Blog article

For the best cyber defence, be on the Blue Team

The truth is that your business is being attacked by cybercriminals. Yesterday. Today. Every day. Is your business ready? Would you know what to do?

When it comes to cyberattacks, there is zero immunity. The BlackBerry 2022 Threat Report found that small and mid-sized businesses (SMBs) are currently experiencing 11-13 attacks per day. That’s an attack every couple of hours; 4,745 malicious entry attempts on your organisation each year.

The increase in connected endpoints and the continued migration to digital technologies make the threat surface broader, while cybercriminal tactics such as ransomware-as-a-service (RaaS) mean that smaller, even niche, organisations have become viable targets.

For the financial sector, data theft is the dominant threat. Cybercriminals are using a range of tactics – from old school phishing to more sophisticated activities – to create an entry point for malware. Particularly in today’s tense global political environment, nation state actors want to purloin financial data and a lack of focus on security comes at a price.

Cybersecurity innovations and approaches offer strong protection. Yet, cybersecurity investment is like the fire alarms in your home. Installation of the right tools gets you much of the way to being protected, but the alarms need regular testing and new batteries. Your family needs to know what to do when the alarms ring, how to call the fire brigade and evacuate the building safely.

In cybersecurity we talk about ‘red team’ tests that simulate a hack to find out how defences perform under attack. ‘Blue team’ tests prepare and practice defensive action, providing a step-by-step framework for preparation to remediation.

When there’s no doubt the threats will come, the only question is: are you ready?

Go Blue Team!

In truth, most companies – regardless of size and sector – are not ready and, when a strike happens, SMBs are typically the worst affected. The cost of remediation and reputation in the wake of a cyberattack can be a death knell, with 60% of businesses folding within six months. Yet most companies don’t run tests on their security capabilities, often for reasons of money, time or resources.

The SANS Institute incident response cycle offers an accessible guide, and it is the framework that the CylanceGUARD team at BlackBerry uses for Blue Team testing. It starts with preparation, runs through identification, containment, eradication and recovery in the event of a breach, and ends with lessons learned, which takes us back to preparation.

In our experience, most issues are rooted in inadequate preparation. For example, your organisation is exposed to attack if it is still relying on legacy, signature-based anti-virus protection. Digital transformation strategies have dramatically increased the range of devices connected to the network, and for such an estate an endpoint detection and response (EDR) system provides more reliable protection.

Having the right expertise available is also a challenge. While the finance sector’s larger organisations may have cybersecurity professionals within their in-house team, for the majority the answer is more likely to be outsourcing. It’s important to get a relationship established as a go-to resource in the event of a breach, to minimise panic and increase response speed when crisis hits.

Identify, Contain, Eradicate, Recover

When defences are breached, time is of the essence. But it can be easy to miss critical actions in a rush to resume operations.

In the identification phase, following procedures and communications plans is critical to alerting the right people and pinpointing the root of the threat. Are there unfamiliar events, new accounts, oddly scheduled tasks or ‘out of band’ communications via an unusual channel? All of these are flags that could signal a breach.

Containment then aims to stop the spread of malware further into the network. This can be as straightforward as unplugging the network connection to cut off infected systems. Password changes, antivirus protection and file deletion can also help at this stage.

Once the threat is contained, move on to eradication. Here it is important to know from the identification stage whether you are dealing with ransomware or malware, what the threat is and how it manifests. Malware often has more than one way of persisting on a machine, so eradication needs to be a thorough process of deleting infected files, applying patches, restoring back-up files and rescanning the network for any remaining presence of the threat. Rare – but valid – is the ‘nuclear option’ of wiping, reformatting or rebuilding from scratch.

And, finally, we proceed to recovery with a return to normal operations. This phase requires close testing and monitoring to check for attacker artifacts – the evidence that the intrusion leaves behind. These are difficult for attackers to manipulate and help professionals investigate the breach to identify the threat actors and their techniques.
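The identification signals above (new accounts, oddly scheduled tasks, out-of-band communications) and the containment step of cutting off affected hosts can be turned into a first-pass triage check. The following is an added example, not code from BlackBerry or the article; it assumes a simplified "timestamp|host|EVENT key=value" log format and uses constructed sample lines.

```python
from datetime import datetime

# Constructed sample log lines (not from the article): "timestamp|host|EVENT k=v ..."
SAMPLE_LOG = """\
2024-03-04T02:13:07|fin-ws-17|USER_CREATED name=svc_backup2 by=jdoe
2024-03-04T02:14:52|fin-ws-17|TASK_CREATED name=Updater run=03:00 cmd=C:\\Users\\Public\\u.exe
2024-03-04T02:16:30|fin-ws-17|OUTBOUND proto=dns dst=203.0.113.10 bytes=48120
2024-03-04T09:02:11|fin-ws-17|LOGON user=jdoe
2024-03-04T10:30:00|fin-ws-21|TASK_CREATED name=Backup run=22:00 cmd=C:\\ProgramData\\Backup\\bk.exe
2024-03-04T10:31:05|fin-ws-21|OUTBOUND proto=https dst=198.51.100.7 bytes=2048
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumed for this estate)
USER_WRITABLE = ("C:\\Users\\", "C:\\Windows\\Temp")   # assumed paths a normal task should not run from
DNS_VOLUME_LIMIT = 10_000       # bytes in one DNS flow before it looks like an out-of-band channel (assumed)

def parse(line):
    """Split one record into (datetime, host, event kind, {field: value})."""
    ts, host, event = line.split("|", 2)
    kind, _, rest = event.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), host, kind, fields

def triage(log_text):
    """Return (host, reason, line) tuples for records the identification phase should escalate."""
    findings = []
    for line in log_text.splitlines():
        when, host, kind, f = parse(line)
        off_hours = when.hour not in BUSINESS_HOURS
        if kind == "USER_CREATED":
            findings.append((host, "new account created", line))
        elif kind == "TASK_CREATED" and (off_hours or f["cmd"].startswith(USER_WRITABLE)):
            findings.append((host, "oddly scheduled task", line))
        elif kind == "OUTBOUND" and f["proto"] == "dns" and int(f["bytes"]) > DNS_VOLUME_LIMIT:
            findings.append((host, "out-of-band channel (bulk DNS)", line))
        elif off_hours:
            findings.append((host, "unfamiliar off-hours event", line))
    return findings

def hosts_to_contain(findings):
    """Distinct hosts with findings: candidates for network isolation in the containment phase."""
    return sorted({host for host, _, _ in findings})

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for host, reason, line in results:
        print(f"[{host}] {reason}: {line}")
    print("isolate:", hosts_to_contain(results))
```

The thresholds are deliberately simple; in practice they would be tuned to the organisation's own baseline of accounts, task schedules and traffic so that routine events such as the night-time backup task are not escalated.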

Learn from the past, inform the present

In the fast-paced world of cybersecurity, there is no such thing as over-preparation! Thus, taking time to identify the lessons learned – documenting the journey from discovery to recovery, seeking out necessary changes, and updating processes and policies for better protection in future – is a critical step in the aftermath of an attack.

Whilst it is tempting to point fingers (now we know who clicked on that unknown attachment), it’s important to tackle processes, not people, to create lasting change. Informing stakeholders and delivering an executive summary that is accessible to the C-suite are critical steps in securing budget and support for future development of cybersecurity protection and a ‘prevention first’ approach.
