Many governing boards over the past year have had presentations and discussions about cyber security, but most still treat it as an unlikely event.
However, it is no longer a question of whether a company will be breached or receive phishing/ransom attacks, but when it will occur. Actual cyber breaches do not get much publicity, as most organizations do not want to talk about them, but they should, in order to share experiences and possibly to put a stop to these serious situations.
I consult and sit on a number of boards, where I advise the directors to have a plan that includes the 10 steps outlined below to prepare for a cyber attack. I advise them to assume that hacking/phishing/ransom incidents are going to be successful, and that the goal is to limit the damage and recover more quickly.
The 10 recommended steps to get ready for a cyber attack
1. Have a decision-making process in place
Develop a decision-making process for cyber security issues, including the process for authorizing a ransom payment and how, and which, executives and Board members are involved in the decision. Then document the process and make sure that all involved are familiar with it.
2. Prepare a communication plan
This is very important, as it specifies who will be notified of the breach, in what manner and when. It should also include how the Board and staff will be kept up to date. Have both internal and external communication plans ready, with different messages depending on the issue. Develop an alert process to text all employees at one time with a specific alert. Create an email list unconnected to the organization’s email system so that employees involved in the recovery can communicate with each other when the corporate email system is unavailable.
3. Set up a process for Bitcoin purchase
Many ransomware attacks hold your systems hostage until a ransom is paid to the attackers in Bitcoin. Rather than scramble to obtain the cryptocurrency when it happens, be ready ahead of time. Getting a Bitcoin account opened and enough smartphones ready to receive the bitcoins (there is a limit on the amount of bitcoins a smartphone is authorized to receive on its first use) is time-consuming and is better done ahead of time. Also, anticipate a service fee of around 10 per cent.
4. Set up a firewall and antivirus system review
Have an internal and then an external review to ensure that all anti-virus software and firewalls are up to date, then conduct an intrusion detection test (also known as a pen test) at least semi-annually and report the results to the Board and senior management.
5. Practice business procedures with computers being unavailable
Determine how business will be conducted if all the computers are unavailable or if data is encrypted and not accessible. Best practice is to adjust the business continuity plan to accommodate up to two weeks of partial technology unavailability while data is decrypted. Or, better yet, have backups of your critical data ready to be restored at a moment’s notice.
6. Prioritize the process of recovering systems
A cyber attack may result in all the data and applications being encrypted. Once the decryption key becomes available, it is good to have a process in place to determine what needs to be recovered first: e.g., does payroll go before the financial system and email?
7. Develop a policy on data retention
This is important, since the more emails and files staff keep, the longer it will take to recover. If the policy specifies how much data and email should be retained, the recovery process will be faster.
8. Focus on regular applications and data backup processes
Backup and recovery procedures need to be examined, both from a security perspective and for efficiency. For example, determine whether your backups would be compromised by such an attack. Online external links should be well protected, especially online backups. Separate the backup data from the corporate data so that there is no online bridge between them.
9. Get the experts in ahead of time
Identify and engage a cyber security specialist ahead of time, both to provide an assessment of the present environment and to be called on when an incident occurs. You will receive better support if the expert is already familiar with your technology environment.
10. Preventive measures
There are a number of preventive measures that can be taken to mitigate intrusion. These include:
- Board and senior management educational sessions on cyber security and a review of the organization's readiness for such occurrences.
- All staff participating in quarterly educational sessions on technology security and cyber security.
- Contractors and staff re-signing their Confidentiality Agreement and Computer Use Policy, which address cyber security, as part of the annual performance appraisal process.
As the saying goes, you can never be too rich, too thin, or totally prepared for a cyber attack, but you can mitigate it so that it has less impact on your business.