With the recent breaches at Colonial Pipeline, the Nantucket ferry, and JBS Meat Packing, it seems like every other day, we hear about new hacks and breaches. In the past, we’ve heard about the importance of becoming cyber resilient, how to create the right metrics for a cybersecurity infrastructure, and how to protect yourself from being hacked, but what about once you’ve been hacked? Who do you call? How do you handle it? What’s the best next step to take?
In this week’s Reimagining Cyber podcast episode, “So you’ve been hacked, now what?”, Shawn Tuma, Cybersecurity and Data Privacy Attorney and Partner at Spencer Fane, LLP, shares his experiences and best practices about what to do once you’ve been breached. Tuma’s decades-long career has focused on the litigation of cyber and privacy issues, proactive risk management, and incident response. Tuma acts as a “breach quarterback,” coaching customers through breaches and ransomware attacks.
Not just another sports analogy
First and foremost, having the right strategy in place is key, Tuma says.
“You’ve got to have a head coach that sees how the whole playing field is working, how all of these resources are working together and developing that strategic plan. The head coach is your CISO…Having that CISO in that role, I believe, is of critical importance.”
Tuma breaks down what he calls “reasonable cybersecurity,” into a playbook-style guide with four actionable steps:
- Evaluate your risks
- Develop a strategic plan to assess those risks
- Execute on the plan
- Constantly re-evaluate the plan
In an ever-changing and volatile cybersecurity landscape, it’s impossible to protect yourself from everything, so it’s important to have a fallback plan if you do get breached. A “breach quarterback” can help give direction once there is an attack.
I’ve been breached, now what?
As we’ve seen, breaches and ransomware attacks are becoming even more and more common place. Once you’ve been breached, it can be overwhelming to know the next best step to take. Reaching out to a cybersecurity attorney, like Tuma, provides an extra set of eyes and ears to help strategically approach the attack and next steps.
Common questions Tuma will ask are ones like:
- Are you using RDP access into your network? 50% of ransomware cases involve RDP access.
- How are you handling backups? Are you testing and validating your backups? Ransomware hackers won’t get paid if you have a backup. So they’ll take out your backups first.
- Are you using multi-factor authentication with your Office 365 or Google web-based mail? 90% of the cases he sees involve e-mail without multi-factor authentication
- Have you educated your workforce about phishing? While phishing attacks are now commonplace, it’s often assumed that people know what it is and how to prevent it. Remember to educate your teams as just pushing out policies and procedures doesn’t always ensure action.
What is cyber insurance and should I have it?
Tuma is a big advocate of cyber insurance. According to ZDNet, Cybersecurity insurance helps minimize the fallout from a hack or breach. In some cases, it will even cover some of the financial cost of the impact as well as recovery from the attack.
“I mean, look, if you don't have the money or the budget to put in an incident or a security program, or better your security, you're not going to have the money or budget to manage an incident response either. Poorly managing an incident response can lead to having it be much worse than it could have been if you'd have done it the right way,” he cautions.
Carriers are getting increasingly more specific and more educated on cybersecurity. Some even requesting Pen tests and risk assessments as part of their due diligence and application process.
“You need to listen to what the insurance underwriters are focusing on because they're looking at data and statistics of all these events they've had in the past through their, you know, actuarial process, and it's incredibly informed,” he said. “It's a great learning opportunity for the company to be able to, you know, to get the right people involved.”
Working with law enforcement
When the situation calls for it, Tuma will engage with law enforcement. Contrary to what we see on TV, law enforcement is not going to burst into your office and commandeer computers or databases. While engaging with law enforcement is important, due to already stretched thin resources, the onus will most likely lie with the company and their IT team, in the long run.
“In most cases, we're going to report to law enforcement, we're probably not going to see them engage back. We’ve got to do our work independent of them because they're not going to come in and save the day. The first step in that process, is many times, to file that IC3.gov report, which is what they will usually tell you to do.”
Building relationships before an incident occurs, is incredibly important.
“You need to reach out to your local field office, let them know, ‘Hey, you know, I'm the CISO of this company, we're here in your jurisdiction. We’d just like to visit about maybe what we can do to be better protected, who we can call if a problem arises.’” Tuma says.
Getting hacked is a CISO’s worst nightmare. Expect the best and prepare for the worst by evaluating and updating your cybersecurity strategy, engage early with law enforcement, and research and implement cyber insurance, if needed.
Does your company use cyber insurance? Which company do you use? Leave a comment below and let me know.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com and CyberResilient.com.