Successful cyberattacks on corporate IT are almost part of everyday life today. CIOs and CSOs give tips on how those affected can best prepare for an emergency. […]
You were attacked? You are not alone, as the latest figures from the digital association Bitkom show. According to them, almost nine out of ten companies in Germany were affected by data theft, espionage or sabotage in 2020 and 2021. The economic damage amounted to about 223 billion euros per year. One reason the attackers can cause such high damage is that they were often able to pursue their destructive activities for a long time and undisturbed, because the companies reacted too late. In its “Voice of SecOps” report, the security company Deep Instinct states that the average worldwide response time to a cyber attack is 20.9 hours, which corresponds to more than two working days. In Germany, 92 percent of the surveyed corporate cybersecurity experts said that they would need an average of at least 6 hours to respond to a security incident.
At IDG’s interactive IT decision-maker workshop “beyond”, CIOs and CSOs discussed best practices for the case that criminal hackers have penetrated the corporate network. We ask for your understanding that we publish the participants’ tips and recommendations only anonymously, so as not to discredit the security strategies of the respective companies.
Cyber Attack Checklist: First Steps in an Emergency
So how does a company manage to react quickly once it has become the victim of an attack? In order not to be caught cold in an emergency, the beyond participants say, such an emergency should be rehearsed at least once a year. This is the only way to ensure that the first and most important steps are second nature and happen quickly:
- Save log files: At first glance, the advice to save the log files immediately may seem a bit strange. But it is precisely this data that IT forensics needs to preserve evidence of the incident in a form that can be used in court. In addition, the attackers’ procedure can later be reconstructed through a systematic analysis of this data.
- Centralize crisis management and the emergency team: Furthermore, the crisis should be made a cross-company, central issue so that all parties involved pull together. Response speed also benefits when a pre-defined crisis management team can intervene quickly. This team takes the next step.
- Ensure communication: In an emergency, ensuring your own ability to communicate, both technically and organizationally, is an essential requirement. Technically, this is necessary because, especially in times of Voice over IP, telephony is part of the IT infrastructure and is therefore at risk of failing as well. It has therefore proven itself in practice to define alternative communication channels in advance; some companies, for example, use the Signal messenger for this purpose. Organizationally, the communication department should inform and reassure its own employees in order to avoid panic (fear for jobs, etc.) and to prevent rumors and wild speculation. It is also advisable to proactively inform the outside world, because experience has shown that such cyber attacks almost always come to light. Those who retain control of the communication here have a good chance of averting greater damage to the company’s reputation. And last but not least, the C-level board has to be informed about the current status every half hour so that it can make decisions quickly if necessary, for example about paying a ransom in the event of a ransomware attack.
- Involve external consultants: How do you negotiate with an extortionist? What legal questions arise from the highly complex crisis situation? Hardly any company will have the necessary know-how in-house. Therefore, external consultants with the appropriate specialist knowledge should be brought in.
- Observe reporting obligations: Which reporting deadlines apply to your own company under the GDPR? Do KRITIS regulations have to be complied with? Violations carry the risk of serious fines, which are unnecessary and only increase the financial damage. Therefore, you should not only inform yourself in advance about deadlines and obligations, but also find out the possible or required reporting channels.
- Analyze the status quo: After these preparatory steps, it is important to systematically get an idea of the extent of the damage. Which systems still work? What data is affected? What are the effects on the business? Is your own ability to deliver threatened, and do customers have to be informed? How long will it take to resolve the issue? Is emergency operation possible in order to keep producing at least in part?
Responding to cyberattacks: Prepare
In order for these steps to be carried out successfully in an emergency, practice alone is not enough. As many of the steps as possible should already be prepared in normal times so that they can run like a script. Similar to the emergency checklists of an aircraft, a detailed manual with emergency plans for various crisis scenarios helps here.
It is almost counterproductive if the members of the emergency team are only determined once a crisis has occurred. This only costs valuable time. Hierarchy should play a subordinate role in the selection of team members; this is about having the right know-how at the table. Within the team, roles for different damage scenarios have to be defined. In addition, a clear chain of command is necessary, because nothing causes more confusion in extreme situations than contradictory instructions. This includes defining the responsibility and decision-making power of the emergency response team. The preparatory work also includes preparing the communication. In a crisis there is no time for lengthy coordination and approval loops in which the appropriate wording is haggled over. Ready-made communication templates have proven themselves so that corporate communications can act quickly.
Since practice is often neglected in everyday business life, emergency tests should be defined as an acceptance criterion for IT projects. So that external experts do not have to be searched for at length in an emergency, the beyond participants recommend taking out cyber-risk insurance. This is advisable for two reasons: on the one hand, the insurers usually offer emergency support with appropriate specialists and consultants; on the other hand, they cushion the financial damage, which can be considerable, even though it is often possible to negotiate with ransomware extortionists.
After the cyberattack: The Importance of Backup
As much as cyber-risk insurance helps in an emergency, there is one thing it cannot do: it does not bring back any data. Therefore, special attention should be paid to backup and recovery. An annual backup/restore test should be standard. And test procedures have to be defined in order to guarantee the consistency of the backups and to find out whether malicious code is already present in the backup.
The backup should be the most secure system in the company, because all too often the attackers go for it first in order to make the backed-up data unusable. With this in mind, practitioners advise offsite backups. An air gap between the backup storage and the rest of the IT, in effect a moat, is optimal, so that no access is possible. In principle, only a few selected users should have access to the backups. And the backup operations themselves should be defined as a pull process so that other systems hold no access rights to the backup system. Furthermore, precise monitoring of access to the backup system belongs in the specifications, especially since it serves as an early indicator for detecting attacks, because intruders often try to paralyze or manipulate the backup systems first.
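The monitoring described above, as an added example that is not from the article or any company mentioned in it: a small Python check that runs over constructed backup-server access log lines and flags anything that contradicts the pull model (access from an account or source other than the backup server, access outside the nightly backup window, or destructive actions on backup sets). The log format, the allowlist and the window are assumptions made for this example.

```python
"""Flag suspicious access to a backup system, as an early indicator of an intrusion.

Added example; the log format, allowed accounts/sources and backup window below
are constructed assumptions, not values from the article.
"""
import re
from datetime import datetime

# Constructed policy: in a pull model only the backup server itself talks to the
# backup storage, with a small set of accounts, and only during the nightly window.
ALLOWED_USERS = {"backup-svc", "backup-admin"}
ALLOWED_SOURCES = {"10.0.50.10"}   # hypothetical address of the backup server
BACKUP_WINDOW = (1, 5)             # 01:00 (inclusive) to 05:00 (exclusive), local time
DESTRUCTIVE = {"delete", "purge", "prune", "disable-retention"}

# Hypothetical log line: "<iso-timestamp> user=<u> src=<ip> action=<a> [target=<t>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: target=(?P<target>\S+))?$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def find_alerts(lines):
    """Return one alert dict per line that violates the policy; clean lines yield nothing."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:   # a line we cannot parse is itself worth a look
            alerts.append({"raw": line.strip(), "reasons": ["unparseable line"]})
            continue
        reasons = []
        if ev["user"] not in ALLOWED_USERS:
            reasons.append("unknown account")
        if ev["src"] not in ALLOWED_SOURCES:
            reasons.append("source is not the backup server")
        if not (BACKUP_WINDOW[0] <= ev["ts"].hour < BACKUP_WINDOW[1]):
            reasons.append("outside backup window")
        if ev["action"] in DESTRUCTIVE:   # always reviewed, even when otherwise legitimate
            reasons.append("destructive action on backup data")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts

# Constructed sample log: two normal pull-model entries, a file server logging in
# and purging a backup set by day, and an admin pruning an old set in the window.
SAMPLE_LOG = """\
2024-03-01T02:10:00 user=backup-svc src=10.0.50.10 action=pull target=fileserver01
2024-03-01T02:45:00 user=backup-svc src=10.0.50.10 action=verify target=set-20240301
2024-03-01T11:32:00 user=svc-fileserver src=10.0.20.7 action=login
2024-03-01T11:33:10 user=svc-fileserver src=10.0.20.7 action=purge target=set-20240301
2024-03-01T03:00:00 user=backup-admin src=10.0.50.10 action=prune target=set-20231201
"""
```

Running `find_alerts(SAMPLE_LOG.splitlines())` returns three alerts: the two file-server entries (which break every rule, the second one destructively) and the in-window prune, which is flagged for review only because it is destructive.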
* Jürgen Hill is Chief Reporter Future Technologies at Computerwoche.