The Saying NEVER SAY NEVER Is More Applicable In Cybersecurity & Online Safety Than Ever
Businesses are aware they need to plan for their cybersecurity, but they don’t know they also need to plan for their failure!
All cybersecurity is ultimately dependent on people, and people fail.
In fact, people almost always fail – not every day, but eventually, someone will make a mistake. Cybersecurity must do the right things 100% of the time, but the bad guys only need one mistake.
Has your organization planned for failure?
Here is a suggested outline for an organization in the event of a cyber failure. It assumes that data has been accessed and that it was not just a hack but also involved some form of social engineering. It also assumes you are doing all of the good deeds on the IT front to secure your tools and platforms.
- Secure Everything – this is self-evident and obvious, right? But rarely do organizations do this. After a breach, almost any connected device can be a new backdoor – you found and fixed the primary entry point, but how do you know that your CEO’s connected phone has not also been compromised, or the accounts payable manager’s computer? Every device needs to be recertified as secure.
- Trace Everything – look at all potentially related transactions and business actions for compromises. This can include file moves, financial transactions, emails, etc. If an intruder gained access, then they may also have been engaged in under-the-radar actions.
- Blame Is Not Important – what matters is first fixing the holes, and then analyzing the causes. People will make mistakes. By blaming your people you make it much more difficult both to identify the real situation and to gain their willing cooperation after the fact.
- Overcome Paralysis – people who are attacked, even cyber attacked – be it a scam or ransomware or other technical attacks – will be fearful. They will not know (immediately) the extent of the attack or how far-reaching it may be. In such a situation people freeze. But your business needs to keep running.
- Plans Should Include – switching to alternate processes that your people know and can trust.
- Watch The Money – expect the attack to be related to data or money, and secure your accounts and processes that can be used to access your money. Freeze everything electronic until they are known to be safe.
- Stay Aware Of Your Assets – know which of them attackers might want, but also the potential impact throughout your organization when attackers access them – because eventually, they will.
- Communicate With Your People – all of your people. As said, people will be afraid; afraid they did something or that they are affected. A cyberattack should be a WHOLE OF BUSINESS response. No blame, just all hands on deck!
- Expect Fallout – have contingency plans in place for all nominal types of attacks to deal with the aftermath. Cyber insurance is not enough. Have legal plans, HR plans, banking plans, etc. Be comprehensive and VERY PARANOID!
- Provide Trauma Support – your employees, especially those in the line of fire, will experience some trauma – count on it! Each human will react differently based on their history and past trauma. Expect that someone will need counseling, up to and including your executives! This is where HR will have to step up and be the guide.
- Retaliation – forget it. Bring in the police and the FBI if appropriate, but let them do their jobs. If needed, bring in outside cyber forensic investigators. Wait for the real answers; don’t rush to assumptions. AND DON’T blame your people. If one of them made a mistake, acknowledge it and support them so they never make it again – but of course they will remain human and future mistakes will happen. How you treat your people after an attack will have a lot to do with the probability of the next one.
Plan For Failure
In short, whatever you need to do to plan for failure is what you need to do. It is going to happen to every business or entity. It is not a question of if, just when.
With the pandemic, we have all seen how we all failed to plan for a major contingency. Hopefully, we learned from this. Now let’s apply this to the global cyber pandemic we all face every day!
If your business needs help for the human victims of cybercrime, we are SCARS and we support cybercrime & scam victims worldwide! You can learn more about us at www.AgainstScams.org