How to effectively manage serious cybersecurity incidents

Cipher breaks down the steps to be followed when an attacker has managed to take control of elements within the organisation's infrastructure. A clear, organised and systematic plan is essential to deal with this type of situation.

All the companies in the world are exposed to a cyberattack. Madrid and its metropolitan area suffer 15,000 cyberattacks a day, according to the National Institute of Cybersecurity (INCIBE). Most do not have much impact, but  what if an attacker manages to take control of the organisation? Prosegur's specialised cybersecurity business line,  Cipher, whose more than 400-strong team of cybersecurity experts is divided into six operations centres serving more than a thousand customers, sets out the steps to be followed in the event of a cyberattack on a company. 

First, identify the attacker. These are often organised criminal gangs from third countries with a particular predilection for this type of crime who carry out large-scale attacks. One of the most common attacks today involves ransomware.

This kind of attack seeks out all kinds of vulnerabilities in the organisation's infrastructure. And in most cases the access door is unwittingly opened by someone within the company. For example, by clicking on a malicious email, the sophistication of which has increased to the point of causing a real headache for computer experts. Sometimes, these kinds of malicious programmes that seek to hijack data can hide for days and even months in the internal network without being detected. They use this time to become more familiar with the company's infrastructure, as well as to seize data that will later be used to extort the victim.

 

Report

We should also remember that one of the first responses to any cyberattack must to be to file the corresponding report with the State Security Forces and Bodies. This allows investigations into cybercrimes to be opened and helps to identify whether the attacker belongs to an organisation, is a specific individual, and also to create a pattern in which to analyse if the same cyberattacks have been carried out on more companies in our sector, our environment or our geographical area.

The size of the organisation is irrelevant because none is safe from the threat of a cyberattack: the major Spanish companies record more than 130.000 incidents per year. The difference lies in the ability to withstand such an incident, and this is why up to 60% of SMEs that had been attacked ended up closing within a few months.

 

Transparency

Another factor that helps make a difference in the immediate aftermath of this type of incident, especially in the case of companies that provide services to other customers, is transparency. Information reassures the users of the company's services and open and constant communication helps minimise the impact of the cyberattack on the image of the organisation.

A good flow of information would help to reduce figures such as those published by the consultancy firm McKenzie in a study. In this survey, up to 26% of respondents stated that they would change bank or health insurance provider if they suffered a cybersecurity attack.

 

Location and elimination

It is once a cyberattack has been located that the hard work begins: if the infection is severe, drastic action is required, such as shutting down all equipment, to prevent the damage from spreading further and contain the threat. The next step is determining how many computers have been affected and isolating them. This is a complex process that can take months, depending on the size of the company. If its business model is also based primarily on a digital infrastructure, the process is not complete until all services have been restored and it has been verified that all are working as normal.

In this regard, the cloud environment must be taken into account, which is fast becoming the future of most organisations. At the moment, however, the cloud is the number one cause of security breaches. This does not mean that it is not secure; moreover, the security measures for the cloud can be much greater than those we have in our own environment. However, in order to take advantage of the ease with which security measures can be implemented in the cloud, it is necessary to have professionals who not only are familiar with cybersecurity, but also have a set of digital skills that are very difficult to find today.

Whether in virtual, physical or hybrid environments, having identified and brought the threat completely under control, the priority is to eliminate any remnant of the attacker from the infrastructure, conducting a thorough sweep to ensure that the attackers have completely relinquished control of the assets.

 

Origin

Once the crisis situation has been brought under control, the next step is carry out an analysis. To do this a timeline for the attack must be established. Returning to the origin of the incursion to determine how it developed in the organisation and learning from the possible breaches that were achieved will enable us to deal better with another similar attack. In particular when we consider that malicious attacks in 2021 are breaking all records. According to the National Cybersecurity Institute (INCIBE), there have been 153,720 cybersecurity incidents so far this year, 20,000 more than in 2020 and almost 50,000 more than in 2019.

This is one of the reasons to have the backing of external cybersecurity experts who know how to deal with these situations, and manage the crisis.

 

Training and resources

It is once a cyberattack has been located that the hard work begins: if the infection is severe, drastic action is required, such as shutting down all equipment, to prevent the damage from spreading further and contain the threat. The next step is determining how many computers have been affected and isolating them. This is a complex process that can take months, depending on the size of the company. If its business model is also based primarily on a digital infrastructure, the process is not complete until all services have been restored and it has been verified that all are working as normal.

In this regard, the cloud environment must be taken into account, which is fast becoming the future of most organisations. At the moment, however, the cloud is the number one cause of security breaches. This does not mean that it is not secure; moreover, the security measures for the cloud can be much greater than those we have in our own environment. However, in order to take advantage of the ease with which security measures can be implemented in the cloud, it is necessary to have professionals who not only are familiar with cybersecurity, but also have a set of digital skills that are very difficult to find today.

Whether in virtual, physical or hybrid environments, having identified and brought the threat completely under control, the priority is to eliminate any remnant of the attacker from the infrastructure, conducting a thorough sweep to ensure that the attackers have completely relinquished control of the assets.

 

Simulation

From a preventive standpoint, it is essential to prepare by carrying out routine breach simulation exercises so that staff have the experience to deal with crisis scenarios. This means that when a real attack is launched, the organisation will be much better prepared and able to react consistently.

Another recommendation is to take out a cyber insurance policy. Once an attack has taken place, this type of insurance policy covers all the losses caused by the attack, as well as the high costs of the experts required to manage the response.

Finally, none of the above will be effective if an organisation fails to provide sufficient resources for its cybersecurity systems. Events that jeopardise the security of a system happen constantly. As has been repeated on countless occasions, there are only two organisations: those that have already suffered a serious cybersecurity breach and those that will suffer one in the future.