17/11/14

By Andy Settle, Cyber Security Director, Thales UK


If your business comes under cyber-attack you need to be prepared for the worst-case scenario and, crucially, you need to be ready to respond promptly and proactively to take immediate control of the situation. This 'how to' guide will take you step-by-step through the emergency response best practice, detailing the challenges against firms today and how they can be overcome.

Nowadays, external cyber-attacks multiply faster than legacy IT security solutions can keep up with. Cyber-attack groups have an interest in compromising companies of all sizes in all sectors of business, so everyone is a potential target. Whether it's stealing intellectual property, using a network to attack others, or for more strategic reasons, the threat is manifold. Cyber hacks are rarely isolated incidents, yet many companies make the mistake of adopting a 'whack-a-mole' approach to cyber security, patching vulnerabilities as they crop up instead of fully addressing the underlying threat. Here are some top tips for how organisations should go about tackling these hurdles:


Step 1 – Remember the insider threat

Many companies are so concerned with protecting against threats outside the organisation that they forget to combat the potentially significant insider threat, which can arise either through malicious intent or unintentional ignorance. To combat the threat from employees, firms need to invest in employee security training and awareness programmes to avoid accidental breaches. This can arguably offer greater ROI than investment in expensive security infrastructure and software deployments. Educating your staff both on your company's own security policies and procedures, and on industry best practice and regulatory standards, will greatly reduce the risk of an incident resulting from poor or absent education.

There are also a number of IT-administered employee controls which organisations should consider, such as network monitoring technology which alerts the necessary parties when rogue devices connect to the network, whether to infect a corporate IT system or to transport sensitive corporate data to another physical or digital location. This means regular checks for malware and vulnerabilities within the organisation and its supply chain.


Step 2 - Team up with a cyber-security technology partner

Organisations of all sizes should regularly screen their systems for vulnerabilities and malware to catch attacks early. Thales has audited many large organisations which believed themselves secure – in around 80% of cases we found their networks crawling with malware. Ultimately, if an organisation can show it carried out regular audits and had a sensible plan in place to lock down the incident and communicate with customers at the soonest sensible point, it will suffer much less reputational damage.

When an incident does occur, organisations need an Incident Response plan. We'd like to see companies appoint a first responder: someone who knows what to do when a breach is discovered. This person doesn't have to know everything about security, but they need to know who to call, i.e. their defence supplier.

Earlier this year Thales UK announced the launch of Critical 48, a cyber-response package which helps companies assess and contain the threat in the critical 48 hours following the discovery of a breach. It is designed to offer attack victims an extensive range of capabilities – from an initial consultation to malware analysis, remediation and reporting.


We would recommend adhering to the following steps in the immediate 48 hours following a breach:

1. Obtain an initial consultation from your defence supplier to assess the nature of the incident, the level of infection and the extent of data loss. Analyse any malware or other evidence discovered and remediate where possible.

2. If, from this initial consultation, you can resolve the incident and return business to normal, do so. If not, obtain recommendations to prevent the attack continuing and get a detailed report of the next steps to take in order to get secure and stay secure.

3. Alert your customers as soon as possible. Of course, you aren't necessarily at fault if you are unable to do this immediately, as doing so may tip off an attacker and compromise your ability to secure your data. But once things are secured, you must alert your customers and ensure adequate measures are taken (passwords changed, etc.). Delays for reasons other than improved security are hard to justify.

4. Work with your supplier to correct the problem and put additional protective measures in place – security is never 100% foolproof, but there are many measures you can put in place to give your organisation the best chance of survival.