Published on June 11th, 2020

Decision Making Is your Organization’s Greatest Cyber Defense, But Can It Really Be Trained?


Modern life is the accumulation of a multitude of small choices. What to eat, where to go, who to listen to on social media. Attackers play on the numbing effect of this blizzard of actions by trying to slip one seemingly innocuous click past us. That's why following a link in a phishing email, downloading a fake software update, or overlooking a patch can have untold consequences. 

But while good frontline decision making is important, preventing mistakes is nearly impossible, as demonstrated by the 90% of data breaches caused by human error last year.

People are an organization’s biggest asset post-compromise

People can be a cybersecurity liability, but they can also be an organization’s greatest asset. This is neatly summed up in the OWASP Cyber Defense Matrix, which shows a continuum characterizing the degree of dependency on technology, people and process as you move through the operational functions.

The matrix shows that the dependency on technology diminishes as an incident moves into a crisis phase. Almost everything post-compromise (or "right of boom") is about people and process. From this point on, decision making is either an organization’s greatest strength or its Achilles heel – there is little in between.

Incident response plans are a precursor to good decision making

According to a recent IBM study, the average data breach cost $3.92 million last year, proving the necessity of incident response plans within the enterprise. An incident response plan is the set of instructions that helps staff detect, respond to and eventually recover from incidents; executing it is a team effort involving internal resources and external entities such as vendors, contractors, law enforcement and legal counsel. Every incident response plan should cover the following steps:

· Preparation – being prepared to respond before an incident occurs

· Identification – determining whether an incident has occurred, and if one has, its nature

· Containment – limiting the scope and magnitude of an incident

· Eradication – removing the cause of the incident

· Recovery – restoring systems to their normal status

· Follow-up – improving incident-handling procedures and supporting efforts to prosecute

Despite the importance of incident response plans, a quarter of infosec leaders aren’t even sure their business has one. And this is cause for concern when considering half of all CEOs feel their organization is incapable of responding to a hacking incident or data breach.

Equifax and the consequences of poor decisions

The Equifax breach is a great example of how poor decisions can not only start a cyber crisis but also exacerbate one. In 2017, hackers breached the company through a well-known vulnerability that should already have been patched. Post-compromise, however, people were making poor decisions right across the board.

After discovering the breach it took Equifax over a month to notify anyone, during which time stock sales by top executives gave rise to accusations of insider trading. The business then set up a separate, dedicated domain to host the site with resources for those potentially affected – equifaxsecurity2017.com. However, phishing scams often use lookalike domains of exactly this kind, so asking customers to trust an unfamiliar one was amateurish. Worse still, the company’s social media accounts were sending people to the wrong URL entirely, securityequifax2017.com.
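The transposed-domain mistake above is the kind of error a simple pre-publication check catches. The following Python script is an added example, not part of the original article: it scans draft outbound messages for links, verifies each host against an allowlist of officially registered domains, and flags any host whose second-level label is an anagram of, or within a couple of edits of, an official label as a likely lookalike. The allowlist uses the equifaxsecurity2017.com domain named in the article; the sample posts are constructed, and the second-level-label extraction is a deliberate simplification (it does not handle multi-part suffixes such as co.uk).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: the domains an organization has
# actually registered for breach communications. The value is the domain
# named in the article; treat the set as hypothetical.
OFFICIAL_DOMAINS = {"equifaxsecurity2017.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def host_of(url):
    """Return the lowercase host of a URL with any leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def sld_label(host):
    """Second-level label of a host, e.g. 'securityequifax2017.com' -> 'securityequifax2017'.

    Simplifying assumption: two-part suffixes such as 'co.uk' are not handled.
    """
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos and squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, official=OFFICIAL_DOMAINS, max_edits=2):
    """'official' if the host is allowlisted, 'lookalike' if its label is an
    anagram of, or within max_edits of, an official label, else 'unrelated'."""
    host = host_of(url)
    if host in official:
        return "official"
    label = sld_label(host)
    for dom in official:
        ref = sld_label(dom)
        # Reordered words (securityequifax vs equifaxsecurity) share the same
        # multiset of characters; typos are caught by the edit-distance check.
        if sorted(label) == sorted(ref) or edit_distance(label, ref) <= max_edits:
            return "lookalike"
    return "unrelated"


def audit_messages(messages, official=OFFICIAL_DOMAINS):
    """Scan draft outbound messages and return (url, verdict) for every link
    that is not an official domain, so it can be corrected before publication."""
    findings = []
    for text in messages:
        for url in URL_RE.findall(text):
            verdict = classify_link(url, official)
            if verdict != "official":
                findings.append((url, verdict))
    return findings


# Constructed sample posts: one correct, one carrying the transposed domain
# the article describes, and one pointing somewhere unrelated.
SAMPLE_POSTS = [
    "Check whether you are affected at https://www.equifaxsecurity2017.com/",
    "Enroll for monitoring here: http://securityequifax2017.com/enroll",
    "Read our FAQ at https://example.org/faq",
]

if __name__ == "__main__":
    for url, verdict in audit_messages(SAMPLE_POSTS):
        print(f"{verdict:10} {url}")
```

Run as a gate in the comms approval workflow, the script returns the second post's link as a lookalike and the third as unrelated, so both are reviewed before anything reaches customers. The anagram test is what catches the reordered-word case; edit distance alone scores "securityequifax2017" as far from "equifaxsecurity2017", which is why both checks are needed.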

The company’s top brass didn’t last long as a result, and over two years after the breach, Equifax said it had spent $1.4 billion on cleanup costs.    

The industry needs a way to battle-test decision making

There is currently no contemporary way to stress-test human security and response capability in order to build cyber readiness. Cyber crisis exercising is still slide-driven and paper-based, lacking the realism, jeopardy and consequences needed to be effective. These scenarios require a heavy investment in time, which makes them draining for large organizations. Crucially, they also lag behind the emerging attack landscape.

Many infosec leaders think showing the impact of a decision in real time is the key to incident response exercises. This comes from practical learning experiences that build muscle memory which can be called upon during a real cyber crisis.

To boost decision making skills, it is crucial to battle-test defenders in real-time cyber crises – challenging teams to make critical decisions amid the nuances of everything from ransomware outbreaks and insider threats to data breaches and spear-phishing attacks. Realistic storylines that evolve based on a team’s decisions will drive resilience and human readiness unlike anything else, preparing people to face the real-world consequences of a cyber incident.

But until organizations leave archaic crisis response training behind, we will see more incidents in the mould of Equifax, with damage spiralling long after compromise.
