Vincent Geffray is Senior Director of Product Marketing with focus on IT service alerting, IT team collaboration and process orchestration at Everbridge.
When it comes to cybersecurity, it’s all too easy to focus only on prevention.
Don’t get me wrong. Securing your critical systems and data is job one for any Chief Security or Chief Information Security Officer. That means deploying everything from firewalls to intrusion detection systems to end-point security and monitoring it continuously and effectively.
But the hard truth is that you’re playing defence and the hackers are playing offence. To win, the hackers only need to get an attack right once. To win, you need to get your defences right every time. With technology like automated botnets that can launch thousands of attacks a second – not to mention users who click on malware-filled emails – the odds are that an attack will get through at some point.
That’s why, when Tracy Reinhold, chief security officer of Everbridge, is asked what the biggest security threat corporations face is (as he recently was when interviewed on Bloomberg), he says it’s the lack of effective internal and external communication before, during and after an attack.
Let’s tackle these one by one.
Before an Attack
All the technology in the world won’t prevent an attack if your employees are not fully trained on security awareness, because they remain your first line of defence. It is the security team’s responsibility to train employees and publish best practices around spear phishing (the use of fraudulent emails aimed at specific users to launch an attack) so that they know how to recognise suspicious emails, links and attachments which can harm your systems. Yet people are by nature trusting, and in today’s work environment they’re also busy. Add those two things together, and they’re too likely to assume an email is safe rather than taking the extra few seconds to see if the email address looks fishy. Those split-second decisions can open your most critical systems to attack no matter what security technology you’ve deployed. This is especially true when you remember that, according to recent research from TechWorld, 91 percent of cyberattacks start with a spear phishing email.
That’s why proactive and sustained education around security risks is so important. Hackers are constantly refining their “phishing” techniques to trick users, and you need not only to alert users to the latest threat but also to remind them to keep security top-of-mind on top of all their other work. While it isn’t a cure-all, keeping users from making damaging mistakes is a big win. Chief Information Security Officers need buy-in from their C-suite to ensure executives understand the risks to the business and the significance of developing a proactive strategy and backing education programs not just with funding, but with their own personal example of practising safe computing.
During an Attack
The second big area where a lack of communications can hurt is during an attack. That’s because trust is such a vital part of how customers and business partners think about your business. With every new headline about privacy and data breaches, any failure to protect your systems and data becomes more damaging to your organisation and brand.
A coordinated, effective response can make the difference between a breach being a minor speed bump or a major hit to your brand or market value. For example, lack of adequate, proactive and prescriptive notification to all employees can drastically increase the damage from an attack by compromising even more IT equipment as employees link their laptops to the company network. Organisations may also need to establish alternate communications platforms, disconnected from the company’s infrastructure, for use during an attack if their regular telecommunication network and email systems are compromised. While quick and targeted communication with the relevant IT experts will be key, don’t forget you may also need frequent updates with management, legal, marketing, key stakeholders and partners to comply with regulations governing data privacy and security reporting.
After the Attack
Those organisations that handled communications well after a breach suffered only small fluctuations in stock price and customer confidence. Those that couldn’t get the message out, or bungled the message, suffered far greater and longer-lasting damage.
A successful post-attack communication plan must describe what happened as honestly and completely as possible, explain what was done to make things right for all affected parties, and (as soon as possible) explain what is being done to prevent a recurrence. Thinking all that through in the middle of a crisis is a big challenge. Having a response plan in place, and a communication system to alert all the players, gives you a vital head start if an attacker gets through.
All Hands on Deck
Creating a culture of security to help prevent breaches requires input and engagement from IT, HR, marketing, facilities, and anyone else regularly involved in managing your systems. In the event of a breach, you need to be sure all these players (and more) are clearly identified along with their skills, location and availability and are ready to perform critical functions. They shouldn’t be just names on a contact sheet.
You can’t control how hackers will try to defeat your technology and fool your users. But you can tilt the playing field in your favour with fast, effective, coordinated communications before and after the event. That’s why we at Everbridge put so much time and effort into making security communications fast, efficient and effective. It’s also why Everbridge joined the Advanced Cyber Security Center, a member-driven non-profit organisation whose mission is to harness the power of collective resources to strengthen cyber defences, develop security talent, and advocate for well-informed public policy.
About the author
Vincent Geffray is Senior Director of Product Marketing with focus on IT service alerting, IT team collaboration and process orchestration at Everbridge. He has over fifteen years of experience in the IT operations and service management space, with expertise in critical communications, IT service alerting, application performance management, IT process, runbook, and workload automation. Vincent holds an MS in mechanical engineering and computer science and 2 certificates from MIT Sloan School of Management, and has international experience, having worked in Europe and in North America.