10 Ways Companies Screw Up Their Cyber Investigations

Cybersecurity is no longer something that is merely nice to have; for many businesses it is a matter of survival. Seemingly every week another major breach makes headlines, on top of the thousands of cyber attacks that target small businesses each year. Stopping the attack is only part of the job, however.

To protect your business, you also need to investigate each incident thoroughly, so that you can close the gaps the attacker used and preserve the evidence you will need if the incident ends in litigation or a regulatory inquiry. Cyber investigations are difficult, though, and companies often screw them up.

Mistakes companies make in cyber investigations

  1. Not believing they’re vulnerable to breaches
  2. Thinking reliable software keeps them safe
  3. Reacting too slowly to attacks
  4. Not backing up their data regularly
  5. Monitoring networks without the right expertise
  6. Thinking IT isn’t critical to day-to-day operations
  7. Talking about sensitive information over email after a breach
  8. Waiting to get counsel until after an attack
  9. Overthinking attackers’ technical capabilities
  10. Never evolving their approach to cybersecurity

1. Not Believing They’re Vulnerable to Breaches

The unfortunate reality of cybersecurity today is that anyone can be hit with an attack at any time. Many companies, however, believe they are too small or too low-value to be attacked, or that the baseline security measures they have in place will keep them safe. In actuality, small businesses are a big target for attackers, and standard security tools cannot be relied on to stop zero-day threats.

2. Thinking Reliable Software Keeps Them Safe

In theory, choosing reliable software from a reputable vendor should be enough to keep a business safe, but the SolarWinds compromise disclosed in 2020 proved otherwise: the attackers inserted malicious code into a legitimate, signed update of the Orion product, so the trusted software itself became the delivery mechanism. Attackers constantly look for vulnerabilities in widely used software that they can exploit, and the vendor may not have a patch available until it is too late. Companies should still choose reliable software, but they also need an incident response plan in place to quickly catch the threats that slip past their security tools.

3. Reacting Too Slowly to Attacks

Every second counts during a cyberattack. John Hammond, senior security researcher at Huntress, explains that it’s vital for organizations to have incident response plans and cybersecurity tools in place before a breach ever occurs. “The fatal mistakes are not having a disaster recovery plan, a business continuity plan, tested reliable backups, the knowledge of who to reach out to, how, and when, and a number of other preparations. There should never be any open questions during an emergency — to the best of their ability, an organization should have role-played and worked through their own disaster scenario well in advance.”

4. Not Backing Up Their Data Regularly

Ransomware has been a hot topic in the media lately, made worse by the fact that much of its damage is avoidable. Far too many companies don’t back up their data regularly, which leaves them with nothing to restore when their files are encrypted. By backing up often, keeping at least one copy offline or otherwise out of the attacker’s reach (ransomware operators routinely delete or encrypt any backups they can get to before they encrypt production systems), and testing that restores actually work, an organization has no reason to pay a ransom for its data and can keep operations running. Backups do not, however, undo the theft of data that the attacker threatens to publish. Backups are also key evidence in a cyber investigation: comparing a known-good backup with the current state of a system shows exactly which files the attacker added, changed, or deleted.
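The baseline comparison described above, as an added example that is not part of the original article: it hashes every file under a backup tree and under the live (or imaged) tree, then reports what was added, deleted, or modified. The sample file trees, the webshell-style changes and the names `build_manifest`, `diff_manifests` and `demo` are all constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk `root` and return {relative_path: sha256 hex digest} for every regular file.

    pathlib's rglob("*") matches dotfiles too, so hidden files are not silently skipped.
    """
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare a known-good manifest (taken from a backup) against the current system."""
    base_keys, cur_keys = set(baseline), set(current)
    common = base_keys & cur_keys
    return {
        "added": sorted(cur_keys - base_keys),
        "deleted": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "unchanged": sorted(p for p in common if baseline[p] == current[p]),
    }


def write_tree(root, files):
    """Materialise a {relative_path: bytes} mapping under `root` (test scaffolding only)."""
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Constructed scenario: a pre-incident backup vs. the same tree after a hypothetical intrusion."""
    backup_files = {
        "www/index.php": b"<?php echo 'hello'; ?>\n",
        "www/config.php": b"<?php $db_pass = 'secret'; ?>\n",
        "etc/crontab": b"0 3 * * * /usr/local/bin/backup.sh\n",
    }
    live_files = dict(backup_files)
    # Hypothetical attacker changes: a backdoor appended to an existing page,
    # a dropped hidden file, and the backup cron job removed.
    live_files["www/index.php"] = b"<?php echo 'hello'; @eval($_POST['x']); ?>\n"
    live_files["www/.cache.php"] = b"<?php system($_GET['c']); ?>\n"
    del live_files["etc/crontab"]

    with tempfile.TemporaryDirectory() as backup_dir, tempfile.TemporaryDirectory() as live_dir:
        write_tree(backup_dir, backup_files)
        write_tree(live_dir, live_files)
        return diff_manifests(build_manifest(backup_dir), build_manifest(live_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical points: the baseline must come from a backup taken before the suspected intrusion, or the attacker's changes are baked into it; and the "current" side should be a forensic image or read-only mount rather than the running system, so that the comparison itself does not alter timestamps or other evidence. Generating and storing the manifest alongside each backup (ideally signed) turns every backup into a ready-made baseline.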


5. Monitoring Networks Without the Right Expertise

Monitoring the network is essential for companies to ensure there are no threats lurking that could compromise the system. However, security monitoring isn’t something that someone can pick up right away. Matt Bromiley, senior principal consultant with Mandiant Managed Defense, says, “Adversaries are skilled at identifying nooks and crannies within a company’s environment and hiding in those ‘secret’ places to evade detection. When performing an incident response, absolute visibility is essential to scoping an incident and preparing to truly root out the adversary.”

The people monitoring a network have to know what to look for and be cognizant of minor differences that could identify a breach. Additionally, someone needs to be watching the network 24 hours a day, 7 days a week, 365 days a year.

6. Thinking IT Isn’t Critical to Day-to-Day Operations

Once upon a time, IT wasn’t necessarily the backbone of most organizations, but now, with remote work and all of the technology required to get work done efficiently, IT is more important than ever. “When I look back, I remember that IT and computers were sort of seen by senior management as something new, something we’ve got to get used to, and the way to manage it was to hire an IT manager and they didn’t have to worry about it,” says Alan Brill, senior managing director and founder of Kroll’s cyber risk practice. “IT is no longer just a service, it’s at the heart of your business.”

Without a proper IT team in place, your cyber investigations could be a waste of time, because the logs, asset inventories, and system records you need to find out what happened may never have been collected in the first place.

7. Talking About Sensitive Information Over Email After a Breach

Many people make the mistake of continuing to discuss the incident over email after they’ve had a breach. Brill goes on to say, “When you have a data breach, everything is on the record. Jokes may not come across as jokes. It’s better to talk on the phone or meet in person.”

Talking over email after a breach creates two major problems. First, if the attacker still has a foothold in the mail system, they can read exactly what the organization knows about them and adapt before they are evicted. Second, anything written in those emails is discoverable and can be used against the company in litigation. Move incident discussions to a channel the attacker cannot reach, such as the phone, in-person meetings, or an out-of-band system set up for the response.

8. Waiting to Get Counsel Until After an Attack

Certain regulations, such as the GDPR, give businesses only a limited amount of time to report an incident: under the GDPR, a personal data breach must be notified to the supervisory authority within 72 hours of the organization becoming aware of it. Wasting that time trying to find an investigating partner severely sets the company back and may run out the clock completely. It’s important to remember that cybersecurity experts are in short supply relative to the demand, so companies may have a hard time finding the expertise they need on short notice. Counsel is essential for helping organizations collect important evidence and store it correctly, and engaging counsel before an incident means the investigation can be conducted under their direction from the first hour.

9. Overthinking Attackers’ Technical Capabilities

Some organizations make the mistake of focusing too heavily on the advanced vulnerabilities in their network while overlooking the basic ones. Bromiley notes, “One of the most popular entry vectors is spear phishing, followed by legitimate credential use (with single-factor authentication), exploiting an external-facing device or service, and browser-borne threats (in no order). Adversaries are very much creatures of ‘least resistance’ and will often utilize the easiest path into a victim company. In investigations, and in your overall security program, do not ignore the basics for the sake of the advanced, because the attackers will win with the former every time.”

10. Never Evolving Their Approach to Cybersecurity

New threats are always emerging, and in response, cybersecurity is constantly evolving. Brill explains, “It used to be that we would use a Middle Ages ‘guard the walls of the castle’ approach and if we could protect each of the places where data was coming in and going out, that would be fine. But the bad guys learned to dig in from under and throw things over the walls.”

With the evolution of new threats, businesses need to adapt their cybersecurity approach as well. They can no longer simply guard the edges of their network; instead, they need to add zero trust policies and microsegmentation when applicable.

Protecting Your Business Before, During, and After Attacks

Hammond, Brill, and Bromiley all agree that while it’s possible for an organization to conduct a successful cyber investigation in-house, it needs to have the right levels of personnel and expertise to do so. Unfortunately, that isn’t the reality for many businesses, so third-party firms are their best bet in resolving an investigation quickly and thoroughly. Companies should talk to these firms before a cyberattack ever happens, putting the expertise and experience in place for when they inevitably need it.
