Let’s discuss how to survive a cyberattack—and recover faster. I’m going to share my experience on how to prepare for an attack against your organization—including your ERP systems. Here’s a quick synopsis of how to achieve both of those goals:
- Plan effectively
- Be fully prepared—before you need to put that plan into action
Recently, I was a panelist on an Onapsis and Dark Reading webinar on cyber resiliency. As you’ll hear on the webinar recording, my fellow panelist, John Pironti, president of IP Architects, LLC, and I agree that cyberattacks are inevitable. While you must work diligently on prevention, the most important job for any organization is to be prepared to respond when an attack occurs. Effective planning for a cyberattack requires participation from many different departments in an organization. It’s not enough for the security and IT teams to have an incident response (IR) plan ready should a security incident occur. While they are experts when it comes to technology, successful preparation for a cyberattack involves much more than just what to do with computers and related equipment.
I recommend that organizations conduct table-top planning exercises that involve all of the key teams responsible for making a business run smoothly. That means the CEO and their direct reports, including HR, customer success, legal and PR need to be actively involved in this effort. Those departments have vital roles to play in the exercise. For example, no one knows more about employee communications than the HR team.
Begin the exercise by creating a multi-faceted story about a security incident in PowerPoint. The story should be as broad as possible, including the involvement of law enforcement, the news media and regulators. It’s critical that this activity is sufficiently complicated so it is realistic and useful. But such a complex undertaking takes time. It can’t be done in an afternoon. For best results, give everyone the story one month before you get together to go over each team’s response plan.
In my experience, if you were to tell all of the direct reports of the CEO that you need them in a meeting to see how they would perform in a surprise incident response exercise, everyone would call in sick that day. Nobody wants to be embarrassed in front of the CEO or their peers. That’s why they will appreciate having time to prepare their piece of the plan. During that preparation time, the security team should be available to all of those executives and their teams to help address questions and concerns. This commitment of support from the security team will help ensure full attendance on the day of the table-top exercise.
Here’s what a thorough IR plan should include:
Having done these exercises many times, and also having dealt with actual cyberattacks and breaches, I have learned that an effective IR plan, for all of its complexities and customizations, distills down to three simple points:
- Contain it
- Fix the affected systems
- Restore operations
Every IR plan should include your ERP systems
This next point is critical for understanding the difference between a security incident that affects IT systems and one that hits a broader part of your organization, especially your ERP systems.
If somebody hacks your website, the common response is to shut it down while you find and fix the problem. That might be an inconvenience to the company and your customers, but the scope of such an attack is relatively limited. But what happens if your ERP systems are the target? Can you just shut ERP down, as you would with a website? Well, you could. But you would be shutting down your entire business for who knows how long. That’s not an option, which is why you've got to come up with containment methods that make sense to your business but doesn’t exacerbate the breach.
I recommend you start looking at compensating controls in terms of how to step up the reviews of all wire transfers within a particular period of time, along with all of the secondary approvals. You also need to look at every configuration change that's been made within the targeted time period. As you are doing that, you also need to lock down fields, approvals, etc.
ERP incident response requires a whole different level of consideration than your average distributed denial of service (DDoS) or malware incident. It’s much more complex—and sensitive. And that’s why it’s so important to put a tremendous amount of effort into planning for a potential cyberattack now, instead of waiting until you’re in the throes of an incident to start thinking about how to respond. In part two of this post, I’ll discuss how to develop the organizational muscle memory required to quickly respond to and recover from an attack.