In our most recent blog, we looked at the first step towards guiding your business through a cyber security incident, and outlined the importance of preparation. Creating a robust response plan that has the support of all team members from the board right down to the IT team and everyone in between means the entire organisation knows what needs to be done, and who is responsible for overseeing it. That, however, is just the first step in the process. The second is the identification and detection of potential and existing cyber threats.
Defining the Threat
Just as you need to define what tasks need to be done to prepare for cyberattacks, and who is responsible for overseeing them, it is also important to have an organisation-wide understanding and definition of what a cyber security incident is, and the different types of cyberattack you could be facing.
The creation of an up to date glossary of the more common types of cyber threats, including ‘hall of fame’ examples, will help your entire team know what they are. To be able to detect and identify cyber security incidents, you need to have at least an idea of what you are looking for. Knowing the threat exists is an important line of defence, but putting a name to each will also help your organisation better communicate any arising issues or events.
This glossary doesn’t have to be a comprehensive history of cyberattacks, but an overview of the types that businesses face, with a brief explanation of each. For example:
- Social Engineering (a team member is manipulated or tricked into revealing passwords or other network access information)
- Unauthorised Access (Gaining access without permission to a network, system, application, data, or other IT resource, usually as the result of careless IT security practices or weak access or authentication procedures)
- Malware and Ransomware – (Malicious code-based attacks that compromise your network and systems, restricting usage until demands are met)
- Inappropriate Usage – (Violations of computer policies and inappropriate behaviour resulting in exposure to security threats – a particular problem if the company has a mobile workforce or operates a BYOD policy whereby staff use the same device for their work and personal lives)
- Data loss, leak or theft – (The loss or theft of confidential or personally identifiable information)
This last one is major, with GDPR now on its way. Data loss incidents can have a big financial impact, especially with the fines GDPR threatens to hand out.
Knowing what cyber threats are out there and creating a cyber security culture will help your staff in detecting them, but people are human, and make human errors. On top of that, cyberattacks are now becoming extremely sophisticated, and the people behind them are professionals at what they do, so a cyber security incident can still happen, even with the best of policies and best practices in place. What’s important, then, is that you are able to detect the dangers.
Detecting a Cyber Security Incident
People power
Your workforce may be the weak link when it comes to protecting your business against cyberattacks, but they can also be the sentries at the posts, sounding the alarm at the first sign of trouble. They need to know what they should do if they notice something strange going on with their computer or device, from filling in a form for formal incident reporting (the network seems unusually slow since last Monday), to an email contact address for informal reporting (has anybody from IT been accessing my account?), to a direct phone number for IT help in the event of an emergency (help - there’s a skull and crossbones laughing at me on my computer screen).
Detection/Protection Technology
Technology makes cyber attacks possible, but it also protects against them, and you should consult with your in-house team or outsourced IT support about the levels of cyber security you need to implement into your business technology, based on a security audit.
Firefighting technology that detects and removes cyber threats as they happen can work wonders, but it is always more beneficial to have adequate protection in place before an event occurs – during the preparation phase – to give your organisation the best chance of not only avoiding the majority of risks, but also being able to trace the root cause of any event that does slip through the cracks.
Detection Tools
First and foremost, keeping your software and virus scanners up to date will help you detect any standard new threats to your networks and systems, as these will have in-built sweep functions that update frequently. You should likewise update your software regularly and install patches as soon as they become available to have the most recent versions and accompanying support.
For more advanced cyber threats, you will need specialised tools. Those used to detect intrusions and cyberattacks come in many different shapes and sizes, and are usually tailored towards a specific purpose, so again it is advisable to talk to your IT support team about what you need to identify any cyber security incident.
It is important to remember that there is no magic spell or silver bullet that will enable you to detect any and every cyberattack, but a combination of tools that work across your organisation’s network should help you identify the majority of them.
Use What You Have
Your organisation can also use the information you already have on your network to detect intrusion or cyberattacks. Access and operational logs detailing access to servers, apps and files can be used to create rules and trends that help in the detection of strange or invalid traffic such, as frequent visits to non-relevant websites, or log-in attempts by unrecognised personnel.
Context is also important here, informing the security set-up of the relationship between current and known acceptable activity. Unusual activity such as a team member downloading a large file on a Saturday evening may at first seem odd, but not if that person routinely communicates with an overseas client at that time. If there is no logical reason why such activity is taking place, however, this threat detection should be acted upon.
What Your Cyber Security Detection Should Include
End to end visibility
Cyber threats are stealthy, and often come from more than one angle, or change their entry point to avoid point solutions, so rather than looking at one aspect of the attack, a comprehensive overview of the network that enables the IT security team to see what is happening across the organisation’s systems, and any knock-on effects of user activity, will help to detect harmful activity.
Real-time analysis
Speed is essential when fighting a cyberattack, so real-time analysis should be implemented. Data-driven intelligence helps your IT security team quickly identify and act on threats.
Lateral Thinking
A cyberattack won’t always try to come in the front door of the system they want to infiltrate, but will move laterally, looking for a less secure one that can act as a gateway in. It’s the same principle as when a thief might find it difficult to break directly into a bank to rob the vault, and instead looks to break into the bakery next door because it shares an attic with the bank.
Detection tools must also be able to monitor the entire internal network and detect when any system is compromised, and track where the attack moves from and to.
Cyber threats are constantly evolving and becoming more difficult to detect, but if your organisation can help team members to understand and recognise the more common types of cyberattack, and works with an outsourced IT consultant such as pebble.it to implement the right detection tools, your business should be better equipped to identify when your IT security has been breached, and act accordingly to remove the threat.
Our next blog will look at this stage of guiding your business through a cyber security incident – the actions to take. For now, find out how we can help keep your business secure from cyber threats by getting in touch, and download our IT Security Checklist:
