies to shift their focus from mere disaster recovery to true cyber resilience.
What does cyber resilience really mean?
Cyber resilience, in the simplest terms, is an organization's ability to withstand, adapt to and recover from cyberattacks or adverse disruptions to its digital infrastructure. It's not just about preventing attacks, but also about continuing to operate effectively and efficiently even while under attack. This concept encompasses a robust communication plan, maintaining control over the organization's narrative, and ensuring that both internal staff and external partners across the supply chain are alert and aware of how to navigate through a potential incident.
Cyber resilience includes limiting what threat actors can do if they gain access. Adapting to an attack may involve redundant infrastructure or alternative processes, but recovering from an attack necessitates having the right people, processes and technology in place (and at the ready) to restore functions and services.
Cyber resilience is about outcomes and the continuity of business functions — the ability to deliver outcomes, even in the face of an attack. It requires a holistic understanding of the various risks, including cyber risks, threatening the organization. It’s about integrating cyber risks into the broader risk management framework of an enterprise to ensure business continuity and protect its reputation.
How businesses can strengthen their cyber resilience today (the 30,000-foot view)
To further strengthen their cyber resilience, companies can invest in regular cybersecurity training programs for their employees. Empowering employees with the knowledge to recognize and avoid potential cyber threats can significantly reduce the likelihood of successful attacks. The training should cover varied aspects, such as understanding phishing emails, secure password practices and the importance of regular software updates.
Another critical component is having a recovery plan in place. It provides a roadmap for the organization to restore normal operations following a cyberattack, ensuring business continuity with minimal downtime. The plan should outline the steps to secure, recover and restore the impacted data and systems, highlighting the roles and responsibilities of team members during the recovery process.
It’s equally vital that organizations implement a cyber resilient vault that adheres to the principles of the "three I's": Isolation, Immutability, and Intelligence:
- Isolation: Often achieved through air gapping, prevents unauthorized access and protects our data by physically isolating it from other networks.
- Immutability: Ensures that once data is stored, it cannot be modified or deleted, providing a safe backup to restore operations in the case of a breach or data loss.
- Intelligence: Often powered by AI, enables the detection of anomalies when backups are being placed in the vault, significantly enhancing our ability to preemptively identify and counter potential threats.
Together, these three principles form a pillar of cyber resilience, enhancing an organization’s ability to withstand cyber threats and ensuring business continuity in an increasingly digital world.
Finally, companies can bolster their resilience by proactively identifying potential vulnerabilities and conducting regular penetration testing. This approach allows them to anticipate potential attack vectors and implement necessary countermeasures. It's also beneficial to implement multi-factor authentication (MFA) where possible, adding an extra layer of security that can deter cybercriminals. Both strategies align with the concept of a zero-trust architecture, reinforcing the notion that nothing within the network should be trusted blindly.
In case of attack, avoid doing these things
Should your business become the victim of a serious cyberattack, there is a laundry list of things you should avoid doing, starting with this: Don’t panic. It’s normal to have an emotional response to being attacked. Don’t freeze up — stay calm and implement your recovery plan.
Here are a few other don’ts:
- Don’t issue statements about what has happened until you know them to be true.
- Don’t use potentially compromised communications to plan your response.
- Don’t avoid informing regulators.
- Don’t start pointing fingers or looking for staff to blame (and don’t victimize staff if someone did happen to click on a phishing link).
- Don’t neglect staff training and security culture.
- Finally, don’t reuse hacked systems with your backup data until you know for sure those systems are not still infected.
The implications of ransomware that many businesses overlook
Businesses often overlook the extensive implications of ransomware, particularly the interconnectedness of their digital infrastructure and its potential for exploitation. The assumption that a small breach won't significantly hamper operations is misguided. Ransomware attacks could impact critical business functions, even if they infiltrate a seemingly insignificant part of the infrastructure. This underlines the need for a comprehensive understanding of business services and the supporting infrastructure. By grasping these linkages, companies can enhance their protective measures and optimize recovery strategies in the aftermath of an attack.
Another misconception commonly held by businesses is the expectation of a quick recovery post-cyberattack. Reality paints a different picture. Should an attack occur, don’t expect that someone can push a button and have you back online in a matter of hours. This is especially true in instances where a threat actor has had access to your system for an extended period before detection.
The recovery process is often painstakingly slow, further prolonging business disruption. It's crucial for organizations to plan realistically for such eventualities and to have comprehensive recovery plans ready for implementation. It's also essential to remember that cybercriminals are persistent, and if they've successfully infiltrated once, they'll likely try again, leveraging the reputational pressure on the organization. Building resilience against future attacks should thus be a key consideration in recovery planning.
Avoid a false sense of security
Fortifying cyber resilience is a multifaceted endeavor that requires a comprehensive understanding of a company's digital ecosystem and the potential threats within it. Businesses need to recognize the gravity of ransomware attacks, understanding that even seemingly insignificant breaches can cause substantial disruption due to the interconnectedness of modern digital infrastructure.
A false sense of security can lead to underestimations of recovery time after an attack. Remember, swift recovery is rarely an option, especially when the infiltration has gone undetected for an extended period. Realistic planning, comprehensive recovery strategies and the relentless pursuit of increased resilience are critical components in the fight against cybercrime.
Learn more about DXC Security.
About the author
Mark Hughes is general manager of Security for DXC Technology. He is responsible for DXC’s Security business including cyber risk and compliance, digital identity, infrastructure, app and data protection, and cyber transformation and operations. He previously led DXC's offerings and strategic partners organization. A Royal Military Academy graduate and British Army veteran, Mark serves on the World Economic Forum’s Global Cybersecurity Board. Connect with him on LinkedIn.