Why You Should Practice and Drill to Prepare for a Cyber Emergency

Nowadays, businesses operate in a ubiquitous computing environment, relying on information technology to enable the speed and agility of modern business practices from payroll to public offerings. With the vast amount of email content and links that are populating employee inboxes, just one click on a phishing scam can cause a cyber emergency that results in the loss of millions of dollars and customer loyalty — not to mention a lengthy remediation process that amasses additional costs over time.

Spammers Don’t Take Days Off, So Neither Should You

According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average cost of a data breach globally is around $3.86 million. The cost of a mega breach — an event that involves the loss of 1 million to 50 million records — is between $40 million and $350 million, depending on the number of compromised records.

Of the security events recorded in the study, 48 percent were caused by malicious or criminal attacks, including the use of phishing and social engineering techniques to gain unauthorized access to corporate networks. Inboxes are slammed with spam every day of the week, increasing the odds of successful compromise.

The IBM X-Force Kassel research team operates a network of globally distributed spam honeypots, which collect billions of unsolicited email items. Last year, the research team pulled a sample of worldwide data to gain insight into when attackers’ spam bots were the most active.

A look at the same sample size from 2018 echoes last year’s findings: Spammers never rest. However, they are primarily active on Tuesdays and Wednesdays, clocking in at 21 percent and 22 percent, respectively. In addition, they tend to take a less aggressive stance on Saturday (4 percent) and Sunday (9 percent), when offices are less populated and therefore not as target-rich of an environment.

Spam Data, Incident Response

A 5-Step Approach to Avoiding a Cyber Emergency

Any coach or instructor will tell you that you get what you train for. In the heat of the moment, our practiced reactions determine the speed and course of our actions. To provide better online security throughout the organization, user vigilance must be a practiced part of the daily workflow.

The U.S. Fire Administration outlined five key components for designing an effective fire safety education program. In cybersecurity, we can apply that same approach to train personnel to consistently avoid the flames of phishing and react effectively to inadvertent compromise.

1. Assess Your Environment

Begin by gathering information about your workforce and network security posture to identify where risks and vulnerabilities may exist. If you’re going to build a safe and consistent security environment, governance is key. Employees must understand what the organization deems right or wrong. Likewise, network defenders should be well-versed in existing policies and procedures for addressing cyber emergencies.

Using examples of previously successful breaching techniques — such as mimicking the phishing scams that already made it through the organization’s safety net — can help you determine how familiar employees are with the dangers of current-day deception and social engineering scams. Meet with IT managers to learn what procedures are in place to help protect against exposure and minimize risk. This is also a great time to ask network defenders about secure email gateways, orchestration and automation, password protection, and two-factor authentication (2FA).

Finally, whether hosted locally or in the cloud, a best practice for email security is to take a layered approach. Digital fortification — from the network perimeter down to individual device hardening — that is built into corporate IT planning can help reduce exposure and risk.

2. Develop a Clear Escalation Map

Every emergency action plan needs to identify key internal and external stakeholders. Who should respond and who needs to be notified if a malicious link is accessed and the network is set ablaze?

Speed and calmness are everything in this moment. Companies that have an in-house incident response (IR) team or an on-call service to confirm and respond to a breach stand to substantially reduce losses in the event of a compromise. According to the “2018 Cost of a Data Breach Study,” companies with a low mean time to identify (MTTI) a breach — less than 100 days — saved more than $1 million. Likewise, companies with a low mean time to contain (MTTC) a breach — less than 30 days — saved more than $1 million compared to those that took longer than 30 days.

A company’s IR plan should clearly outline who to contact in different departments and ranks — in network security, the C-suite and the IR team component, but also the PR team and the company’s legal counsels. The plan should make it easy to reach them, know their responsibilities and have a clear view of their resources for carrying out mission-critical functions in the event of a cyber emergency.

3. Plan and Implement Your Incident Response

Once you have analyzed your risk environment and identified stakeholders, it’s time to establish objectives and create a plan of action. In case of suspected activity, employees should be able to recognize a phishing scam, whether via email or on the phone, and react appropriately as part of their everyday workflow. To do this, you need to recognize, react and repeat.

Recognize

Establish what “normal” looks like to help personnel readily identify what key indicators should not be trusted. For example:

  • Was the email solicited or did it come out of the blue? While some criminals craft very personal emails, most cast a wide net that can be avoided.
  • Do you recognize the sender, and does the domain check out?
  • Does it read, and is it formatted, like a legitimate email?
  • Do the embedded links point to authentic domains?

React

Identify the next steps that personnel should take when something alarming appears. Is the organization set up to enable quick and effective reporting of suspicious emails and activity? Ensure that any employee can easily report an issue to IT security and the IR team. If a user identifies something malicious, a referenceable policy should be in place that clearly states where to forward it and how to flag it. Statistics should then be captured from these events and used to help establish trending threats.

If an employee has already clicked a link, identify what needs to happen next to correct the situation, from pulling the plug to quarantining the network. If a larger issue is confirmed or an attack is underway, each corporate player should know his or her role. Decisive action can save priceless moments when reacting to a digital threat.

Repeat

Drills should happen monthly, quarterly and double during the holiday season. After all, what’s more enticing than a gift card during the shopping season? Security-savvy reactions aren’t built in a day; they become a part of the culture, a practiced reaction to inbox items that look and smell “phishy.”

4. Market Your Plan to Management and Teams

Gone are the days when droning through a stale slide deck will satisfy a training requirement. People learn in a variety of ways; if you want employees to remember and adhere to your plan, it needs to be engaging. Those in charge of security awareness training would be wise to reach, frame and connect their content with the target audience, a practice known as role-based training, to fit each role’s specific risk factors and likely attack scenarios.

Training needs to be memorable and interactive, so don’t skimp on quizzes, visual reminders, mock phishing campaigns and even companywide giveaways. There’s nothing like a security reminder on a new thermal cup. A spoonful of sugar is a small price to pay to boost organizationwide security awareness.

5. Evaluate Your Plan, Then Evaluate Again

An unexamined plan isn’t worth practicing. Training must be systematic to yield results. Simulate relevant attack scenarios that may affect the organization as authentically as possible and collect the stats on response times and accuracy. Do it again in a quarter, in a month or at random. Crunch the numbers and compare the results. Are employee responses improving? If not, how can the program be improved?

Remember to systematically return to the first step in this approach: assess your environment. In addition to internal review, an outside set of professional eyes on your network to perform periodic penetration testing can help expose previously undiscovered vulnerabilities. Criminal phishing methodologies and the ways by which they target employees are evolving every day, and a good IR plan should too.

Empower Your Users to Adapt to Evolving Threats

The need to establish a corporate culture of cyber awareness has become an accepted tenet of digital enterprise security. To help online safety become second nature across the organization, employees must be able to recognize the sparks of all kinds of scams and learn to react appropriately. Employers, in turn, must give their users the resources they need to continuously adapt to evolving threats and act as a protective layer that can help avoid losses from a cyber emergency.

Claire Zaboeva

Cyber Threat Analyst, IBM

Claire is a Cyber Threat Analyst on the Threat Intelligence Production Team of IBM X-Force Incident Response and...