Whenever a major cybersecurity incident occurs, there are two things everyone asks: could it have been prevented, and what did the victim of the attack do to minimise the damage? The left side of that equation, prevention, is critical and is often the focus of cybersecurity strategies. This is hardly surprising, with the Australian Cyber Security Centre receiving reports of a new cyberattack every eight minutes – a rate that has been accelerating annually.

But the right side, how you react, is equally important. In a world where even the best-equipped organisations are asking when, not if, they will be attacked, security strategies mustn’t have blind spots that leave them vulnerable to damaging attacks. In a recent survey conducted by Elastic, just a third of IT leaders described their security strategy as having a genuine mix of prevention and incident detection and response controls. Yet preventative security measures remain the higher priority for those organisations.

Avoiding a cyberattack is almost impossible. Many threat actors are well-resourced, skilled and motivated. Making yourself a less attractive target by having strong preventative controls in place and having a layered strategy that frustrates attackers can mitigate the risk of an attack. In addition, most attackers are financially motivated. Becoming a harder target minimises the return on investment for the attacker.  

The effects of a cyberattack can be devastating. For example, when Mondelez was hit by the NotPetya ransomware attack in 2017, the company wrote off more than $100M in a quarter and had to postpone a major acquisition. And data from the USA’s Securities and Exchange Commission has found that 60% of Small to Medium Enterprises (SMEs) hit by a cyberattack collapse within six months of the attack.

We are no longer in a set-and-forget world 

Networks and applications constantly change. Service providers continually add new features and configuration options. As a result, organisations might fall victim to ‘configuration drift’ as new settings offer new security options and old ones are made redundant or, worse, leave systems vulnerable to attack. Even on-prem systems can feel the effects of configuration drift as patches and software updates add new options to better secure system access and data.

Gartner says 99% of cloud security failures will be the direct consequence of misconfiguration. Some of that will be due to the complexity of options as technology practitioners struggle to understand the nuances and interactions of different configuration items. But there’s also a further challenge as new services and options appear and are left at their defaults rather than being correctly configured. 
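The check a drift monitor performs is simple to state: compare the configuration you reviewed and approved (the baseline) against what the service actually has today, and treat settings that changed, settings that disappeared, and options that newly appeared at a provider default as three separate findings. The following Python sketch is an added example, not code from the original article or from Elastic; the storage-bucket setting names and values are constructed for illustration and do not correspond to any particular provider's API.

```python
"""Baseline-versus-current configuration drift check (added example).

The BASELINE and CURRENT dictionaries are constructed sample data standing in
for a reviewed configuration and a snapshot pulled from a cloud provider.
"""
from dataclasses import dataclass, field

# Constructed baseline: the reviewed, approved settings for one storage bucket.
BASELINE = {
    "public_access_block": True,
    "encryption_at_rest": "aws:kms",
    "versioning": True,
    "logging_enabled": True,
}

# Constructed "current" snapshot. Two kinds of drift are present: an approved
# value has changed, and a new option has appeared that nobody has reviewed
# yet, so it sits at whatever the provider chose as the default.
CURRENT = {
    "public_access_block": False,   # changed from the baseline
    "encryption_at_rest": "aws:kms",
    "versioning": True,
    "logging_enabled": True,
    "object_lock": "disabled",      # new option, left at the default
}


@dataclass
class DriftReport:
    changed: dict = field(default_factory=dict)     # key -> (baseline, current)
    removed: list = field(default_factory=list)     # in baseline, missing now
    unreviewed: list = field(default_factory=list)  # in snapshot, not in baseline

    def has_drift(self) -> bool:
        return bool(self.changed or self.removed or self.unreviewed)


def check_drift(baseline: dict, current: dict) -> DriftReport:
    """Compare a reviewed baseline against a live snapshot.

    Changed and removed settings are classic drift. Keys present only in the
    snapshot are the 'new option left at its default' case: not wrong by
    definition, but never reviewed, so they are surfaced for a human decision
    and then folded into the baseline either way.
    """
    report = DriftReport()
    for key, expected in baseline.items():
        if key not in current:
            report.removed.append(key)
        elif current[key] != expected:
            report.changed[key] = (expected, current[key])
    report.unreviewed = sorted(set(current) - set(baseline))
    return report


def format_report(report: DriftReport) -> list[str]:
    """Render findings as one line each, suitable for a ticket or a log sink."""
    lines = []
    for key, (expected, actual) in sorted(report.changed.items()):
        lines.append(f"CHANGED    {key}: baseline={expected!r} current={actual!r}")
    for key in sorted(report.removed):
        lines.append(f"REMOVED    {key}: in baseline, missing from snapshot")
    for key in report.unreviewed:
        lines.append(f"UNREVIEWED {key}: new option at default, needs a baseline decision")
    return lines


if __name__ == "__main__":
    result = check_drift(BASELINE, CURRENT)
    for line in format_report(result):
        print(line)
    # Non-zero exit lets a scheduler or pipeline treat any drift as a failure.
    raise SystemExit(1 if result.has_drift() else 0)
```

Run on a schedule against each service's live settings, the interesting design point is the third category: a provider shipping a new option is exactly the situation the paragraph above describes, and a monitor that only diffs known keys will never see it. Reporting unreviewed keys separately forces the decision to be made and recorded in the baseline rather than left to the default.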

On-prem systems aren’t to be ignored either. Ensuring your organisation has a robust patching and updating system for all endpoint devices – this includes networked printers, lighting systems and IoT devices – is critical so that they don’t drift into a vulnerable state.

Many organisations don’t know where their Crown Jewels are   

The proliferation of software, platform and infrastructure services delivered over the cloud has led to a significant sprawl in where corporate data is stored. The days of the corporate Crown Jewels being stored in a single server or data array in a locally hosted data centre are well behind us. Businesses rely on cloud services more than ever. With risk being a function of the likelihood and impact of an incident, each new data location increases the risk of a breach.

Enterprises, government departments and agencies, and even SMEs need to identify their critical data, create and maintain an inventory or register of that data and ensure they have appropriate protections in place to mitigate the risk of an attack. With organisations now subject to many different regulations, such as the Notifiable Data Breach rules, Australian Privacy Principles and critical infrastructure legislation, knowing what data you have and ensuring you have both preventative and reactive plans to protect it are critical.  

The impact of cyberattacks is often underestimated

A cyberattack does more than disrupt access to systems. For example, a ransomware attack affecting 1000 systems may require a ransom payment to obtain a decryption key for your data. But the effort to apply 1000 different keys to 1000 machines will likely inflate the cost of remediation significantly. In many cases, ransomware attackers exfiltrate a copy of that data before encrypting it and threaten to release it onto the Dark Web or into the public domain to incentivise payment.

Continuous monitoring for anomalous activity is vital. The 2022 Verizon Data Breach Investigations Report found that the average dwell time – the time between when an attack is launched and its detection – has remained between 85 and 100 days for several years. While that can be seen as a sign of failure, it is also a window of opportunity to stop an attack shifting from an annoyance into a major incident.

An effective security strategy includes both the left and right sides of the cybersecurity equation. Preventing an attack starts with understanding your most valuable assets – what and where they are – and putting appropriate measures in place to mitigate the risk of an attack. That includes setting policies so that configurations are monitored, new services are compliant, and new security options are recognised and correctly configured.

Every organisation needs to consider what it will do when attacked and breached. That means designing everything from system access to network segregation so that if an intruder does breach your defences, the blast radius of their incursion is minimised. Organisations also need to have procedures in place so they know whom to notify in the case of an attack, what information they must share, the timelines for sharing information and how they will communicate.

Asjad Athick is principal security specialist at Elastic.