The Russian hacking fiasco we’ve been following over the past weeks – hysteria, which is due to the flawed Grizzly Steppe report and subsequent haphazard news reporting – has done a grave disservice to the serious issue of national cybersecurity.
If the world is going to ever turn the corner from its current state of rampant cyber(in)security, it needs solid journalism to fully expose the woefully inadequate state of affairs and to hold governments, organizations, corporations and individuals accountable for cyber negligence and malpractice.
Journalists can help do this by making sure to ask the following key questions (with a few necessary follow-ups) whenever reporting on a major cybersecurity attack or incident.
1. When did the organization first become aware of the incident?
The delay between when organizations know about an incident and when they start talking about it is a crucial question and has surfaced numerous times. The 2016 Yahoo! breaches are a great example of serious questions about who knew what and when.
2. How long did the incident go undetected?
We know the average incident can go undetected for months – if not years – before an organization finds out. This is unacceptable. One way to incentivize organizations to investment in cyber-attack prevention and detection is to hold them accountable to a higher standard.
3. How long did it take you to contain and recover from the incident? Were additional compromises made in the time between investigating the root cause of the incident and restoring affected systems?
This is a big one. I know of numerous cases where senior managers in organizations of all types make the decision to prematurely end investigations into the root causes and full extent of an incident in order to prioritize system recovery. This often results in the destruction of necessary forensic data.
4. Was any personal information of clients, customers, employees, guests, or anyone else exposed in the incident? If not, how do you know for sure such data wasn’t?
Far too often, organizations of all kinds make blanket statements that no personal information was accessed based on either flimsy or non-existent evidence. Some rely on a standard that says unless there’s explicit evidence that data has been accessed, they will not state there’s any likelihood that such information was exposed. This comes despite the fact that many destroy such evidence in a rush to restore systems. Journalists need to challenge organizations to assert clearly why they believe data wasn’t or was accessed.
5. How did the incident start? Was it a user error, action or malicious activity? Was it the result of either unpatched servers or endpoints? Did the organization have the proper access systems (network and authentication)?
Most “hacks” start with social engineering. The DNC hack, the 2015 Ukrainian power hack, and many more start with phishing e-mails; USB key drops with malware; phone calls; or in-person visits. Others are the result of poor basic cyber hygiene and lack of investment in proper security controls, audits and staff.
6. Do you have a dedicated cybersecurity team or managed security service provider?
Many organizations aren’t investing properly in security tools and security practitioners to properly install, tune, manage and retire IT security systems. This is an issue that directly reflects the attitude of senior management and boards towards cybersecurity and shows how much – or how little – they cared for it before an incident.
7. Do you have a cybersecurity incident response plan? If not, why? If so, when was the last time it was tested and did it play a role in this incident?
A cybersecurity incident response plan is like a fire drill. It has to be practiced, re-inforced, reviewed and improved consistently. Having a thorough, tested plan at the ready is a sign of due diligence in an organization.
8. How much do you spend on information technology as a percentage of your overall budget and how much do you spend on cybersecurity?
As with having dedicated staff and an incident plan, making proper investments in cybersecurity is key to demonstrating organization commitment to cybersecurity. There’s no right answer to this question per-se but organizations that don’t know how much they spend on cybersecurity relative to their organization’s overall IT spending don’t have a mature cybersecurity program that measures effectiveness against investment. For public companies, knowing how much they spend indicates management’s commitment to taking cybersecurity seriously and not to endless boardroom conversations on the topic with little or no real action.
9. Is the senior management and board regularly advised and briefed on cyber risks?
This question speaks directly to the issue of cybersecurity governance, one of the four critical success factors to a healthy cybersecurity program in addition to culture, awareness and technology.
10. Is cybersecurity awareness training mandated for all organizational members and is the training conducted and refreshed on a regular basis?
The vast majority of cybersecurity incidents involve human error, so the best defence against cyber attacks is a well-informed, aware and engaged organizational community. A lack of a formal cybersecurity awareness program that’s mandatory for all members is a critical but all-to-common issue that demonstrates a lack of commitment to taking cybersecurity seriously.