Focus on threat detection and response to help beat the clock after a cyberattack

Speed is vital during a cyberattack. The quicker a company can respond to an incident, the greater the chance to minimise the negative impact it has, according to Kroll head of EMEA cyber risk, Andrew Beckett.

Despite the amount of attention around cybersecurity, attacks are growing in volume and complexity and the Covid-19 pandemic has exacerbated the difficulties. With a large portion of staff working remotely, it has become more challenging for companies to safeguard their data and gain visibility of threats across networks and endpoints. On that point, 93% of organisations suffered a compromise of data over the past 12 months and of those, 49% were hit by at least four incidents, according to research from Kroll. Worryingly, 82% of security leaders fear their organisation is still vulnerable to attack.

Beckett sees remote working as one of the biggest challenges facing firms today. Remote employees may no longer be under the same watchful gaze of the information security team, their new working devices and home networks are likely to be less protected than at the office, opening many new opportunities for attackers to compromise users and subsequently, the corporate network.

Another problem with remote working is that staff are increasingly reliant on personal devices. While adopting a bring your own device policy may save costs from not having to buy computers for all remote staff – it means security staff may lose visibility of users’ behaviours. A personal IT system will not have the same level of monitoring as a corporate device. Besides the increased risk of compromise, there is also the problem of how to ensure data is properly stored and then deleted from a personal computer. If an employee leaves, how can a firm be certain they deleted all private information saved on the computer, or that documents were properly stored and backed up?

Beckett said, realistically, for the next two years businesses are going to be fighting to restore normality. They will need to understand where their data is now and what is stored on hardware outside of their control.

This is why it is crucial for companies to implement a threat detection and response system that can increase visibility for security leaders and help track access to systems and resources. Threat detection services like those offered by Redscan, which was acquired by Kroll earlier this year, empower organisations to log and track suspicious activity, such as network connections from unknown locations and whether data is being copied to external devices. Also, if there is a successful phishing attempt or breach, companies can detect it and respond to it quicker, thereby minimising potential damage and disruption.

“In medical terms, you talk about the golden hour after a heart attack or after a stroke. That is very much what we’re delivering here – early detection and early response. The quicker you can respond, the better you can minimise the negative impact of a cyber incident on your organisation. You can quickly start to contain the malware, stop the attacker moving laterally across your network and then throw them out.”

However, threat detection and response systems can be tough to implement correctly due to their technical complexity. An organisation can have thousands of endpoints, systems and applications. Monitoring therefore needs to be unified to give a holistic view of what is going on in an organisation. For most companies, this is beyond their capacity to handle in- house. Kroll research showed that 76% of organizations use third-parties as part of their detection and response process, and 55% of respondents identified improvement in the time to contain and remediate threats as the key benefit of working with third-parties.

Specialist providers of Managed Detection and Response (MDR) services, like Redscan, monitor networks, endpoints and cloud environments on behalf of their clients 24/7/365 and use their experience to proactively identify external attacks as well as unusual user behaviour. Beckett said, “For every zero day that is used for the first time, there are literally tens of thousands of repeat attacks that have been seen before. If you’ve seen it before, you know how to respond. If you know how to respond, your responses are faster.”

The damage of an attack

It is tough to assess what the biggest risk firms will face following a breach. It depends on the scale of the incident, the firm itself and how quickly everything was resolved. However, most boards will always be concerned about any negative connotations associated with the brand following an attack, Beckett said. In a recent research from Kroll, 64% of security leaders identified reputational damage as their greatest fear following a cyberattack.

Another major worry for boards is the reaction from regulators. When a company suffers a breach, there are often complex regulatory requirements to report the incident to relevant supervisory authorities. Following an investigation, the regulator will assess whether any penalties should be imposed, such as increased regulatory scrutiny or the imposition of substantial fines. Ultimately, the compliance costs are “going to go through the roof,” Beckett said.

However, this doesn’t have to be the case. If a firm has a threat detection capability in place, the brand damage and response from regulators could be minimised. Redscan’s MDR platform gives companies the ability to detect breaches early but also helps to evidence what has happened during the incident. This includes information such as what systems and files were accessed, what they read and importantly, if any data was exfiltrated. By understanding the true extent of a breach and being able to forensically prove what data and systems an attacker accessed, a company can strengthen their defence narrative and potentially minimise the impact of regulatory actions. Having appropriate controls and procedures in place to proactively identify attacks can also demonstrate a mature approach to cyber security and data protection.

Beckett said, “We have historically seen that where we’ve provided those services, regulators have taken a very fair stance. When we demonstrate that the client has complied with regulations, taken appropriate steps to safeguard data, and that they have not been fast and loose with personal data, the regulator is more inclined to accept that they have been hacked and should be considered a victim. That puts you very much on the front foot with the regulators rather than on the back foot.”

Setting up the team

While each company is different, there are a few additional measures a company can implement to ensure they are best prepared. Staff awareness training comes near the top of that list. Staff are the first line of defence and their training can prevent a lot of attacks. Human error caused around 90% of cyber data beaches in 2019, according to research from CybSafe. If companies better train their staff on how to spot attacks, how to report suspicious activity and what to do once an attack occurs, they can go a long way to minimising risks.

However, cyber awareness does not just stop at the general workforce. Beckett believes the best approach to cybersecurity is to have the board lead by example. He said, “We see companies where there’s a security policy in place for the staff to comply with, but the board ignores it because it gets in the way. They ask why they should have to use multi-factor authentication to see their emails, but they’re the ones most likely to be targeted by phishing attacks.”

Not only should they abide by cybersecurity procedures, Beckett believes the board should also be talking about cybersecurity on a regular basis. They should question if they have the right security in place, how many incidents they have had, what can be learned from breaches, whether to adjust budgets. They should also ensure there is a cyber incident response plan in place and that it is regularly practised. It is no use having a plan if it has not been rehearsed, Beckett explained. “When you practise them, you build that institutional muscle memory, to enable the response to be faster so that golden hour can be effective. It prevents time spent running around asking who’s got this, what has happened and where do I find the information?”

Beckett concluded, “Security professionals have known for years that a security strategy centred around prevention is no longer effective. Threats are more sophisticated and persistent than ever. Companies need to be improving their ability to detect suspicious activity early. Whether that is through increased awareness of staff or the deployment of EDR/MDR systems, early detection and rehearsed response greatly increases the chances that an organisation can contain the threat and respond before serious damage is done to their data, systems or reputation.”

Copyright© 2021 FinTech Global

Enjoying the stories?

Subscribe to our daily FinTech newsletter and get the latest industry news & research

Investors

The following investor(s) were tagged in this article.