The stats are alarming: two-thirds of large businesses experienced a cyber-breach or attack in 2016, according to Government research, while Accenture reports that two-thirds of companies globally face significant cyber-attacks on a daily or weekly basis.
Given the apparent prevalence of cyber-attacks in the private sector, you'd expect businesses to be well prepared, up to the task of defending themselves against hostile forces online. Not so – the Government's 2016 cyber-security breaches survey found that only about a third of firms surveyed had cyber-security policies in place, and that only 10 percent had an incident management plan.
This lack of preparedness is alarming, especially given that one recent poll puts the annual cost of cyber-security incidents to UK firms at £34.1 billion. Cyber-attack mitigation and cyber-attack preparedness are two very different things: conducting regular, full security reviews of all your applications and infrastructure, including implementing fixes for the issues discovered, is a huge project for your business; having a basic plan in place in the event of an attack, however, is hardly an onerous task.
Get a plan together
You can't predict when your business will come under attack, whether that be from a virus, a DDoS attack, phishing or malware. You must assume you're always under attack and at some point you are going to be breached. Therefore, you need to have a strong recovery plan: for example, it's not enough to simply make regular backups, you also need to run tests to make sure you're actually capable of restoring your systems from those backups.
Something as simple as a checklist can be helpful here. When suffering from an unexpected event, people are liable to become stressed and forget basic tasks. To mitigate this situation a company must create a list of essential actions that need to be taken during/after an attack. This is a good opportunity to think through the avenues of attack and conduct simulated incidents so you can dry run your responses.
As an example, a DDoS attack might first show up as a monitoring alert indicating that your application is slow. You need to ensure the right people are available as part of your on-call rotation, that they know how to diagnose the alert, and that once the DDoS is identified they know how to respond. Depending on the size of your team, this may involve notifying key team members and triggering support from security vendors. Everything needs to be documented, responsibility assigned and the plan executed step by step. Everyone needs to know what their job is.
It's also important to maintain open and clear communication. If your response teams are not properly briefed, then your internal key stakeholders and customers will become confused, and your company will suffer an even greater loss of trust than it otherwise might have.
Remember: your IT staff are only human
It sounds obvious but far too many people forget it. Behind every system, from a startup's website to a behemoth enterprise CMS, is a team of IT workers to whom the responsibility falls whenever that system breaks.
Humans can make mistakes: a recent high profile example of this is Amazon's catastrophic AWS S3 outage, which we now know was caused by human error. Sysadmins are not “superheroes” – they are vulnerable to stress and fatigue just like everyone else. A cyber-attack will, by nature, place enormous amounts of stress on your IT workers, and it's important to counteract this potential strain with some general awareness campaigns.
Adopting HumanOps principles can help: by recognising that humans are the ones who build and fix systems, and that humans are fallible and subject to emotion, businesses will be able to adjust their expectations for their employees, make them more productive and help improve their individual experience with life on-call as a result.
Site uptime isn't the only metric
Too many businesses rely on basic site uptime as the metric to track for assessing the security status of a website. In reality, when under attack, far more subtle things can happen to a website than it simply being taken offline.
Website defacement, where a part or the whole of a website's content is changed by external intervention, is a type of cyber-attack on the rise in recent years. For example, Google Brazil was defaced by a lone hacker earlier in the year, showing that no one is immune from this type of embarrassing attack.
To guard against this type of activity, it's best to invest in monitoring tools which tell you more about your page than simply whether it exists or not. For example, you could monitor specific page text or images, such as the logo, and be sent an alert if that asset changes unexpectedly.
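One way to implement that kind of content check, as an added illustration rather than code from the author or from Server Density: record a baseline of the page title, a few expected text fragments and a hash of the logo, then compare each fresh fetch against it. The site, HTML and logo bytes below are constructed sample data; a real monitor would fetch them over HTTP and raise an alert whenever the findings list is non-empty.

```python
import hashlib
import re

# Constructed sample data for this example: a known-good copy of the page and its
# logo, captured when the site was last verified.
BASELINE_HTML = (
    b"<html><head><title>Acme Widgets</title></head><body>"
    b'<img src="/logo.png" alt="Acme logo"><h1>Welcome to Acme Widgets</h1>'
    b"<p>Contact: sales@acme.example</p></body></html>"
)
BASELINE_LOGO = b"\x89PNG constructed logo bytes"
EXPECTED_TEXT = ("Welcome to Acme Widgets", "sales@acme.example")


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of an asset; any byte change alters the digest."""
    return hashlib.sha256(data).hexdigest()


def page_title(html: str) -> str:
    """Extract the <title> text, or an empty string if the tag is absent."""
    match = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return match.group(1).strip() if match else ""


def check_page(html: bytes, logo: bytes, baseline_title: str,
               expected_text, logo_hash: str) -> list:
    """Compare a freshly fetched page and logo against the recorded baseline.
    Returns a list of human-readable findings; an empty list means no change."""
    findings = []
    text = html.decode("utf-8", errors="replace")
    title = page_title(text)
    if title != baseline_title:
        findings.append(f"title changed: {title!r}")
    for marker in expected_text:
        if marker not in text:
            findings.append(f"expected text missing: {marker!r}")
    if fingerprint(logo) != logo_hash:
        findings.append("logo asset hash changed")
    return findings


def run_check(html: bytes, logo: bytes) -> list:
    """Convenience wrapper bound to the constructed baseline above."""
    return check_page(html, logo, page_title(BASELINE_HTML.decode()),
                      EXPECTED_TEXT, fingerprint(BASELINE_LOGO))


if __name__ == "__main__":
    # Constructed altered copy: title replaced, welcome text removed, logo swapped.
    altered = BASELINE_HTML.replace(b"<title>Acme Widgets</title>", b"<title>Changed</title>")
    altered = altered.replace(b"<h1>Welcome to Acme Widgets</h1>", b"<h1>Site offline</h1>")
    print(run_check(BASELINE_HTML, BASELINE_LOGO))   # [] -> nothing to alert on
    print(run_check(altered, b"different logo"))     # three findings -> raise an alert
```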
These suggestions are much more than “common sense” – when facing a security breach many things that seem obvious become much more difficult to execute in the moment. It really pays to do the preparation work before a breach is reported, and ensure that processes are as explicit and codified as possible to reduce confusion in the flow of events. It may not be possible to escape cyber-attack, but it certainly is possible to tackle the after effects of one with anticipation, expertise and professionalism.
Contributed by David Mytton, founder and CEO, Server Density
The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.