Right of BOOM: The Aftermath of a Cyberattack
A successful cyberattack has taken your organization/agency off-line. The FBI and CISA have been contacted. As you know, if this hasn’t already impacted you (either directly or indirectly), it will. When your networks are compromised, what happens next?
In the military, they talk about being to the right of boom. The aftermath. This is the part where this has become not just an IT problem and the rest of the company joins in the fight. How do you make payroll with no records? Who owes you money? And a thousand other things. Savvy organizations run regular tabletop exercises (TTX) to stress-test (and build muscle memory) around various ‘what-if’ scenarios.
Recently at the MACPA Government and Not-For-Profit annual conference, a panel focused on this crucial part of the equation.
Typically, TTXs are the realm of the IT department. They often include penetration testing (pen testing), looking for vulnerabilities, and defeating the attackers. This is referred to red team/blue team. Red attacks, blue defends. These exercises are necessary to build an awareness of the entire surface of your networks (remote workers, programs added to the network, devices, etc.) and related things. These exercises sometimes miss a critical step, that is testing the backups. A cybersecurity expert recently said an organization is only as good as their backups. And if the backups aren’t tested, you don’t have backups. Cybercriminals prioritize controlling access to backups as leverage in extortion operations. If they aren’t regularly tested, restoring networks after a cyberattack becomes questionable.
For the non-IT leadership, the TTXs look different. The average downtime an organization faces after ransomware attack is 11 days. That includes those that paid the ransom, those that had sound back-ups, etc. Consider planning a TTX around what would happen if your computer networks were off-line for 11 days.
Make a friend before you need a friend. When things go sideways, it is good to have already established a relationship with your external partners, especially the FBI. There are 56 field offices, and the agents would welcome a hello.
Invite your cyber insurance/risk management professionals, general counsels, board members, investors/funders, etc. to this right of boom TTX. From these initial exercises, you’ll identify both gaps and affirm resiliencies.
A few questions (and there are many others) that need to be explored are:
- Is your organization willing and able to consent to a search of computer systems/networks by the FBI?
- Who has authority to sign legal consent documents?
- Who is responsible for managing your networks?
- Are there multiple networks or system owners?
Once an attack has been discovered, you can report it at www.IC3.gov (less than $5,000) or CyWatch ([email protected]) if over $5,000 in damages. It is advisable, even if paying a ransom, to contact the FBI first for assistance. The FBI has an extensive collection of documents that outline basic steps in the investigation and the impacts on the organization. Cyber Investigation Prep – Key Considerations shares an overview of how the FBI will assist and respond to cyberattacks.
One way to mitigate against threat actors is by having an elite IT managed service provider (MSP) as part of your security equation. I recommend using DTC (www.dtctoday.com) given their extensive experience managing the complicated needs of CPAs (and other professional services).