4 steps to combat cyber attacks in a digitalized world
Hacking threats have been around for years, but growing digitalization means it's now more important than ever that organisations take steps to protect their IT systems from cyber attacks.
In my previous blog post, I explained how one of the side effects of digitalization is that it's now more important than ever for organisations to defend themselves against hacking threats.
That's not because these threats were unheard of a few years ago, nor because the rules of the security game have changed significantly in the past two decades, but because we're much more dependent on technology today than we used to be: we use it to shop, to do online banking, to carry out day-to-day tasks in the workplace, etc.
This applies to business IT systems, too: almost all functions, from communication with subcontractor networks to handling logistics, are being digitalized and managed online.
Cyber attacks have the potential to disrupt services that are critical to the normal functioning of business and society, as well as to allow our personal information to fall into the wrong hands.
So, what can organisations do to protect their IT systems from cyber criminals? Last time, I suggested that the basic rules of information security are no different now than they were 20 years ago: keep your systems up to date, educate your people, use the newest technologies to protect yourself, and ensure that you're able to respond and act if something happens. In this blog post, we'll explore what it means to follow these rules in a digitalized world.
I've broken this down into four commonly accepted steps to achieve information security readiness: predict, prevent, detect and respond.
Understand and manage your risks using this framework, and your organisation will stand the best possible chance of avoiding or mitigating a cyber attack.
Step 1: Predict
Predicting a cyber attack is not a simple task. There's no viable way for a single organisation to intercept hackers' communications and learn about the tools they're currently using, or where they plan to strike next.
This work is typically carried out by government agencies, which share their intelligence with critical infrastructure suppliers and other organisations that might be targeted in the future. It's important that organisations respond to these alerts, keeping staff informed of new hacking threats and the attack patterns they ought to be looking out for.
Additional data can, if required, be obtained from commercial, subscription-based early warning systems. However, it should be remembered that resilience to cyber attacks starts with a culture of security and risk management, and that these tools can only really provide context - if you don't understand the risks specific to your organisation, you won't be able to predict which attack vectors could bring down your systems and compromise your data.
An understanding of your business, as well as co-operation with different authorities, vendors, partners and your peers, will help you here.
Step 2: Prevent
Organisations today have a huge number of technologies at their disposal to prevent cyber attacks, many of which are mature and simple to implement. Examples include intrusion prevention systems (IPS), which are designed to detect and block malicious network activity before damage occurs; anti-distributed denial-of-service (DDoS) solutions, which protect against one of the most common threats to server availability; and identity and access management.
If you know your environment well enough to tell the difference between normal and abnormal traffic, preventative controls are often very effective. It would be a mistake, however, to think that they're foolproof - hackers are always looking for new ways to circumvent them.
As such, it's important that organisations adopt a defence-in-depth model: if cyber criminals manage to bypass one layer of security, they should still have others standing in their way before they can cause a data breach.
Of course, prevention is not only about technology, but also about implementing security measures to protect information from unauthorised use and disclosure, modification or destruction, either accidental or intentional. Security policies and security controls play an important role in this. For instance, security policies dictate how and when updates should be rolled out, and how emergency patches are applied, to keep your systems up to date.
Step 3: Detect
Detection can be carried out by endpoint security systems, such as antivirus scanners, or by other technology, like email content scanners or proxy and other network appliances. In some cases, these products and devices also take steps to prevent cyber attacks. Typically, though, while preventative controls are designed to block malicious network activity and warn you of the attempted intrusion, detection tools alert you when that activity has bypassed your defences and caused a tangible security incident such as a malware infection.
These alerts call for a quick response, as you might have limited time left to stop or mitigate a breach. And even if your endpoint security systems manage to fix the problem, you should still find out how it occurred and attempt to patch the vulnerability or apply additional controls.
Detection and prevention tools are not infallible. They won't give 100% protection against zero-day attacks, for example. As such, it's still important to educate your people about their own responsibilities: how they should act if their computer starts to behave oddly, or how they should respond to an unsolicited email containing a mysterious attachment or link. The end user is your last line of defence - if other security controls fail, awareness is key.
In particular, advanced persistent threat (APT) attacks need to be understood by employees. In an APT attack, an unauthorised person gains access to the network and stays there undetected for a long period of time. Their intention is often to steal information rather than to cause damage. Typically, the attacker utilises new methods and vulnerabilities, as well as social engineering, to gain access to IT systems, and tries to circumvent their defence mechanisms.
Step 4: Respond
Finally, in order to handle hacking threats and breaches effectively, it's not enough for organisations simply to rely on prediction, prevention and detection tools, or even on a strong security culture. It's also vital to have plans in place so that the business can respond to the unthinkable and recover from it with minimal service disruption.
Central to this is effective communication and collaboration within your organisation and with outside stakeholders, including IT vendors and business partners, but also with any customers who are affected by the problem and therefore need to be notified promptly. Additionally, it's important that your response plan isn't purely theoretical - you should rehearse it if possible, identifying any bottlenecks that might delay your return to normal service.
Positively, organisations are more likely to see the value of this kind of planning today than they were two decades ago - breaches now attract significantly more media attention, which has contributed to greater awareness of the consequences of a poorly managed security incident.
Even with the best technical controls in place, and the most security-savvy workforce, almost any organisation can fall victim to a cyber attack. You should therefore see your response plan as another opportunity to be best in class, restoring customer trust by reacting in the most efficient and conscientious way possible.
Would your organisation be prepared to act and bounce back?
Mikael Salonaho works as Chief Risk Officer in Tieto and Risk Management Director in Tieto's Managed Services. His mission is to maintain and improve risk management and security culture in the company for the benefit of both Tieto and its customers.