Why Organizations Should Think More Holistically About Preparing for and Responding to a Security Breach
In a recent episode of Agent of Influence, I talked with Sean Curran, Senior Director in West Monroe Partners’ Technology Practice in Chicago. Curran specializes in cybersecurity and has over 20 years of business consulting and large-scale infrastructure experience across a range of industries and IT domains. He has been in the consulting space since 2004 and has provided risk management and strategic advice to many top-tier clients. Prior to consulting, Curran held multiple roles with National Australia Bank.
I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music or wherever you listen to podcasts.
Cybersecurity Challenges of COVID-19
From Curran’s perspective, the COVID-19 pandemic has created a lot of challenges for organizations, many of which weren’t prepared for this situation. For example, some organizations primarily used desktop computers and now their employees are being asked to work from home without laptops, which is particularly hard at a time when hardware is difficult to source.
In addition, many companies had processes in place that they never tested – or their processes were too localized. While many companies are prepared to withstand a disaster in one location – for example, Florida in case of a hurricane – COVID-19 has affected the entire world, and organizations weren’t prepared to withstand that. The widespread global impact is why most companies’ disaster recovery and business continuity plans are failing.
The same thing goes for cyberattacks – they aren’t localized to a particular building or region, which is a challenge when most companies are only set up to lose a single building or a single data center.
As during other similar situations, we have seen an increase in cyberattacks during the COVID-19 pandemic, meaning organizations are not only having to implement their business continuity plans on a very broad scale, but also ensure cybersecurity during a heightened period of attacks.
What Makes an Organization Prone to a Security Breach?
People. Budget. And more. Sometimes it’s just that the organization is focused on the wrong things. Or they still believe that security is the security team’s responsibility – but it’s everyone’s responsibility.
Curran has seen organizations with a small number of employees and low budgets do some really amazing things, showing it comes down to the capability of the individuals involved and how interested they are in security.
Organizations also need to strike a balance of protecting themselves from old attack methods while thinking about what the next attack method might be. Attackers are very good at figuring out what security teams are looking at, ignoring it, and moving on to the next delivery mechanism. At the same time, ignoring an old attack method isn’t necessarily the right approach either because we do see attackers re-using old schemes when people have moved on and forgotten about it – or combining several old attack methods into a new one.
Key Steps After a Breach
It’s critical to first understand the point at which your employee fell victim to the virus. The day the antivirus program alerts you that you have a virus isn’t necessarily the day you got the virus.
Then you need to understand what the virus did when someone clicked on a link. Was it credential stealing or malware dropping?
To understand this, you can use toolboxes, which allow you to drop an email, an application or point to a website, and the toolbox will tell you what the virus did. Curran uses a tool called Joe’s Sandbox.
Once you understand what the virus did, you can determine next steps. For example, if it was credential stealing, you need to think about what those user credentials have access to. It’s critical to think holistically here – if the user gave away internal credentials, are they re-using those for personal banking platforms or a Human Resources Information System (HRIS)? People tend to think myopically around active directory, but Curran argues that we need to start thinking beyond that, especially as we start using cloud services.
Curran pointed out that social communication is happening on almost every platform, including Salesforce, Slack, and more. Everything has a social component to it, meaning also that there’s a new delivery mechanism that attackers could start to use.
It’s critical for organizations to start thinking more holistically about how they prepare for and respond to a security breach. For many organizations, the COVID-19 pandemic has created a perfect storm of trying to implement business continuity plans that weren’t tested or up to the task, while also ensuring security during a heightened time of cyberattacks.
To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.