by Scott M. Lewis
If you think your company has experienced a network security breach, what now? What steps should you take to protect yourself and your business? According to a 2019 Villanova University study, here are some of the processes you should implement if you think (or have verified) that your systems have been breached.
Evaluate the impact and perceived purpose of the breach.
Determine the information, data, or systems the hackers were seeking. Did they manage to access and download data? If so, what is the potential damage to the company of that information being stolen, leaked or misused? To minimize the chances of data theft, limit data access to only those employees who need the information to do their jobs. Load software that limits the size of file transfers on or off your network. Eliminate the ability to load software on local machines and restrict the use of USB drives or other attached storage devices.
Rebuild security parameters and regularly change passwords, including those on attached devices such as copiers, phone systems, firewalls, routers, workstations, laptops, and service accounts.
If you believe that a breach has occurred, take the time to change individual software passwords. Many times, employees will use the same passwords across software programs and devices, which will increase your exposure. If your company has adopted Microsoft Office 365, then make sure that you also change those passwords to limit and mitigate your exposure.
Investigate the cause of the breach.
Systems will always contain weaknesses, so backtracking the potential breach is essential to identifying and implementing countermeasures for future attacks. Keep in mind that in a large percentage of the cases, a breach is going to result from a user error, such as clicking on something that shouldn’t have been clicked or visiting a website that shouldn’t have been visited. In this case, the breach can serve as a training opportunity. However, diligent employers leverage continuous training and testing to identify the weakest employees.
Work with proper law enforcement authorities; this is typically an issue that is faced by public companies or, in some cases, not-for-profits.
However, depending on the extent of the breach and the expected loss, you may need to notify the authorities. Most law enforcement departments now have cybercrime units; if your local police department does not provide those services, you may have to deal with state or federal law enforcement instead.
Check legal implications of the breach.
Although the United States has not adopted the European Union’s (EU) General Data Protection Regulation (GDPR), if you employ or work with EU companies, you may be subject to GDPR compliance. Within the United States, many individual states have now adopted more stringent legislation and regulations regarding the disclosure and management of cybercrimes, including what information you are required to provide to companies or individuals who may be affected by the breach.
Security breaches are very difficult to detect because typically, an external hacker needs internal help in some form to access your systems, and an internal threat is already in your network and has rights on your system. In most cases, this type of activity is difficult for software solutions to detect and block because it looks like regular network traffic. According to a Jolera report, the average time it takes to detect a security breach is six and a half months, and the average time to contain a breach is another 69 days. The process of detection, evaluation, and containment is slow given the time and effort needed to determine the means by which the breach occurred, the specific data to which the hacker has gained access, the extent to which anything was copied or removed from your network, and the potential harm to other companies or customers. Some software packages are now starting to leverage business intelligence to identify patterns of behavior. These software applications capture trends and manage network behaviors, such as file transfers, user login times, and other statistical data points to determine if uncharacteristic behaviors are happening on your network, which could indicate a breach.
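As an added example, not code from the article or the author's company, the kind of statistical baseline check described above: it learns each user's usual login hour and outbound transfer volume from a history window of constructed sample records, then flags recent events that fall far outside that baseline, and reports accounts with no history at all (the "unexplained users" indicator).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not real logs: (user, login hour, bytes sent out).
HISTORY_EVENTS = [  # the baseline window
    ("alice", 9, 120_000), ("alice", 8, 95_000), ("alice", 10, 130_000),
    ("alice", 9, 110_000), ("alice", 9, 125_000), ("alice", 8, 105_000),
    ("alice", 9, 115_000),
    ("bob", 14, 500_000), ("bob", 13, 480_000), ("bob", 15, 520_000),
    ("bob", 14, 510_000), ("bob", 14, 495_000), ("bob", 13, 505_000),
]
RECENT_EVENTS = [  # the window being checked
    ("alice", 3, 48_000_000),   # 3 a.m. login with ~400x her usual egress
    ("bob", 14, 500_000),       # ordinary activity
    ("mallory", 11, 1_000),     # account with no history at all
]

def build_baselines(history):
    """Per-user (mean, stddev) of login hour and outbound bytes."""
    rows = defaultdict(list)
    for user, hour, nbytes in history:
        rows[user].append((hour, nbytes))
    baselines = {}
    for user, pairs in rows.items():
        hours = [h for h, _ in pairs]
        sizes = [b for _, b in pairs]
        baselines[user] = {"hour": (mean(hours), pstdev(hours)),
                           "bytes": (mean(sizes), pstdev(sizes))}
    return baselines

def zscore(value, stats):
    """Standard deviations from the baseline mean; inf if the baseline never varied."""
    mu, sigma = stats
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma

def find_anomalies(recent, baselines, threshold=3.0):
    """Return (user, signal, value, z) for recent events beyond threshold sigma.
    Accounts with no baseline are reported as 'unknown_user' (value and z None)."""
    flagged = []
    for user, hour, nbytes in recent:
        base = baselines.get(user)
        if base is None:
            flagged.append((user, "unknown_user", None, None))
            continue
        for signal, value in (("hour", hour), ("bytes", nbytes)):
            z = zscore(value, base[signal])
            if abs(z) > threshold:
                flagged.append((user, signal, value, round(z, 1)))
    return flagged

if __name__ == "__main__":
    for hit in find_anomalies(RECENT_EVENTS, build_baselines(HISTORY_EVENTS)):
        print(hit)
```

In practice the baseline window would be rebuilt on a schedule from the real login and transfer logs, and each flagged tuple would become an alert for the IT team to investigate.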
Awareness, prevention, and monitoring are still the best options when it comes to detecting breaches. Awareness starts with learning and reporting suspicious activity, such as abnormal application behavior, which could be slowness, database errors, unexplained users, or new reports. Other indicators may include the inability to access your email or files, or redirection to a new landing page when you open your browser. These are simple problems that you will want to report and direct your IT team to investigate.
Prevention starts with having a current firewall in place and making sure that firmware and software are current on your firewall, routers, switches, and other network devices. Replace older equipment with newer models and verify that all the security parameters have been set and are active, including intrusion-detection processes. Use current operating systems on your workstations and servers and employ routine maintenance programs to ensure that your systems are patched and upgraded, with current service packs loaded. Antivirus needs to be active on all workstations, with new virus definitions distributed centrally and updated every day when users log into the network. Employ website filtering and blocking measures, including email filtering for attachments, active links, and embedded links. Use business intelligence analytics to ensure that emerging threats are identified quickly and blocked, including country and proxy blocking. Manage passwords using two-factor authentication; limit employees’ ability to load software on local machines; and use some sort of IP and DNS protections.
Proactive monitoring (which I equate to taking action when your car’s check-engine light comes on) is vital to your success. You have a choice to ignore the light or to look at the issue and resolve it. Both systems are trying to tell you something (one about your car, the other about your network), and these warnings should create action items. When it comes to identifying the existence of a security breach, monitoring is your first line of defense to determine whether something is going on and requires your attention. If you are not actively monitoring and alerting on the multitude of data points on your system, then consider doing so if security concerns you and your staff.
Security is complicated. Detecting a breach is complicated, but not impossible. However, as I always try to coach our customers, prevention and sometimes tolerating end-user noise are cheaper and more productive for your company than relaxing security. You can implement all the protection that you want. However, if you fail to train employees, build a culture of security, and monitor and update your systems on a routine basis, then you are putting your company at risk. Like most crimes, cybercrime is a crime of opportunity. Not allowing yourself to be the easiest target on the block takes effort and hard work and should be included as a “budget item” every year.
Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 36 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium, and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.