Light Dark
October 17, 2018 By Claire Zaboeva 6 min read
Incident Response
Risk Management
Threat Intelligence

Nowadays, businesses operate in a ubiquitous computing environment, relying on information technology to enable the speed and agility of modern business practices from payroll to public offerings. With the vast amount of email content and links that are populating employee inboxes, just one click on a phishing scam can cause a cyber emergency that results in the loss of millions of dollars and customer loyalty — not to mention a lengthy remediation process that amasses additional costs over time.

Spammers Don’t Take Days Off, So Neither Should You

According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average cost of a data breach globally is around $3.86 million. The cost of a mega breach — an event that involves the loss of 1 million to 50 million records — is between $40 million and $350 million, depending on the number of compromised records.

Of the security events recorded in the study, 48 percent were caused by malicious or criminal attacks, including the use of phishing and social engineering techniques to gain unauthorized access to corporate networks. Inboxes are slammed with spam every day of the week, increasing the odds of successful compromise.

The IBM X-Force Kassel research team operates a network of globally distributed spam honeypots, which collect billions of unsolicited email items. Last year, the research team pulled a sample of worldwide data to gain insight into when attackers’ spam bots were the most active.

A look at the same sample size from 2018 echoes last year’s findings: Spammers never rest. However, they are primarily active on Tuesdays and Wednesdays, clocking in at 21 percent and 22 percent, respectively. In addition, they tend to take a less aggressive stance on Saturday (4 percent) and Sunday (9 percent), when offices are less populated and therefore not as target-rich of an environment.

A 5-Step Approach to Avoiding a Cyber Emergency

Any coach or instructor will tell you that you get what you train for. In the heat of the moment, our practiced reactions determine the speed and course of our actions. To provide better online security throughout the organization, user vigilance must be a practiced part of the daily workflow.

The U.S. Fire Administration outlined five key components for designing an effective fire safety education program. In cybersecurity, we can apply that same approach to train personnel to consistently avoid the flames of phishing and react effectively to inadvertent compromise.

1. Assess Your Environment

Begin by gathering information about your workforce and network security posture to identify where risks and vulnerabilities may exist. If you’re going to build a safe and consistent security environment, governance is key. Employees must understand what the organization deems right or wrong. Likewise, network defenders should be well-versed in existing policies and procedures for addressing cyber emergencies.

Using examples of previously successful breaching techniques — such as mimicking the phishing scams that already made it through the organization’s safety net — can help you determine how familiar employees are with the dangers of current-day deception and social engineering scams. Meet with IT managers to learn what procedures are in place to help protect against exposure and minimize risk. This is also a great time to ask network defenders about secure email gateways, orchestration and automation, password protection, and two-factor authentication (2FA).

Finally, whether hosted locally or in the cloud, a best practice for email security is to take a layered approach. Digital fortification — from the network perimeter down to individual device hardening — that is built into corporate IT planning can help reduce exposure and risk.

2. Develop a Clear Escalation Map

Every emergency action plan needs to identify key internal and external stakeholders. Who should respond and who needs to be notified if a malicious link is accessed and the network is set ablaze?

Speed and calmness are everything in this moment. Companies that have an in-house incident response (IR) team or an on-call service to confirm and respond to a breach stand to substantially reduce losses in the event of a compromise. According to the “2018 Cost of a Data Breach Study,” companies with a low mean time to identify (MTTI) a breach — less than 100 days — saved more than $1 million. Likewise, companies with a low mean time to contain (MTTC) a breach — less than 30 days — saved more than $1 million compared to those that took longer than 30 days.

A company’s IR plan should clearly outline who to contact in different departments and ranks — in network security, the C-suite and the IR team component, but also the PR team and the company’s legal counsels. The plan should make it easy to reach them, know their responsibilities and have a clear view of their resources for carrying out mission-critical functions in the event of a cyber emergency.

3. Plan and Implement Your Incident Response

Once you have analyzed your risk environment and identified stakeholders, it’s time to establish objectives and create a plan of action. In case of suspected activity, employees should be able to recognize a phishing scam, whether via email or on the phone, and react appropriately as part of their everyday workflow. To do this, you need to recognize, react and repeat.

Recognize

Establish what “normal” looks like to help personnel readily identify what key indicators should not be trusted. For example:

  • Was the email solicited or did it come out of the blue? While some criminals craft very personal emails, most cast a wide net that can be avoided.
  • Do you recognize the sender, and does the domain check out?
  • Does it read, and is it formatted, like a legitimate email?
  • Do the embedded links point to authentic domains?

React

Identify the next steps that personnel should take when something alarming appears. Is the organization set up to enable quick and effective reporting of suspicious emails and activity? Ensure that any employee can easily report an issue to IT security and the IR team. If a user identifies something malicious, a referenceable policy should be in place that clearly states where to forward it and how to flag it. Statistics should then be captured from these events and used to help establish trending threats.

If an employee has already clicked a link, identify what needs to happen next to correct the situation, from pulling the plug to quarantining the network. If a larger issue is confirmed or an attack is underway, each corporate player should know his or her role. Decisive action can save priceless moments when reacting to a digital threat.

Repeat

Drills should happen monthly, quarterly and double during the holiday season. After all, what’s more enticing than a gift card during the shopping season? Security-savvy reactions aren’t built in a day; they become a part of the culture, a practiced reaction to inbox items that look and smell “phishy.”

4. Market Your Plan to Management and Teams

Gone are the days when droning through a stale slide deck will satisfy a training requirement. People learn in a variety of ways; if you want employees to remember and adhere to your plan, it needs to be engaging. Those in charge of security awareness training would be wise to reach, frame and connect their content with the target audience, a practice known as role-based training, to fit each role’s specific risk factors and likely attack scenarios.

Training needs to be memorable and interactive, so don’t skimp on quizzes, visual reminders, mock phishing campaigns and even companywide giveaways. There’s nothing like a security reminder on a new thermal cup. A spoonful of sugar is a small price to pay to boost organizationwide security awareness.

5. Evaluate Your Plan, Then Evaluate Again

An unexamined plan isn’t worth practicing. Training must be systematic to yield results. Simulate relevant attack scenarios that may affect the organization as authentically as possible and collect the stats on response times and accuracy. Do it again in a quarter, in a month or at random. Crunch the numbers and compare the results. Are employee responses improving? If not, how can the program be improved?

Remember to systematically return to the first step in this approach: assess your environment. In addition to internal review, an outside set of professional eyes on your network to perform periodic penetration testing can help expose previously undiscovered vulnerabilities. Criminal phishing methodologies and the ways by which they target employees are evolving every day, and a good IR plan should too.

Empower Your Users to Adapt to Evolving Threats

The need to establish a corporate culture of cyber awareness has become an accepted tenet of digital enterprise security. To help online safety become second nature across the organization, employees must be able to recognize the sparks of all kinds of scams and learn to react appropriately. Employers, in turn, must give their users the resources they need to continuously adapt to evolving threats and act as a protective layer that can help avoid losses from a cyber emergency.

 |  |  |  |  |  |  |  |  |  |  |  |  |  | 
Claire Zaboeva
Senior Strategic Cyber Threat Analyst, IBM

More from Incident Response
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature