Emergency onboarding: what to do before and after a data breach

Akamai Technologies

By James Richmond, Regional Director ANZ, Akamai Technologies
Thursday, 09 May, 2024


Australia continues to suffer from seemingly endless cyber attacks impacting both small and large organisations across numerous industries.

The Australian Signals Directorate’s Annual Cyber Threat Report 2022–23 shows that the agency received nearly 94,000 cybercrime reports, up 23% from the previous financial year. Australia also ranked seventh among the top 10 countries in Asia–Pacific and Japan with the highest percentage of web attacks targeting APIs, according to the Lurking in the Shadows: Attack Trends Shine Light on API Threats report. This shows that attackers are becoming bolder as they find ways to gain unauthorised access to systems, disable them or potentially harm intellectual property.

The Australian financial services sector in particular has become vulnerable to web and API attacks. Both are currently the top concern among businesses due to their increasing frequency and sophistication. There is also an alarming rise in distributed denial of service (DDoS) attacks, which can seriously disrupt network servers and result in millions of dollars in lost revenue for businesses. Banking and financial services tend to be the prime targets for cybercriminals — but no organisation, no matter how large or small, can be truly safe from attackers without robust infrastructure and adequate planning.

Despite best efforts to shore up their cybersecurity defences, many organisations are breached. If your business is under attack or network defences have been penetrated, all is not lost. Emergency onboarding can come to your rescue to help secure critical infrastructure and get your business up and running.

Below are five tips for organisations before and after they’ve been breached.

1. Have a playbook

Having an incident management playbook that outlines what to do and who to contact when a breach occurs is critical. It should set out roles, responsibilities and the response plan needed to manage any attack swiftly.

The playbook should be a live document and effective in real time with real-life scenarios — conducting regular attack drills tests its robustness and ensures everyone knows their role in an emergency.

2. Prepare for future attacks

Prevention is key when it comes to cyber attacks. Many organisations tend to rest on their laurels when it comes to cybersecurity, ignoring the warning signs until it’s too late. Monitoring for suspicious activity, regularly updating software and investing in ongoing staff training can greatly reduce the likelihood of attackers infiltrating IT infrastructure. When investing in data protection and security, consider a partner that offers comprehensive cloud security solutions rather than a one-time fix. This will ensure that the entire business ecosystem is adequately prepared to detect, contain and recover from a security breach.

Below are some key steps organisations can take to prepare for future attacks:

  • Gain visibility into your critical applications, data and their dependencies.
  • Research common threat actors and their tactics, techniques and procedures (TTPs).
  • Discover and catalogue APIs and conduct API vulnerability testing and risk assessments.
  • Implement specialised API security tools.
  • Adopt a blanket set of API policies that can be used consistently across the organisation.
  • Update phishing defences to account for multi-factor authentication (MFA) bypass techniques and fake phishing websites, and cut the ransomware kill chain.
  • Stop lateral movement and implement a zero trust architecture.
  • DDoS preparedness should be based on an ‘always-on’ mentality. Financial institutions should evaluate their attack surfaces in the context of the evolving threat landscape.
  • A superior bot mitigation solution will permit the activity of good bots while blocking malicious activity and botnet attacks. Even good bots need to be managed, especially if your site has significant human traffic.
  • Execute frequent attack drill scenarios to ensure operational readiness, with an emphasis on internal and external communication plans, in the event that cyber resilience or service availability is compromised.

3. Identify and isolate the threat

In the pandemonium that follows a breach, it’s easy to lose focus while trying to secure all endpoints. This knee-jerk response is natural but could cause more damage, especially if you don’t work quickly to disconnect compromised accounts. Instead of panicking, isolate the attack vector and identify the minimal critical resources for onboarding rather than making everything a priority.

Organisations can embed this strategy in their response planning to quickly contain a threat and prevent multiple breaches in future.

4. Secure your infrastructure

Once you’ve isolated the threat, secure your systems. When you’re under attack, traditional security infrastructure will only buy you time. Investing in more robust defences, however, could determine whether your security perimeter holds. It may seem like an expensive investment, but it’s one that is better to have than not. Think of it as an insurance policy that you will hopefully never need but would rather pay for just in case.

Remember that securing infrastructure also involves protecting all endpoints — and that includes your customers who could be based in different countries.

5. Harden security systems

Many organisations don’t harden their security systems and infrastructure at regular intervals. This could be as simple as ensuring all devices have the latest security software or that all passwords are updated regularly.

There are numerous instances of customers disregarding certain protocols, which can have disastrous consequences. Investing in purpose-built solutions that offer hardened security systems can prevent cybercriminals from exploiting vulnerabilities.

Conclusion

The risk of cyber attacks is higher than ever. Organisations that are on the front foot and have an emergency onboarding plan are better positioned to get their business back up and running quickly in the event of a data breach, minimising financial and reputational damage. It’s no longer a question of if a breach will occur but when, and organisations need to be prepared to act.
