Insights Report: Cybersecurity: What to do after an attack?

The second cybersecurity discussion at the Club talked about how companies can respond after a cybersecurity breach, with guest experts:

  • Stefano Ferretti, Managing Director of IMQ Gulf
  • Kawther Haciane, IBM Security – Leader – Gulf, Levant & Pakistan
  • Paolo Sardena, IMQ Intuity
  • Thomas Heuckeroth, Senior Vice President, IT Infrastructure & CyberSecurity, The Emirates Group
  • Doug DePeppe, Esq., Lawyer & Founding Partner, EOS Edge (Virtual)
  • Moderator: Thomas Paoletti, Owner & CEO, Paoletti Legal Consultants

How does a cyberattack happen?

  • Hackers are malicious individuals or groups; in modern cyber terminology they are called ‘threat actors’, and their aim is usually to make money.
  • After identifying the target company, the threat actors build a profile. This involves finding out more about the people working in the company, such as obtaining their email addresses. In most cases, social engineering is the easiest way to get inside a target organization.
  • The technical aim of a cyberattack is to compromise as many systems and devices inside the target organization as possible, with the final goal of breaching data, stealing information and launching the well-known ransomware attack: malware that encrypts all the data and demands a ransom.
  • Using easy-to-obtain open-source tools, the company’s website was cloned. An email is then crafted to look very similar to a genuine one, with the domain name slightly changed (‘cybersquatting’).
  • The attacker’s software then establishes a connection that completely controls the company’s device. The user has no clue what is going on; it all happens completely stealthily.
  • The hacker remotely deletes the user’s files and replaces them with malware.
  • You have just been hacked.
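Added here as a defender’s illustration of the ‘cybersquatting’ step above (this is not code from the report or the panelists): a small Python check that flags email sender domains that merely look like a trusted domain. The trusted domain names and sample headers are constructed for the example.

```python
import difflib
import re
import unicodedata

# Constructed list of domains this organization legitimately sends from
# (hypothetical names, not taken from the report).
TRUSTED_DOMAINS = ["example-club.ae", "example-club.com"]

# Digit-for-letter swaps commonly used in look-alike domains.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Fold accents, digit look-alikes and letter pairs that mimic one letter."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode()
    return folded.translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header such as 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    # Exact trusted domain, or a subdomain the organization controls.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(domain)
    for real in trusted:
        real_norm = normalize(real)
        # Same string once look-alike characters are folded (examp1e, exarnple).
        if norm == real_norm:
            return "lookalike"
        # Real name used as a leading label of an attacker-controlled domain.
        if norm.startswith(real_norm + "."):
            return "lookalike"
        # A character or two added, dropped or swapped (example-clubs.ae).
        if difflib.SequenceMatcher(None, norm, real_norm).ratio() >= 0.85:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from the discussion.
    for hdr in ["Events <events@example-club.ae>", "hr@examp1e-club.ae"]:
        print(f"{hdr!r}: {classify_sender(hdr)}")
```

Run against a mail gateway’s From: headers, a ‘lookalike’ verdict is a cheap trigger for quarantine or user warning before anyone clicks on a cloned page.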

What are the trends in cybersecurity in the GCC countries in 2023?

  • In the GCC, the most targeted industries are financial services, followed by health care and then energy, due to the oil and gas companies in this region. The GCC organizations are less prepared for a cybersecurity attack.
  • Forensics show that, most often, a company does not know it has been breached until almost six months later, when systems go down. Often the threat actors are insiders.

From the USA, can you share an example of the most challenging incident response that you have had to handle from a cyber law perspective?

  • It was in the health care industry and involved the loss of some personal data through an IT staff member. The organization’s HR policies for departing employees did not address the unique access available to an administrator in the IT department. Because nobody thought to completely remove his access when the IT professional left, he could still retrieve files remotely with his credentials.
  • The complication is determining what is legally considered a criminal data breach versus a non-criminal compromise.
  • Multiple parties were involved, including victim counsel, the company’s legal team, counsel for the former employee, the forensics team, etc., with a lot of time and expense.
  • Lesson learned: cybersecurity also includes policies and governance.

What does a company need? Simply a good, computer-savvy person, or does it require a deeper and different training approach?

  • A holistic view is needed. We need to make cybersecurity relevant as part of a broader agenda and make it easy and intuitive. How do you bring in the right technology to help people solve those problems?
  • It is about preparedness, but also an acceptance that a breach will happen: what are you going to do? You need to have a plan for what to do after an attack, instead of reacting to it as an emergency.
  • The human factor is key because it is the most difficult to train, but the problem is that most companies still adopt a bottom-up approach. It needs to be a strategic investment decision from the top, because it is a threat to the brand, business, and reputation.
  • Being properly prepared instead of operating in reactive mode can make a monumental difference in response time: a couple of days compared to months of havoc and loss. Many SMEs cannot survive an attack.
  • The challenge of cybersecurity is that it is impossible to be completely secure. So how do you prepare when it is impossible to be fully secure? It is about being reasonably secure, and this depends upon the type of business practices you have. There are heightened threats to certain sectors, and those need a higher bar of security.
  • Understand your risks and then build security features and prioritize them based upon what is most likely to work.

How has remote working increased the risks?

  • Working from home has multiplied the risk factors. Children and other family members using their devices on the home network add to the risk to your connection and operating environment.
  • We now have people, process, and technology controls. In remote working situations, more training of people is required, since they are the weak points.
  • It has become a big challenge for chief information security officers. The perimeter has moved from just technologies to user practices. Often staff are given devices and must log into cloud services, with multifactor authentication, etc.
  • Since more users are driven to the cloud, security becomes a pooled resource, so costs can be shared. In a way, more computing through cloud resources has helped improve security a little.

What is the zero-trust approach?

  • Zero Trust is not about technology but a mindset. Every organization needs to tweak it to what fits for them. The zero-trust principle is about making sure you consider everything a threat. How do you give the right access to the right people and processes? And how do you confirm this access? Globally, only 20% of organizations have started this journey.
  • There are technologies that ease the entire process, such as multifactor authentication, privileged access management and identity management. But they are difficult to implement if the effort is not led by the business leader rather than the CISO. It must be a holistic approach: HR, marketing, finance, and all other departments need to learn how to open and close doors properly.
  • The CISO needs to think like a hacker and understand real life situations.

What does the term ‘breach coaching’ mean and how is it performed?

  • The insurance industry coined the term to describe coaching the incident response team. They need to determine what data is well encrypted and therefore not breached. If you have state-of-the-art encryption, then the information cannot be destroyed, divulged, or determined. In many situations, this is not a data breach.
  • The breach coach works hand in hand with the incident response team. While the team goes in to restore the network, isolate and remove the executable malware, etc., the breach coach identifies where the personal information or sensitive data is stored and establishes whether a compromise has occurred.

What is your advice about paying ransom?

  • In principle, you should never pay ransom, as it drives behaviour. The more people pay ransom, the more attractive the market becomes for the bad guys who ask for it; it is a growing black market.
  • It all comes down to the business problem you are facing. If you are critical infrastructure and you need to keep running your nuclear power plant, you will assume that you are going to pay the ransom.
  • If you can survive as a company because your financial data is encrypted, then don’t pay.

How do you bring the senior leadership on this journey of being more risk aware, risk averse, and understanding that the policies are there to protect them?

  • It is important that they understand the threats that are targeting this country or this region, and then how this translates into their day-to-day operations. You must do risk quantification. When you use a framework and quantify in dollar value, this is not disputable, and it is much more meaningful for leaders. Oftentimes it takes an incident before the change happens. That is unfortunate, but quite common.