So your company’s been hacked: How to handle the aftermath
- 26 August, 2016 00:36
After a company has been hacked and the hack has been discovered to be a harmful one, top executives and IT leaders normally huddle in a room to assess the loss.
It's usually not a pretty scene.
It's not as if heads are exploding. It is more like what some might call a tense "come to Jesus" moment.
"It's not good," said cyber security expert Tyler Cohen Wood. She's participated in post-hack forensics sessions at companies and has witnessed the faces of panicked executives firsthand.
"People are scared, and a lot of times they don't even have logs of what happened in the hack and they still have to get the company up and running," Cohen Wood explained. "They have to have help as much as possible and [they have to] work quickly."
Cohen Wood is currently cyber security advisor for an online learning provider, Inspired eLearning, but has been part of cyber incident response teams in previous jobs. Before her current role, she spent 13 years as a Defense Intelligence Agency senior intelligence officer and deputy division chief for cybersecurity.
"I've never personally been hacked, but I've been through the trauma of incident response at companies to help them with their trauma," she said. "I understand the pain. People are worried about how to fix it and what to do. It's a terrible thing to go through. It's the feeling you have when something personal is stolen, but much worse -- that feeling of being vulnerable."
Those kinds of insights have influenced her blogs, presentations and curriculum materials to help companies protect against cyber attacks and beef up their cyber security.
In an era when private-sector and government cyber attacks are reported daily, Cohen Wood is worried that apathy has set in. In that sense, it helps to reflect on how it feels when a company gets hacked.
"Companies are getting hacked left and right. When you get to the point where every day you read about another major company getting hacked and your reaction is, like, 'OK,' then that's a really, really big problem. People are apathetic about cyber security. We have a serious problem.
"It's not like we use devices only as a tool. They have become part of daily life and we rely on them. We have shifted to where we have so many different types of systems -- from banking to healthcare to transit and the power grid."
Cohen Wood believes companies need to educate workers about cyber threats and that IT shops need to assiduously stay on top of cyber threats with a shed of tools. She's also concerned that the major university computer science programs in the U.S. are failing to do nearly enough to prepare IT workers and coders with cyber security courses.
"As we move to everything being connected in an internet of things world, these devices need to be coded securely ... As hackers get better and better and we have a generation with less training in security, we have a big problem."
Cohen Wood said her advice to average workers is to make sure they are involved in some type of security education program, just to understand the cyber threats. "You have to be very cognizant that what you post on your social media about yourself or your company doesn't make it easy for somebody to piece together a pattern about your company or your kids that can later be compromised. When you get a device, like a smartphone, really look at the risks, change the default password, read the terms of service and update it when attacks come out."
For IT executives, she advised: "You have to be better than the hackers. Along with education, you have to get support from the C-level. You also have to have good cyber monitoring systems in place and procedures so that if something goes wrong your employees know what to do. Remember, a hacker just has to find one way in, while the security admin has to know all of them. If you are not keeping security logs or staff doesn't know how to escalate a response, you have a problem."
And Cohen Wood repeats the oldest lesson from the IT playbook: "Make sure you have backup systems and have tested them. Make sure the sensitive data is segregated and not easily reachable and is 100% encrypted and in compliance with federal regulations, like HIPAA and PCI."
Generally, Cohen Wood advises companies to recognize that hackers have moved from going after faulty code to attacking humans through targeted attacks or phishing attacks. That means that anyone who touches a company network -- from the interns to the vendors -- needs to be educated on all the threats.
Workers need to be segregated so that those who don't need to know certain things do not get administrative privileges, she added. A recent survey by the Ponemon Institute found that 62% of 1,371 end users said they had access to company data that they probably shouldn't see.
"The security situation is not hopeless, but we do have to get better," she said. "We need to work together and educate. An executive can't say, 'It's not my problem, that's IT's problem.' "
Cohen Wood conceded, however, that the emergence of quantum computers means that hackers will indeed be able to break tough encryption in coming years.
While Cohen Wood advises using encryption today, she said it might be rendered ineffective in a decade when powerful quantum computers will be put to use.
Quantum computers mean "the things you say online that are 100% encrypted today might not be tomorrow. Something secure now in 10 years is not going to be. You have to stay updated with the trends, especially if it's your job. Things are not hopeless, but do keep in mind that someday what you put out there may not be private."