The 5 stages of discovering a hack in your IT environment

June 20, 2018 | 5 minute read



If you’ve never experienced a hack on your IT environment, consider yourself lucky. No matter who you are, there are some universal feelings associated with this experience. First, there’s an OH $#!+ moment, when you realize you’re staring down a steganography or ransomware attack. Next, you’ll spend a lot of time and energy on cleanup—an average of 66 days.

There’s more to healing from a cybersecurity incident than simple upgrades to your endpoints and processes. In fact, breach recovery has a bit in common with the five stages of grief. To be clear, getting hacked is not the same as grieving; however, there is value in developing a framework to help IT pros respond productively to a post-data breach disaster. Here’s how to find your way out of the darkness.

Stage 1: Denial

This couldn’t possibly be happening. Not today.

The depths of your denial depend on how you discover a breach. Privacy expert Bob Anderson defined the following four categories on Quora:

  1. Internally, as it’s happening, due to alerts or log reviews.
  2. Internally, after it happens, due to something like a ransomware demand.
  3. Externally, due to a public relations disaster or law enforcement agency tip.
  4. Externally and never, since the breach is never fully discovered.

It goes without saying that the mixture of shame and denial you experience if your customer’s data is published on the web or an enforcement agency tips you off is the absolute worst. But you’re not the only one experiencing this unique form of full-body cringe: Verizon says 27 percent of IT environment attacks are discovered by third parties.

Stage 2: Anger

What kind of twerp would dare attack your IT environment? After all, you’ve got pretty good endpoint protection, and it’s not like your company deserved it.

In the early stages of breach recovery, there are a lot of unknowns, and it’s natural to feel angry toward the script kiddies who breached your environment with malware they didn’t even code themselves. Or maybe your anger is directed internally. On Quora, Clayton Badeaux admits he’s been at the helm of IT and security when a known issue was exploited and experienced anger because:

“A number of times, it was InfoSec or IT that got thrown under the bus for the problems we knew about and reported, but that management didn’t particularly want to allocate money or resources to deal with.”

If you couldn’t get the budget to fix a known issue and your boss’s boss is blaming the IT team for the problem, you’ve got every right to feel a little peeved.

Stage 3: Bargaining

If I patch every known problem, maybe this will never happen again. A better firewall might fix our security issues. If I pay the ransom, the issue will just go away for good.

While it would be nice if you could cut a deal with hackers, remember the wolves of the world are rarely rational and only motivated by greed. Symantec’s Robert Shaker writes on Quora that, in the early days of ransomware attacks, many companies and customers tried the bargaining approach, but it never worked:

“[They] soon realized just how bad a decision that was when the attacker either made a second demand or didn’t fulfill their side of the bargain and deliver the keys.”

You know what bargaining with Ransomware as a Service hackers actually gets you? A spot on a list of known payers and a lot more ransomware attacks. Cha-ching.

Stage 4: Depression

Heading to work after a data breach may not feel the same as usual. You may feel beyond bummed out about your future as a security pro. Have the hackers won? Is there any point? Maybe you should just make that career change you’ve fantasized about and try to become a professional poker player.

Stage 5: Acceptance

Acceptance is not the same as deciding that everything you’ve experienced is okay or fine, according to grief expert Elisabeth Kübler-Ross. She writes that this stage is, “recognizing that this new reality is the permanent reality.” In a post-breach IT environment, acceptance is the healthiest response of all.

There’s a good chance you’ll experience a breach at some point, but working your way through the five stages allows you to learn from the experience and take some of these corrective actions:

  • Be aware of ransomware. Steganography is soaring, so your entire company needs to be on high alert for suspicious attachments. While you’re at it, don’t let yourself put off software updates for any reason. Better yet, adopt cloud apps and endpoints that automatically run updates for you.
  • Control the future spread of infection. Simulating phishing attacks continually could reduce the chances of your colleagues getting speared. Since human error is inevitable, segregate the heck out of your networks to control the spread of infection between devices if you get breached again.
  • Do your DDoS work. Having services and tools to detect and mitigate DDoS attacks is the first step. Routinely test the limits of these solutions to make sure they don’t fall down or fail when it counts.
  • Watch your accounts carefully. Eighty-one percent of breaches involve password theft or abuse. Automate account monitoring to watch for key signs of attack, including privilege escalation, usage monitoring, and red flags, like massive data transfers by your users.
  • Protect your endpoints. Wouldn’t it be nice if you could reduce your attack surface by setting a one-device-per-user policy? Well, you can’t. Your attack surface is massive, but you can reduce its weaknesses by investing in endpoints engineered for security, like HP business printers that monitor for attacks and self-heal during breach recovery.

Getting hacked feels horrible, so it’s only natural to respond with denial, feel angry, or want to bargain away the problems. Reaching acceptance doesn’t mean believing the incident was okay; it simply means preventing future incidents with more secure office IT endpoints and better policies.
