With cybersecurity threats on the rise, can any of us say that we are truly prepared for an attempt by cybercriminals to break into our networks? In today’s world of constantly evolving threats, it’s potentially only a matter of when your systems will be hacked, not if. Before your organization falls prey to cybercriminals, consider taking some time — and money — to plan ahead and test your own defenses. Consider the saying, “It takes a thief to catch a thief.”
So cue the ominous music and bring in the hackers for hire. I’m not talking about hiring actual “bad-guy” or criminal hackers — although some organizations have been known to do that. I’m talking about working with a company that has ethical hacker expertise and thinks like a hacker to help its clients respond to and recover from security breaches.
The following are some tips on how you can use these hackers for hire to strengthen your organization’s security before a breach.
Have a Cybersecurity Plan
Work with a knowledgeable consulting firm to build an incident response plan that outlines the major incident scenarios that are likely to happen, the key contact details of whom to engage during an incident and the rules of engagement for the overall response process. Also, be sure to include reporting and communications templates because those are the last things you want to be designing in the middle of an incident.
Test Your Controls
Use a little friendly, ethical hacking to test your systems. Organizations have contracted consultants for years to perform penetration testing on Internet-facing systems. With today’s evolving network perimeter, many organizations are not adequately securing or testing their mobile devices and the applications that access their core business infrastructure. About 75 percent of mobile applications will fail basic security tests through 2015. These mobile devices and apps are target-rich opportunities for cybercriminals — especially if proper security wasn’t built into them or configured in the first place — so they should be part of your incident preparation activities.
Exercise Your Plan
Many organizations today are taking a lesson from military and other first-responder organizations that run a variety of exercises to test their incident response plans. While no one can really plan for a “black swan” scenario, you can still test your response to the likely major incident scenarios you have outlined in your incident response plan. Exercises can range from tabletop scenarios, where participants sitting around a table walk through the response actions step by step, to full-on live war-gaming, with an active response to simulated cybercriminal attacks by your friendly ethical hackers.
Update Your Plan
Based on the findings from your penetration testing and your incident response plan testing, it is critical to go back and update your plan to cover the lessons you learned. At a minimum, incident response plans should be updated on a yearly basis to capture the changes needed to address the evolving threat landscape and your organization’s changing information technology and cybersecurity environment.
As Benjamin Franklin once said, “By failing to prepare, you are preparing to fail.” This adage holds equally true whether you’re an athlete preparing for a big game, an employee giving a presentation to your management team or an information security manager trying to secure your computing environment.
How will your organization prepare itself for an inevitable systems attack?