Five practical steps to surviving a security breach
Why many businesses never recover after a cyber attack
We all have heard the statistics before:
- The AVERAGE cost of a data breach is $3.8 million. This number does not take into the “mega breaches” that occurred in recent years such as Anthem, JP Morgan Chase, Home Depot and Target (which reported a $148 million loss as a result of its breach).
- 71 percent of cyber attacks target small to medium businesses (500 employees or less)
- It takes the average company 205 days to detect they have been breached.
- 60 percent of small to medium businesses (500 employees or less) will go out of business within six months of a data breach.
The fact that we are more likely to be breached than not is no shock to anyone. But the question is this:
How do I actually protect my business, my customers, my data, (and my job), when a breach is inevitable?
The problem is not the lack of incredible technology or competent professionals; after talking with countless professionals, I believe the problem lies in the approach, our core beliefs about security and how those beliefs manifest themselves tactically which ultimately determines whether companies become statistics or not.
It has been my experience that those companies you won’t read about in the headlines are those which have taken these five steps. They are the ones which not only survive a security breach but thrive in spite of one.
Determine what “protecting your data” really means.
Security it a hot topic, and nearly every company playing in that space is feeding off of the fear we all have of being hacked as their primary marketing and sales tactic. I don’t know about you, but I am constantly bombarded with messages ensuring me that XYZ product will “protect” my data or ABC solution will keep my business “safe”. But it wasn’t until recently that I found myself asking the question, "So what does 'protect' mean?"
Honestly, it sounds like dumb question, but I’ve found that how each company answers this question (whether they have thought it through cognitively or not) tends to determine their fate in the instance of a breach. And as I thought about this for my own business and reflected on the countless conversations I’ve had over the last few years with clients and colleagues, this is what I concluded:
By default, if we don’t take the time to really think about the answer, most of us will give lip service to the idea of “assume a breach” and would strategically adopt that paradigm, but tactically, we have a tendency to treat cyber security like a castle. We end up building “walls” around our data with preventative security like antivirus, firewalls, SIEM, (the list is endless), and hope to God that those will keep the bad guys out and the data in.
But the real question is: Is that truly keeping us safe? These technologies are, indeed, vital to a solid security strategy, but any security professional worth their salt will tell you that none of these are impenetrable. It’s just a matter of time.
In my experience, the companies that (consciously or unconsciously) adopt this “castle” definition of protection tend to become statistics. My observation is that the survivors are the ones that have determined that truly protecting their business begins with going beyond their castle walls and addressing the real root of the security problem: understanding what’s really going on in their network.
Understand what’s really going on in your network.
If we take a moment and dissect the reasons why breaches are so devastating (and often fatal) to businesses -- the loss of money, smeared reputation, loss of jobs, closing of business, lawsuits, general misery -- at the core, it’s NOT because they didn’t have proper preventative security technology or incompetent professions. In fact, it’s not even because breach happened (because we’re all gonna be breached, it now the status quo).Because I guarantee you, all of the companies that had the names and reputations smeared across the headlines had top-notch security technology and dedicated teams of people whose sole job was to prevent an attack. And they got hacked.
The real consequences come when we don’t have a clear understanding of what’s really going on in our environment.
Think of it like a building with security cameras: The camera’s aren’t what actually ‘sound the alarm’ and secure the perimeter when something happens. But it’s the cameras, the visibility into our network, that allows us to capture what happens before an attack, trigger alerts that something is not right, and rewind the tapes to determine what happened and the quickly remediate of the damage after an attack.
If we were to liken attacks to a continuum, a stage of before, during and after, we spend the vast majority of our time money and effort prepping our business for the “during” stage when the alarms sound. In reality, it’s the lack of security cameras, preparation for the before and after stages that ultimately cause the most damage.
Because without visibility, it’s taking us an average of 205 days to detect a breach. Without visibility, it’s costing us an average of $3.8 million to deal with the consequences of not knowing exactly what happened.
The following three steps are ones we guide our clients through to tactically understand what is going on:
Identify what’s there.
Today’s IT networks are incredibly complex, with thousands of moving parts, making it very easy for there to be areas of the network that IT is unaware of, and, thus vulnerable. Hackers are taking advantage of this complexity to infiltrate areas and sneak in undetected and wreak havoc for months.
If we don’t identify what’s in our environment, how can we expect or defense tools to effectively protect it? There are lots of technologies that test for vulnerabilities within the network, but they will test only for elements in the network that they are aware of. If they can’t see it, they can’t protect it. Network visibility technology enables the creation of network maps that allow security teams to identify everything that is in their network and monitor everything in real time.
Baseline what’s NORMAL.
Visibility technology provides companies with a baseline understanding what “normal” behavior is for your business and allows security to quickly identify when something is abnormal. For example, let’s say all credit card swipe terminals should be registered to IP# x.x.x.x in Denver, and only that IP address. If you have baselined that as normal behavior, and anything outside of that as abnormal, you can quickly raise an alert when those credit card terminals start communicating with and IP address in Russia.
In going through this exercise, you can designate what is important, monitor communication, and in doing so, quickly identify abnormal behavior deeper in the network that might otherwise go unnoticed. Because not all security issues will manifest as a blatant attack – a lot of security issues disguise themselves as performance problems.
Think about it – if someone is sneaking terabytes of data out of your network, it’s not unlikely for that to create a bandwidth issue that will result in applications or networks that are under-performing. This technology allows you to quickly drill down to the root cause of those performance issues and determine if was a server glitch, bad application code…or something else.
Rewind the tapes.
If you were attacked, could I easily go back and “replay the tapes” to see what happened, triage the damage and remediate before irreparable damage is done? Without a doubt, one of the primary reasons companies lose millions (or go out of business) is because, after a breach, they have to spend months or years investigating what happened, how it happened or the extent of the damage.
Think about it like this: How much faster could you solve a crime, if you had access to the security tapes versus if you didn’t?
In 2012, FBI Director Robert S. Mueller III, was quoted saying this: “There are only two types of companies: those that have been hacked and those that will be.”
Whether we want to admit it, the reality of a breach is imminent. And if we want to survive, we HAVE to start thinking about security differently. And that starts with understanding what’s going on in our network.
How this is actually done will vary from company to company, but without these five components, we will be hard-pressed to understand what’s really going on, and surviving a breach will become a game of Russian roulette rather than a strategic plan.
Jill Brito is the Marketing Director at Vista Solutions in Fort Collins. She works with IT and business professionals who are worried about how to protect their data in an environment where breaches are inevitable, and are serious about developing strategies that give them confidence that their business would not only weather a cyber-attack but thrive in spite of it. Jill holds an MBA from Colorado State University and has been working in technology for over 5 years. Learn more about Vista Solutions.