Cyberattacks threaten all of us. White House officials confirmed in March 2014 that federal agents told more than 3,000 U.S. companies that their IT deployments had been hacked, according to The Washington Post. Meanwhile, Bloomberg reports that the Securities and Exchange Commission (SEC) is looking into the constant threats of cyberattacks against stock exchanges, brokerages and other Wall Street firms.
These attacks are going to happen, no matter what you do. Here, then, are four strategies to help you deal with cyberattacks and the threats they pose.
1. Have a Cyberattack Disclosure Plan
Many industries are regulated by state, local and federal governments and have specific rules about what must be disclosed to consumers during a cyberattack. This is especially true of the healthcare and financial verticals, where sensitive customer information is involved.
Sometimes in the wake of an attack, though, or even while an attack is still happening, the evolving situation can be murky enough that disclosure rules get broken -- or, at the very least, the disclosure process is delayed or confused. For that reason, it's important to plan ahead and develop an action framework when events that trigger a disclosure response occur.
Here are some considerations:
Understand the applicable regulatory framework. For publicly traded companies, the SEC generally has disclosure guidelines and timeframes. For financial institutions, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) handle this on the federal side. State regulations vary.
Engage your communications team. These employees are professionals who have developed relationships with media and other external stakeholders. They can help you control the messaging and disclosures that you're required to make, as well as advise on the timing and breadth of those statements.
Coordinate with the required departments. Most CIOs coordinate with the individual IT teams responsible for the area under attack -- as well as outside contractors and vendors helping with the mitigation and recovery, and applicable government agencies, to keep the disclosure plan on track. Identify key personnel ahead of time and make sure roles and next actions to carry out disclosure plans are known.
2. Understand What Targets Cybercriminals Value
The real question about cyberattacks isn't when they occur. Attackers constantly invent new ways to do everything, connectivity to the Internet is becoming more pervasive, and it's easier and cheaper than ever to acquire a botnet to do your bidding if you are a malfeasant. Cyberattacks will happen to you -- tonight, next week, next month or next year.
The real question about cyberattacks is where they will occur. Traditional attacks have really gone after most of the low-hanging fruit, such as payment information (witness the recent Target breach) or just general havoc-wreaking, such as the Syrian Electronic Army's distributed denial of service (DDoS) attacks. Many attacks have been motivated by political or moral issues, or they've been relatively simple attempts to harvest payment information to carry out low-level fraud.
Future attacks could have more significant ramifications, though, including the attempt to retrieve more dangerous identity information such as Social Security numbers. In a recent panel discussion at the Kaspersky CyberSecurity Summit, Steve Adegbite, senior vice president of enterprise information security oversight and strategy at Wells Fargo, hinted that attackers may well be attempting to penetrate where the data is -- implying that new cloud technologies and data warehouses, as well as weaknesses in emerging technologies embraced by larger companies, could well be future targets for attackers.
Where cyberattacks will occur also pertains to the location of your enterprise. Threats in the United States will have a different profile than threats in Europe. Location matters in this equation. Take some time with your team to assess where cyberattacks are likely to be directed across your enterprise. Understand what may now be at an increased risk of attack, especially relative to the past.
3. Lobby for Budget to Defend Against, Mitigate Cyberattacks
IT budgets are no goldmine. CIOs have been used to having to do more with less for a long time now. If you've sung the praises to your management group about how you can save money by, for example, moving to the cloud or consolidating and virtualizing many servers, you might find yourself with reduced budgets and reduced headcounts -- right as the storm of cyberattacks threatens you. This isn't a preferred position.
Unfortunately, cyberattacks aren't only damaging. They're expensive, not only in terms of the cost of services being down but also the expense directly attributable to mitigating and defending them. Vendors with experience in reacting in real time to cyberattacks and mitigating their effects are tremendously expensive, both at the time of the event and hosting data during periods of inactivity in order to be prepared if and when an attack occurs. Purchasing the hardware and software necessary to properly harden your systems is expensive. This is an important line item, an important sub area, in your budget for which you need to account. Consider it insurance on which you will almost certainly collect.
Also, look for products and technologies rated at EAL 6+, or High Robustness, which is a standard the government uses to protect intelligence information and other high-value targets.
Bottom line: Don't cannibalize your budget for proactive IT improvements and regular maintenance because you've failed to plan for a completely inevitable cyberattack.
4. In the Thick of an Attack, Ask for Help
When you're experiencing an attack, you need good information you can rely on. Others have that information. In particular, look for the following:
Join information-sharing consortiums that can help you monitor both the overall threat level for cyberattacks and the different patterns that attack victims have noticed. For example, the National Retail Federation announced a new platform to share information and patterns that aim to arrest the data breaches the industry has recently suffered. Financial services companies have set up an informational network, and other regulated industries often have a department of the governmental regulatory body that can serve as a contact point to help prevent this kind of illegal activity.
Develop a relationship with vendors with expertise on cyberattacks. It may be tempting to try to rely only on in-house resources and talent, both as a way to control costs and protect valuable information about your infrastructure, but many vendors and consulting companies have worked through multiple cyberattacks and have tremendous experience under their belts. Hiring one of these companies may well stop a cyberattacks before it does serious harm.
Using the security technology you have in place, understand what readings are important and what may well be just noise. In an effort to impress and appear complete, many software vendors monitor every little thing under the sun and spin up a multitude of readings that can mask or inadvertently dilute the notifications of serious problems. Use your technology wisely and understand what notifications refer to high-value targets so you can act earlier in the attack lifecycle.
Jonathan Hassell runs 82 Ventures, a consulting firm based out of Charlotte. He's also an editor with Apress Media LLC.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.