How to protect your business with a cyber incident preparedness plan

UK businesses need to protect against threats on many fronts  

Cyber threats are a growing concern for businesses across the UK. As with most things in business, good preparation beats even a great response: putting safeguards in place ahead of time is a better policy than having to step in and limit the damage afterwards.
 
Businesses need to prepare themselves to face a variety of cyber threats, and to have strong incident response (IR) plans in place so that they can deal swiftly with a cyber-attack and minimise its impact.

Increased attack surface and increased adversary activity

Here’s a quick analysis of the current cyber threat landscape facing UK businesses and what businesses can do to establish a stronger cyber security posture against these threats.  
 
Due to Covid-19, more employees than ever are working from home, and this has given attackers a larger attack surface to target. Home workers are unlikely to have the same security controls on their home network as they would have when plugged into the internal corporate network. Attackers target remote users knowing that a foothold gained on a "trusted" corporate device can be used as a conduit into the internal corporate network through remote access technologies such as VPN.
 
Current cyber threats that businesses need to protect against include: 

  • Phishing and social engineering - security researchers have reported a 600% rise in the number of phishing emails worldwide that use Coronavirus-related themes to target individuals and businesses [1].  
  • Insider threats, including employee sabotage - employees and other "inside" resources, such as contractors, can deliberately or unwittingly introduce malware and other malicious payloads into company systems. This is a risk whether the person is on site or accessing company systems remotely.  
  • Ransomware attacks - in which files and folders are encrypted until a ransom is paid to the attacker. There has been a substantial increase in these types of attack in recent months, with many attackers now adding pressure by threatening to publish sensitive data stolen from the victim organisation before the encryption takes place.
  • DDoS (Distributed Denial of Service) attacks - DDoS attacks typically use botnets to direct massive volumes of traffic at Internet-exposed corporate servers or websites, with the objective of overwhelming them and leaving them temporarily inaccessible. 
  • IoT (Internet of Things) attacks - attacks that target Internet-connected smart devices are sometimes neglected in cyber security plans. However, these devices can be attacked directly in order to breach the network perimeter and gain remote access to a company's digital infrastructure. 

Other attacks are specific to particular sectors, such as denial of inventory attacks, in which attackers artificially "hold" inventory on eCommerce websites so that legitimate users are told a product is temporarily out of stock when in fact none of it has been purchased.  

What can businesses do to protect themselves? 

In a recent research study we conducted into the State of Technology at UK SMEs, the vast majority (81%) confirmed that they had suffered a data breach or cyber-attack, with nearly two in five (37%) admitting they had suffered multiple breaches [2].  
 
To protect themselves against these and other threats, businesses should combine a variety of measures into a strong cyber security posture, making it significantly harder for bad actors to penetrate their networks and cause damage. 
 
For instance, a baseline security plan ensures that all company IT resources, such as desktops and any laptops accessing company systems, are running basic protection such as anti-virus software. Other defensive practices include: 

  • Review any internal services the organisation exposes directly to the Internet, make sure they are kept up to date with security patches, and consider putting critical websites behind services that can absorb DDoS attacks and detect and block common exploit attempts against the site. Never expose Microsoft RDP directly to the Internet; instead, provide access through a VPN.
  • Any Internet-facing service that requires a username and password should be required to use multi-factor authentication (MFA). MFA greatly improves security and takes the value out of some common attacker techniques, such as logging in with credentials harvested through phishing emails, that are used to gain access to corporate systems. 
  • Incoming emails should be scanned for malicious attachments and website links. 
  • The human element can be the weakest link in an organisation's cyber security posture. Invest in training staff to spot the techniques attackers commonly use to trick them into divulging credentials or opening malicious documents. Services are available to simulate these user-focused attack methods and measure the risk they present to the organisation.
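As an added example (not code from the article), the following Python script carries out the first of these checks, reviewing what an external port scan shows exposed, by parsing nmap's greppable output (-oG) and flagging open services that should not face the Internet. The scan output embedded in it is constructed, the 203.0.113.0/28 range and hostnames are documentation values, and the list of flagged ports beyond RDP is an assumption about what an external review would normally question.

```python
"""Review an external port scan for services that should not face the Internet.

Added example, not code from the article: parses nmap greppable output (-oG)
and flags open ports the article warns about (RDP) plus a few others an
external review would normally question. The scan text below is constructed.
"""
import re
from dataclasses import dataclass

# Ports not expected on an Internet edge. RDP is the article's own rule;
# the others are assumptions about what a reviewer would flag.
RISKY_PORTS = {
    3389: "RDP exposed directly; put it behind a VPN",
    445: "SMB exposed; file sharing should never face the Internet",
    23: "Telnet exposed; unencrypted remote shell",
    21: "FTP exposed; unencrypted file transfer",
    5900: "VNC exposed; remote desktop without a VPN",
}

# Constructed sample of `nmap -sS -p- -oG - 203.0.113.0/28` (documentation range).
SAMPLE_SCAN = (
    "# Nmap 7.93 scan initiated as: nmap -sS -p- -oG - 203.0.113.0/28\n"
    "Host: 203.0.113.10 (mail.example.test)\tPorts: 25/open/tcp//smtp///, "
    "443/open/tcp//https///\tIgnored State: filtered (65533)\n"
    "Host: 203.0.113.11 (vpn.example.test)\tPorts: 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)\n"
    "Host: 203.0.113.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, "
    "445/open/tcp//microsoft-ds///, 80/closed/tcp//http///\tIgnored State: filtered (65532)\n"
    "# Nmap done -- 16 IP addresses (3 hosts up) scanned\n"
)

# "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\t|$)")
# Each entry is port/state/protocol/owner/service/rpcinfo/version/; keep the first five.
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")


@dataclass(frozen=True)
class Finding:
    host: str
    name: str
    port: int
    reason: str


def parse_greppable(text):
    """Yield (host, name, port, state, proto, service) for every port entry."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, or hosts without a port list
        host, name, ports = m.groups()
        for entry in ports.split(", "):
            p = PORT_RE.match(entry)
            if p:
                port, state, proto, _owner, service = p.groups()
                yield host, name, int(port), state, proto, service


def review_exposure(scan_text, risky_ports=RISKY_PORTS):
    """Return a Finding for each open TCP port that is in the risky list."""
    findings = []
    for host, name, port, state, proto, _service in parse_greppable(scan_text):
        if state == "open" and proto == "tcp" and port in risky_ports:
            findings.append(Finding(host, name, port, risky_ports[port]))
    return findings


if __name__ == "__main__":
    for f in review_exposure(SAMPLE_SCAN):
        print(f"{f.host} ({f.name or 'no name'}) tcp/{f.port}: {f.reason}")
```

Run against a real scan, the same parser reads the output of `nmap -oG` unchanged; only the sample text and the port list are placeholders to replace with the organisation's own address range and review policy.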
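A second added example, again not from the article, shows the kind of logic behind scanning incoming email for malicious attachments and links: it parses a constructed message with Python's standard email library, flags attachments by risky or doubled extension, and flags links whose visible text names a different host from the one they actually point at, or that point at a bare IP address. The extension lists, the sample message and its addresses are assumptions for illustration.

```python
"""Flag suspicious attachments and links in an inbound email.

Added example, not code from the article: a minimal form of the inbound-mail
checks it recommends, run over a constructed message. Which extensions count
as risky and what counts as a disguised link are assumptions a gateway would tune.
"""
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists: types that should not arrive unchallenged, and benign-looking
# inner extensions used to disguise a payload (invoice.pdf.exe).
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta",
             ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Constructed sample message; addresses and hosts are documentation values.
SAMPLE_EML = """\
From: "Accounts" <accounts@example.test>
To: staff@example.test
Subject: Invoice overdue
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the attached invoice or view it online at
<a href="http://203.0.113.55/login">https://portal.example.test/invoices</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="report.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def attachment_reasons(filename):
    """Reasons an attachment name should be blocked or quarantined."""
    parts = filename.lower().split(".")
    reasons = []
    if len(parts) > 1 and "." + parts[-1] in RISKY_EXT:
        reasons.append("executable or macro-enabled type ." + parts[-1])
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXT:
        reasons.append("double extension disguises the real file type")
    return reasons


def link_reasons(href, text):
    """Reasons a link should be flagged: text/target mismatch, raw IP target."""
    reasons = []
    target = urlparse(href)
    shown = urlparse(text if "://" in text else "")  # only compare URL-like text
    if shown.hostname and shown.hostname != target.hostname:
        reasons.append(f"link text shows {shown.hostname} but points at {target.hostname}")
    try:
        ipaddress.ip_address(target.hostname or "")
        reasons.append("link target is a bare IP address")
    except ValueError:
        pass  # a hostname, not an IP literal
    return reasons


def scan_email(raw):
    """Return (kind, item, reason) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings += [("attachment", name, r) for r in attachment_reasons(name)]
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            findings += [("link", href, r) for r in link_reasons(href, text)]
    return findings


if __name__ == "__main__":
    for kind, item, reason in scan_email(SAMPLE_EML):
        print(f"{kind}: {item}: {reason}")
```

A production gateway would go further (detonating attachments, checking link reputation, inspecting archives), but the two checks here, extension on the attachment and display text versus real target on the link, catch the two lures in the sample and are cheap enough to run on every message.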

Incident response planning is a must 

Businesses need to identify which threats they face and then prepare incident response plans that document the steps to be taken in the event of a successful breach of company systems. 
 
Cyber security specialists can help businesses understand the current cyber threat landscape and what types of attack they should plan to respond to. For most businesses, those will be a combination of currently popular attacks and those specific to the company's industry, such as the denial of inventory attack described above, which is currently being used against major eCommerce targets.  
 
IR planning is vital, and the plan needs to be documented rather than held in an IT manager's head. A good IR plan ensures that threats can be quickly identified, contained and eradicated, and that systems can be recovered with minimal impact on business operations. 
 
A common mistake when developing and executing IR plans is spending too little time investigating the root cause of the incident. Skipping this step often results in a cascade of recurring attacks that only ends when the underlying cause is finally found and fixed. 
 
Companies also often economise on protective measures such as Endpoint Detection and Response (EDR), because such systems differ from the tools they have traditionally used and may be seen as expensive. Yet these measures not only help detect cyber-attacks in their early stages but also provide the detailed telemetry and logs that an IR investigation depends on. Businesses need to consider not only the system disruption caused by a successful cyber-attack, but also the potential reputational cost to the business.
 
Finally, failing to prepare internal staff for a cyber incident, and to train them in the IR plan that has been developed, is a common slip-up. When external partners such as contractors and MSPs (Managed Service Providers) are involved, clear lines of communication are needed to reduce the time taken to complete the IR process successfully.  

Begin planning before a cyber incident

Unfortunately, many organisations do not put together an IR plan until after a cyber incident has taken place. This can greatly increase the time taken to recover from the incident and the overall financial impact on the business. External expertise can help clarify which aspects of the growing threat landscape should be of greatest concern. Once proper protective systems are in place, a thorough IR planning process is needed that spells out the steps required to get mission-critical systems back up in the event of a major incident or breach.  

To discuss your cyber security provision contact one of our Cyber Security Consultants by emailing [email protected].

Sources:
[1] https://www.teiss.co.uk/covid-19-related-phishing-attacks-grew-by-600-worldwide/

[2] https://www.ogl.co.uk/sotreport2020