Security Stuff Happens: Where Do You Go From Here?

Despite what it may feel like when you’re in the trenches after a security incident, the world doesn’t stop moving. (Part 3 of a series.)

Even when cybersecurity investigations after an incident are ongoing and you won’t have all the answers upfront, it’s still important to communicate what you can as early as possible and as often as possible. Communication is integral to successful incident response and the endurance of a brand’s reputation. The main reason it’s important to divulge as much as possible as soon as possible is that brands can die after a security incident if a third party (such as the press or customers) was the first to break the news of the incident.

Even if you don’t have all of the answers, it’s better that any new information comes from your organization and not from the press or third-party groups. Again, show empathy and ownership every step of the way. Keep anyone who is potentially affected (customers, vendors, third parties) updated on an ongoing basis about technical findings, results, and impact. Offer these people helpful and relevant resources and support.

What Happens After a Security Incident?
Information sharing can heal even the deepest wounds; companies that are advised (by lawyers or others) to keep as much as they can under lock and key are, frankly, short-sighted. Sharing threat data and information needs to happen in a clear and concise way. With whom and how this information is shared should be discussed and agreed upon with lawyers before any major incident occurs. Don’t be afraid to share technical details and the steps your security team is taking to investigate and avoid these vulnerabilities in the future. You might consider sharing technical details such as events to look out for, CVEs, or indicators of compromise. These details are extremely valuable because they can help customers get ahead of the incident and take their own remediation steps.

Final Thoughts
Despite what it may feel like when you’re in the trenches after a security incident, the world doesn’t stop moving. If you’ve publicly announced a breach, other cyber adversaries don’t magically disappear. There are still threats looming, possibly waiting to attack your infrastructure while it’s at its weakest. After a security incident, it can be easy to forget about your defenses against everything else, so set up a system to make sure this doesn’t happen. Ensure you’re monitoring for additional nefarious activities. Make sure your team members get regular rest breaks (tired people make mistakes!). Nutrition and hydration matter just as much as sleep.

Second, it’s important to note that cyber adversaries typically don’t break in; they log in. This is certainly the case for Lapsus$ and other similar threat groups. They can compromise credentials through a variety of methods and log in to most networks and applications. Security teams should shift their focus from purely preventing credential compromise to tracking user behavior so that anomalies can be quickly identified and acted upon. Thanks to modern tools that utilize machine learning or behavior analytics layers, there is little to no burden on the analyst.
