Emsisoft | Cybersecurity Blog

Before the Breach: Preparing Your Organization for Cyber Incidents

Sophisticated zero-day attacks can be intimidating. By definition, they exploit previously unknown software vulnerabilities. Discovering a new vulnerability and developing the exploit chain needed to use it requires a very high level of technical expertise, and a zero-day’s value starts to diminish as soon as it is used, so its targets are chosen carefully. This makes it unlikely that a zero-day would ever be used against an average company.

The threats most companies should be aware of are actually quite well known, but unfortunately, still alarmingly effective. This is the first installment of a two-part series on what organizations should do before and after a cyber incident. In this article, we focus on the steps organizations should take before a breach occurs to reduce the financial, operational, and reputational damage of a successful attack.

Before a Breach is Detected

Cybercrime is regularly in the headlines these days, whether it’s news about a threat actor targeting specific industries (like airlines), impacting a nation’s economy (JLR in the UK), or threatening violence (big mistake!).

Geopolitical tensions can also increase cyber risks. For example, conflicts in the Middle East may prompt retaliatory cyberattacks against U.S., Israeli, or allied organizations by nation-state actors or affiliated groups. It may seem as though most businesses stand little chance faced with the sophistication of the threats that exist.

Although most security breaches are preventable with adequate preparation, successful attacks are common and we can learn from them. How were the criminals able to get a foothold initially, and how were they able to accomplish their objectives without detection? By understanding the methods cybercriminals employ we can adapt and improve our defensive strategies.

Understand the Threats

It’s impossible to understand every threat that exists, but we can certainly identify the most active current ones. Securing the common entry points used by criminals blocks them before they can even begin. Credential theft remains the most common method of initial access, and social engineering is one of the leading ways attackers obtain credentials. Other common entry points include:

Together, these techniques account for a large percentage of successful breaches.
Because compromised credentials are such a common attack vector, organizations should prioritize protecting them.
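The paragraph above says to prioritize credential protection; the check most defenders add first is a look at their own authentication logs for the two patterns that precede most credential-based intrusions. The following Python example is added here for illustration and is not part of the original article or any Emsisoft product: it parses a constructed, syslog-like log format (the format, thresholds and sample lines are all assumptions) and flags password spraying (one source trying many different accounts inside a short window) and a successful login that follows a burst of failures from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO time>Z sshd: Failed|Accepted password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample lines for this example only; not taken from any real system.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:04Z sshd: Failed password for bob from 203.0.113.10
2024-05-01T09:00:07Z sshd: Failed password for carol from 203.0.113.10
2024-05-01T09:00:10Z sshd: Failed password for dave from 203.0.113.10
2024-05-01T09:00:13Z sshd: Failed password for erin from 203.0.113.10
2024-05-01T09:00:16Z sshd: Accepted password for erin from 203.0.113.10
2024-05-01T09:05:00Z sshd: Failed password for alice from 198.51.100.7
2024-05-01T09:05:09Z sshd: Accepted password for alice from 198.51.100.7
"""


def parse(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count unparsed lines rather than drop them silently
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events, window=timedelta(minutes=5), spray_users=5, fails_before_success=3):
    """Return alerts as (kind, source_ip, detail) tuples in the order they fire.

    password_spray: one source IP has failed against >= spray_users distinct accounts within `window`.
    success_after_failures: a login succeeds from an IP with >= fails_before_success recent failures.
    """
    alerts = []
    failures = defaultdict(list)   # ip -> [(ts, user), ...] failures still inside the window
    spray_alerted = set()          # fire the spray alert once per source IP
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [f for f in failures[ev["ip"]] if ev["ts"] - f[0] <= window]
        failures[ev["ip"]] = recent
        if not ev["ok"]:
            recent.append((ev["ts"], ev["user"]))
            distinct = sorted({u for _, u in recent})
            if len(distinct) >= spray_users and ev["ip"] not in spray_alerted:
                spray_alerted.add(ev["ip"])
                alerts.append(("password_spray", ev["ip"], distinct))
        elif len(recent) >= fails_before_success:
            # A success does not clear the failure history: the account is now the one to examine.
            alerts.append(("success_after_failures", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS)):
        print(alert)
```

The second source in the sample (one mistyped password, then success) produces no alert, which is the behaviour you want: the thresholds are there to separate normal user error from an attacker working through a password list. Tune `window` and `spray_users` to your own login volume, and feed the `success_after_failures` alert to whoever can force a password reset and MFA re-enrolment for that account.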

Multi-Factor Authentication (MFA) remains one of the most effective defenses against credential theft. However, some implementations are more secure than others. Authenticator apps are generally preferred over email or SMS-based codes, which can be intercepted through SIM swapping or a compromised mailbox. Bear in mind that a code typed into a convincing fake login page can still be relayed to the real site in real time, so phishing-resistant methods such as FIDO2 security keys and passkeys, which are bound to the genuine site, are the strongest option where they are available.

Password managers that support passkeys and single-use authentication codes also reduce the risks of password reuse and store credentials in an encrypted database rather than in a browser or spreadsheet.

Since many attacks rely on social engineering and phishing, employee awareness is equally important. Attackers frequently attempt to build trust before requesting sensitive information or login credentials. Training employees to recognize suspicious requests can stop these attacks before they succeed.

Build an Effective Defense

Cyber defenses shouldn’t rely on technology alone. Adequate protection involves people, process, and technology: implementing technology without training people or updating processes can lead to wasted investment. A risk assessment is a good starting point, because it tells you which assets and entry points matter most and therefore where each layer of defense should go.

Find and implement a cohesive, multi-layered defensive strategy that you understand and can maintain. Since the threat landscape is constantly evolving, be prepared to adapt that strategy over time: this isn’t a ‘set it and forget it’ exercise. There are many approaches you can take, and the important thing is to take a holistic one:

Develop an Incident Response Plan

Preparation must also include a clear plan for what to do when a cyber incident occurs. Keep a printed copy, with contact details, that will still be usable if (or more likely, when) systems go down. The scope of the disruption resulting from a cyber attack can’t be overstated: for many businesses it represents an existential threat.

When an incident is discovered, the situation can quickly become chaotic. A well-prepared Incident Response Plan (IRP) ensures that everyone knows:

Investing the time to prepare an Incident Response Plan (IRP) can pay dividends in terms of the time and cost of recovery. Know in advance what legal and regulatory requirements, if any, apply to you based on your industry, customers, and jurisdictions, including breach notification deadlines. Review the plan on a regular basis and exercise it so that all key stakeholders are familiar with their roles. Some examples of IRPs here:

Prepare Before It Happens

No organization wants to experience a cyber incident. But preparation dramatically improves the chances of responding effectively and recovering quickly.

Establishing strong defenses, training employees, and building an incident response plan before an attack occurs can make the difference between a manageable disruption and a devastating crisis.

Cyber incidents are not a matter of if, but when.
The question is: will your organization be ready?