Cyber risk has grown at a furious pace in recent years. Since 2005, there have been over 9,700 data breaches in the United States, resulting in the unauthorized exposure of over 1.5 billion records. Data breaches have resulted in millions of identity theft cases and billions spent in litigation and settlements, and cyber crimes have accounted for trillions of dollars in losses—according to Juniper Research the amount in 2019 was $2 trillion.
One report cited that last year, nearly 1,000 U.S. state and local governments, healthcare providers, and schools had been compromised by cyber attacks and held hostage to ransomware. The majority of these attacks were executed via phishing operations that took place, on average, over a 6-8 month period.
So what can you do to protect yourself when a cyber event occurs? Here is a list of best practices to employ when an attack is discovered.
Immediate Recommended Actions
- Disconnect all systems from the internet (this can be complex in some environments, so planning is important in advance of when an incident occurs).
- Immediately isolate any backups from the rest of the systems. Examine the backups in an isolated environment that is not connected to the rest of the organization’s infrastructure. Restore from that backup onto a second isolated system (a PC or storage device), and only once any infections are presumed to have been cleaned off, use that second copy to restore the rest of the systems. This keeps the original backups safe from any further internal corruption, so that multiple restore attempts can be made without risking the data on the backup system.
- All passwords, including internal IT system passwords, should be immediately reset.
- Steps 1 and 2 are the most important. When resetting passwords, keep in mind that the system or endpoint used to perform the resets must itself be made as secure as possible, since any spyware or malware present on that system could capture the new passwords.
Recommended Ongoing Best Practices
- Replacing the endpoint security product isn’t necessarily a good solution unless the original protections are proved to be lacking; the money is better spent on other security areas. If credentials have been stolen, endpoint security is easily bypassed in many cases. Constantly review current security policies, plans, and systems for improvements.
- Institute a firm user cybersecurity training policy for the organization, along with constant phishing testing. Retrain users who fail phishing tests. This is the largest risk factor in the organization, and phishing emails are getting more devious every day.
- Add multifactor authentication to all users. This makes it harder for the hacker to utilize stolen credentials.
- Third-party vendors are also a high-risk factor for organizations. If an IT company helps manage your network and that company gets hacked, you are hacked too, and the attacker immediately has admin rights to many of your systems. In addition, any outside websites that have access to your data keep you at risk.
- Initiate a penetration test and an ongoing schedule until fully remediated.
- Implement cloud backup services that protect against replicating compromised data.
- Implement data loss prevention practices.
Adopt a robust cyber security insurance policy to mitigate losses, including data breaches, business interruption, and network damage. Lastly, have on hand contact information for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
ICMA Regional Conferences Feature Cybersecurity Sessions
It's not too late to attend one of this year's ICMA Regional Conferences, which feature keynotes and networking discussions on cybersecurity risks, prevention, and recovery. Experts and other attendees will share their experiences and knowledge.