Sponsored
Sponsored content is premium paid-for content produced by the Irish Times Content Studio on behalf of commercial clients. The Irish Times newsroom or other editorial departments are not involved in the production of sponsored content.

Preparation is key for an effective cyber-attack response

Getting the basics right and employing good cyber hygiene are key, says Jacky Fox, managing director of security at Accenture in Ireland

The recent spate of high profile cyber-attacks has acted as a sharp reminder to organisations of the need to prepare for the high probability of a cyber breach. “They have acted as a shot across the bows and have underlined the importance of cybersecurity and building the resilience required to ensure the business can continue to function following a breach,” says Jacky Fox, managing director of security at Accenture in Ireland.

A balanced approach is required, she advises. “Organisations have limited budgets and they have to look at how best those resources can be applied to treat their cyber risk. It can be very difficult for organisations which don’t have access to in-house expertise in relation to IT and cyber to make the right decisions and they may need to look for external assistance.”

Fox is also vice chair of Cyber Ireland, a national cybersecurity cluster that provides a collective voice to represent the needs and challenges of the cybersecurity sector in Ireland. She believes that the cybersecurity discussion needs to be reframed. Instead of a technology issue, it should be seen as a business issue.

Governance matters

“When you pare back it comes down to good governance and risk management,” she says. “You need to spend time focusing on what the risks are and put controls and mitigation measures in place to deal with them. If the company’s core business is making widgets, the focus has to be on what can be done to contain a cyber breach and continue to make widgets.”

READ MORE

And that begins with getting the basics right. “How do you know who is coming in and out of your network?” she asks. “Do you have multi-factor authentication in place; do you know it’s Jacky and not just someone who has stolen her password? Having these basics in place is very important.”

That can be easier said than done due to the growing complexity of organisations’ IT systems and networks. The systems can be partly on the premises and partly in the cloud as well as being located in people’s homes since the shift to remote working. “Remote working makes it much more difficult as there’s no longer a finite perimeter around your network, but you still have to have the measures in place to stop unauthorised access to your networks and information” says Fox.

That requires businesses to take the time to understand their information and assets and where they are located. However, it doesn’t stop there. “They have to look at their third parties as well,” she explains. “Supply chain risk is complex. You are only as strong as your weakest link. If your organisation has good cyber hygiene and a supplier doesn’t, they could be a vector for infection. Your suppliers could expose you to malware and hackers.”

Those vulnerabilities have led to a change in mindset with organisations thinking about moving to what is known as a zero-trust architecture. “Instead of allowing you broader access and monitoring what you’re doing for unusual behaviours, a zero-trust architecture only allows you access to what you absolutely need. Trust nobody, not even your own employees.” And nobody can be offended by this policy if you don’t trust anybody.

Everyone needs to know what their role is and what they are expected to do in the event of a cyber breach

“There are a lot of parallels with traditional security techniques,” Fox adds. “A lot of it is about applying those tried and trusted techniques at speed. For example, similar to a security guard checking if lights are on where they shouldn’t be, you can look at behaviours on the network to spot anomalous activity such as where a marketing person is trying to access the HR system. That’s where AI, machine learning and data analytics come in. These automated tools can give early warning that something may be happening and allow you to start to lock down the systems.

That advance warning can be very useful. “You don’t want information leaking out of the organisation. Ransomware used to be relatively straightforward. The criminals would encrypt your data but if you had a good backup in place, you could be OK. You should have an offline backup of your data not connected to the systems to help you get back up and running as quickly as possible.”  But the criminals have morphed their business model and steal data first and threaten to publish it at the same time as encrypting the data on your systems. Now you can have a huge data breach as well as massive disruption.”

This is often what makes organisations consider paying the ransom. “They are paying for decryption keys and for the stolen data to be destroyed,” Fox notes. “As high as 50 per cent of those who pay get hit again. Everyone asks themselves if they should pay when hit by a ransomware attack. Paying the ransom still leaves organisations with problems and ongoing uncertainty. For example, even if you buy the decryption key, it may not work very well, leaving your data locked. Also, how do you know the people you are dealing with actually have your data. How do you know they will destroy it if you pay and not just sell it on?

“I would never sit in judgement on an organisation that does pay,” she continues. “It may be a choice between survival and paying. Many insurers are now saying they won’t cover ransom payments. Personally, I think that this is a positive development. Organisations can no longer transfer this risk. I’d love to see a world where everyone says they won’t pay ransoms. The criminals’ business model would disappear overnight.”

I strongly recommend organisations to consider their options in advance and do trial runs and attack simulations. The scenario planning should also look at recovery and resilience. “Every business does fire drills, and this should be no different. Everyone needs to know what their role is and what they are expected to do in the event of a cyber breach. The drills will build the muscle memory required for crisis response.”

The drills should identify the prioritisation of systems the organisation requires to get back up and running if they are hit by a wide scale attack. “This can often be surprising,” Fox notes. “If the company manufactures widgets, it can’t operate if it can’t pay staff or communicate with them. You need to map out the interdependencies between your systems. You also need to identify the people in advance who will respond to the attack, both internally and externally. They may include the Gardai, regulators, and external advisors.”

We need to get people comfortable with noticing and alerting IT teams to activity that feels unusual

Bottlenecks also have to be dealt with. “If you have 400 systems down and you have 10 people in IT to look after them, that’s not going to work. You should know in advance who you are going to get in from outside to help. You need to have the full response team in place from the very beginning. It’s really hard to keep expanding the team all the time.”

Alternative systems have to be put in place at speed. “People often do that in the cloud. But that can be difficult in an emergency. Sometimes the business just has to go back to manual systems using paper forms to record goods in and out and so on. Consideration also has to be given to communications difficulties leading to delays in decision making. You have to think about the effect that will have on the business.”

She concludes by emphasising once again the need to prepare in advance and run drills and simulations but also training the wider organisation to flag activity that seems suspicious. “Ongoing employee vigilance is really important – we need to get people comfortable with noticing and alerting IT teams to activity that feels unusual.

You want to get to place where, in the worst case scenario when an attack actually happens, your response will follow a prepared playbook and people will understand their roles and responsibilities. Everyone should be trained to play their part in the response and be confident that they are doing it correctly.”

Learn more about Accenture’s security services at Accenture.com

This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.