The period before an attack can last as long as the attacker chooses. During this phase, the attacker scouts its prey (your company) to understand its technical defenses and identify its vulnerabilities. For defenders, this is the time to take three critical steps.
Create awareness among both IT and nontechnical staff of the potential for cyberattacks. Simple yet powerful ways to raise awareness include distributing mail and video messages from top management; reporting attacks or incidents on the company’s intranet site(s); and—emulating a best practice of businesses in the mining, construction, and engineering industries—making “safety moments” a mandatory part of every company meeting.
The company should supplement its ongoing awareness campaign with appropriate training. It is critical that your IT staff be able to recognize early signs of an attack, distinguish an attack from unexpected but legitimate behavior on the part of the company’s IT systems, and react effectively. You should strive to create a culture that tolerates false positives—IT staff should not have to worry about crying wolf too often. You should also ensure that nontechnical staff understand the importance of being prudent—for example, not clicking on unexpected e-mail attachments. Such prudence is vital, as today’s cyberattackers are both aggressive and devious. Over the past couple of years, for example, attackers have increasingly targeted senior executives’ assistants with “spear phishing” attacks (which rely on individualized, often highly tailored e-mail messages spiked with malicious attachments). A successful attack of this type can be as valuable to the attacker as one that gains direct access to the accounts of senior executives themselves, since many executive assistants have full access or far-reaching delegate rights to their bosses’ mailboxes, calendars, documents, and contacts (which can be helpful to an attacker seeking to build the next step in a targeted attack).
The company should also stress the importance of such prudence to technical staff, whom attackers often target with similar tactical assaults. Administrators of pivotal IT systems (such as central infrastructure services, essential business systems, and the company’s communications infrastructure) are especially popular targets of carefully designed social engineering attacks, as well as of attacks on their private personal computers by outsiders seeking entry into the company’s systems.
Employees throughout the organization should receive tailored training—and the training effort should start at the very top, with the organization’s C-suite, board of directors, and even supervisory boards. Those individuals can benefit tremendously from awareness and enablement sessions, tabletop simulation exercises, and full-fledged war-gaming sessions. For technical people, the training should include special skills training—for example, lessons in how to harden systems, detect systems that do not conform to policies, and write realistic policies. For general staff, social-engineering awareness training can be very useful, especially when combined with real-life testing (using company-commissioned fake phishing e-mail messages, for example).
Think carefully about the design, implementation, and configuration of your company’s technology system—especially access rights. Ensure that it covers the basics. Confirm that your technical staff have configured IT systems securely and have hardened them against attack to the extent possible.
Aim for a reasonable role-based access management system for nontechnical staff—one that keeps people separated from applications or data they don’t need. (The use of expiration periods to limit access for people in specific roles is one effective way to restrain “privilege creep.”) The same approach should apply to IT staff, confining their reach to systems that they need unfettered access to, ensuring that they do not claim higher-than-necessary privileges (for example, system administrator rights) for routine tasks, and enforcing appropriate logging for activities that do require higher privileges.
It may help to look at the practices of government entities, which commonly vet staff and assign them different security and access classifications, with different levels of permission to use certain systems. Such fine-grained control may not be economically feasible for all organizations, but studying approaches that involve this degree of sophistication can provide valuable insight into how a company might establish roles and rights in a simpler security design.
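The access-management ideas above (role-based rights, expiring grants to restrain privilege creep, and mandatory logging of privileged activity) can be illustrated with a small model. The following Python code is an added example written for this page, not code from the article or from BCG; the roles, permissions, users, and time values are constructed, and the “standing privileged grant” review is one simple way to surface privilege-creep candidates, not a prescribed method.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: role -> permission mapping for a fictional company.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "finance-analyst": {"ledger:read"},
    "finance-controller": {"ledger:read", "ledger:write"},
    "sysadmin": {"ledger:read", "server:restart", "server:admin"},
}

# Permissions whose use must always leave an audit record, allowed or not.
PRIVILEGED: Set[str] = {"ledger:write", "server:admin"}


@dataclass
class Grant:
    role: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None = standing grant with no expiry


@dataclass
class AccessManager:
    grants: Dict[str, List[Grant]] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def grant(self, user: str, role: str, now: datetime,
              ttl: Optional[timedelta] = None) -> None:
        """Assign a role to a user; with a ttl the grant lapses by itself."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        expires = now + ttl if ttl is not None else None
        self.grants.setdefault(user, []).append(Grant(role, now, expires))

    def active_roles(self, user: str, now: datetime) -> Set[str]:
        """Roles whose grant has not expired at time `now`."""
        return {
            g.role
            for g in self.grants.get(user, [])
            if g.expires_at is None or now < g.expires_at
        }

    def permissions(self, user: str, now: datetime) -> Set[str]:
        perms: Set[str] = set()
        for role in self.active_roles(user, now):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def authorize(self, user: str, permission: str, now: datetime,
                  justification: str = "") -> bool:
        """Decide access; privileged permissions are logged whether allowed or denied."""
        allowed = permission in self.permissions(user, now)
        if permission in PRIVILEGED:
            self.audit_log.append({
                "at": now.isoformat(),
                "user": user,
                "permission": permission,
                "allowed": allowed,
                "justification": justification,
            })
        return allowed

    def standing_privileged_grants(self, now: datetime) -> List[Tuple[str, str]]:
        """Privilege-creep review: grants with no expiry that carry a privileged permission."""
        findings: List[Tuple[str, str]] = []
        for user, grants in self.grants.items():
            for g in grants:
                if g.expires_at is None and ROLE_PERMISSIONS[g.role] & PRIVILEGED:
                    findings.append((user, g.role))
        return findings


def demo() -> AccessManager:
    """Constructed scenario: an analyst with a 30-day elevation, an admin with a standing role."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    am = AccessManager()
    am.grant("alice", "finance-analyst", now=t0)
    am.grant("alice", "finance-controller", now=t0, ttl=timedelta(days=30))
    am.grant("bob", "sysadmin", now=t0)
    am.authorize("alice", "ledger:write", now=t0 + timedelta(days=1), justification="month-end close")
    am.authorize("alice", "ledger:write", now=t0 + timedelta(days=31))  # elevation has lapsed
    return am


if __name__ == "__main__":
    am = demo()
    for entry in am.audit_log:
        print(entry)
    print("standing privileged grants:", am.standing_privileged_grants(datetime.now(timezone.utc)))
```

Two design points carry the weight here: an elevated role is granted with a time-to-live, so forgetting to revoke it results in a denial rather than a lingering privilege, and every use or attempted use of a privileged permission is recorded with a justification field, which is what makes later review of administrator activity possible. The `standing_privileged_grants` report lists the grants that bypass the expiry mechanism and therefore deserve periodic recertification.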
Plan for during and after while you still can. In the period before an attack, companies can act under their own control. But when a serious attack is underway, they may be reduced to reacting or, in a worst-case scenario, simply watching as the attack unfolds. Operators of the Ukrainian power grid found themselves in precisely this state when attackers hacked the grid in December 2015.
Beforehand, companies can focus on taking steps to prepare for an attack and its aftermath. These measures include what we call the “cybersecurity 101s,” which include identifying the company’s most valuable assets, identifying risks, defining protection objectives, and instituting appropriate risk-management approaches. (See “Cybersecurity Meets IT Risk Management: A Corporate Immune and Defense System,” BCG article, September 2014.) Other actions that companies can take include the following:
- Identify external parties that the company will need to engage in the event of an attack or breach, and determine how to reach them. At the same time, gauge the extent to which an internal security function can provide the desired capabilities for protection, detection, and response, and whether sourcing all or part of that function might be a viable alternative.
- Write, implement, and test emergency operations, business continuity measures, and disaster recovery plans.
- Run tests and establish a testing regimen to ensure continual reassessment of the company’s degree of readiness. Such testing might include tabletop simulation exercises for senior management (for example, “What would we do if our manufacturing operations in Asia were brought down by a cyberattack?”) and penetration tests performed by “ethical hackers” whom the company pays to relentlessly probe and detect weaknesses in the company’s defenses.
- Determine how the organization can ensure reliable, trustworthy governance during a breach, when elements of systems—including key communications such as e-mail and IP-based telephony—may be compromised or operators locked out of their systems altogether, as happened to the Ukraine grid operators when cyberattackers breached their system. (Companies may face even more serious threats during a cyberattack. During the highly publicized Carbanak attack of 2015, which targeted a large number of banks and reportedly resulted in an aggregate loss of about $1 billion, attackers could read company communications, view company videoconferences, and watch employees through their laptop cameras.)
- Create and test communications policies and plans (such as who is authorized to say what during an attack) so that the company’s dissemination of information stays ahead of media coverage.
- Make sure that everyone assigned a role in emergency plans is aware of and accepts that role. In our casework, we have found instances where named response managers had never heard of the company’s emergency plan or had long since left the company. Also, make sure that every individual assigned a role has an identified backup—not just during the regular work week, but on weekends, public holidays, and individuals’ vacation days.