Data breaches usually leave companies red-faced and scrambling. How should companies prepare for them? When they happen, how should businesses react? And that ever-persistent question, who’s to blame?
In our latest podcast episode, F-Secure’s principal risk management consultant Marko Buuri teams up with principal security consultant Tuomo Makkonen to answer these questions. Here’s just a sampling of what they talk about:
Breaches happen because…
Two major areas of the company, the business unit and the technical unit, are not in sync with one another. The IT guys understand the technology, but they aren’t clued into the business impacts of a breach, so their efforts are not in the right balance with the business risks. The business side understands the impacts of a breach, but they’re not in control of the technology. These two units need to engage, discuss and begin to establish a healthy risk culture.
The cyber attack companies should prepare for in 2018 is…
Companies should not prepare for just one kind of cyber attack. If you take WannaCry and NotPetya, for example, no one was expecting those particular attacks. So there’s no point in preparing exclusively for what’s already happened, or for one specific kind of attack. It’s more important to have good general hygiene, have the proper tools and processes in place, understand your threat landscape and your technology and how to protect it, and have a plan for responding in a coordinated manner.
NotPetya and WannaCry happened because…
Of course, the companies were using old software. But speaking from a risk management perspective, probably no one in the organizations that got hit knowingly accepted the risks of running old software. Rather, they either didn’t pay enough attention to evaluating the risks, or they downplayed them, assuming the exposure would be limited to certain technologies or platforms.
Companies who get favorable responses from the public after a breach do one thing better:
Good communication. They are frank and open with the public. Companies should always strive to be honest about what’s going on and to give frequent updates, even if they don’t fully understand the scope of exactly what happened or how.
The attackers companies need to worry about are…
Tuomo’s take: You don’t necessarily need to worry about WHO the attackers are, because you cannot foresee that anyhow. Rather, start from the assumption that you are already hacked, and plan your capabilities based on that.
Want more? Listen to episode number 3 of Cyber Security Sauna, where Tuomo, Marko and Janne talk about who’s to blame, how attackers may be going after something different than what you’re trying to defend, and why you should “fix the roof when it’s not raining.”