If you grew up on the ocean and around boats, chances are you learned how to swim at a very young age. And like Jack Healey, CFE, CPA/CFF, CEO at Bear Hill Advisory Group, you might have even taken water safety courses. “Included in every water safety course I completed was a section on ‘what happens if you wind up in the water and you’re not able to swim,’” said Healey in his breakout session, “We’ve Been Hacked! Now What?” at the 29th Annual ACFE Global Fraud Conference. "Whether it was due to injury, fatigue or lack of ability given the conditions, we’d learn techniques to survive. Think of what you’re going to learn here as being along those lines. The reason why you or your organization were compromised will dictate your initial actions.”
Man overboard! You’ve been breached
“Man overboard!” This is the initial notification that someone has fallen into the water. Usually there’s a splash and hopefully someone who has seen it alerts the crew. But according to Healey, in cybersecurity, we’re not always that fortunate.
The most common breaches today are:
- Misuse of company data by an insider or partner
- Distributed Denial of Service (DDoS)
- Social engineering: business email compromise (BEC), spear phishing and phishing
- Amazon A3 configuration errors: Cloud services aren’t configured correctly
- Poor hygiene, i.e. using the same password over and over again
But where is the “splash,” or the alert that you’ve been breached? Healey explained that only in ransomware will there be a “splash.” You’ll instantaneously know that you’ve been breached. Otherwise, there could be indicators, red flags or warning signs. “The more people within your organization who are trained to recognize cyber indicators, especially those associated with their specific job function, the earlier you will detect fraud,” said Healey.
Healey’s first piece of advice when you’re notified of a breach — by your merchant card provider, customers, suppliers, law enforcement, help desk or IT department — is not to panic. “Just like our swimming analogy, thrashing around only makes you sink faster,” he said. “The same is true in cybersecurity. First, we must tell our stakeholders that we’ve been breached. Second, focus on how it happened.”
Healey outlined his BREACH action plan:
Be organized. Don’t go all-hands-on-deck. Even while the company addresses the crisis, business should continue as usual. Articulate roles and responsibilities clearly, normally into three groups: technical leadership, management level leadership and executive management leadership.
Reach out to the professionals. As you organize your team, reach out to five groups of professionals: 1) cyber insurance carrier, 2) legal counsel with cybercrime experience, 3) forensics, 4) crisis communications and 5) law enforcement.
Establish rules for the team. First, identify who can speak for the company, both internally and externally. Then, detect, analyze, contain, eradicate and recover. Blame and causation are not on the agenda! And expect intellectual honesty and candor from all team members.
Act — go tactical. Within the first 48 hours of discovering a breach, you should:
- Freeze everything. Take effected devices offline, but don’t shut them down or make changes yet. The goal is to stop ongoing activity.
- Ensure auditing and logging is ongoing. If auditing has been disabled, to cover someone’s trail for instance, restore it before proceeding.
- Change passwords or lock credentials.
- Ask questions to determine the impact.
- Set regular, timely updates. This allows people to do their jobs, but plan for updates.
- Protect the team. People who need a break should be told to stand down for a while. “I once heard a CISO speak at a conference and she said after 40 straight hours she sent the lead a note that said, ‘Can anyone buy a girl a hamburger?’ No one had thought to feed the team!” said Healy.
Control the process. Make certain that your views are heard and incorporated into any strategy. Ask if there are pros and cons to the suggested course of action. Listen carefully for underlying assumptions.
Harbor — get to safety. “Once the breach is remediated, we have to look at the impact on our stakeholders and notify them, if required,” said Healy. “We need to communicate honestly and carefully and only tell them what we know, not what we hope.”
Once you’re huddled in a blanket, you’re dry and on shore, reflect on what you’ve learned. Survival is the goal.