To death and taxes, it’s time to add a third inevitability to modern life, circa 2023: Cyber sabotage.
“Cyberattack” doesn’t do the phenomenon justice. “Attack” suggests threats that seemingly come from on high, leaving victims feeling powerless to redirect or dodge the vectors that potentially threaten the viability of their business. In my view, “sabotage” reshuffles the deck, folding in culpability and moving away from a more passive business-as-usual mindset.
Cyber assaults are infernal but cybersecurity doesn’t have to be inscrutable. Just as any disciplined athlete works his or her way into fighting trim, smart organizations need to lean into the challenge and emerge intact, if not stronger, by implementing policies and procedures that comprise an effective cyber-sabotage strategy. This isn’t a case of sighing and saying “nothing can be done.” Whatever transpired, every SMB can do more before, during and after the sabotage than the company may realize.
At the risk of oversimplifying, that strategy comes down to five words: Identify. Isolate. Communicate. Analyze. Fix.
SMBs can benefit from an experience-based template that both leverages behaviors/learnings and extrapolates for that inevitable “next time.” The template should focus on these kinds of actions and attitudes:
- Identify both the problem and its source. What actually happened, where and how did it arise, who was most affected, etc.
- In the wake of an incident, retrace your steps — internally, with an eye toward identifying points of vulnerability, seen and unseen; and over time, externally as well.
- Communicate. immediately, clearly, consistently and with humility. Understand the various audiences, plural, then identify and deploy multiple channels of communication (Twitter, DM, email, etc.) to reach them effectively in realtime.
- Be ruthless about fixing anything that may have been (or still be) broken – including established and ostensibly “proven” procedures and processes.
- Gather actionable data: audit security procedures thoroughly. Codify your learnings; enlist appropriate third parties, as necessary, all in service of preventing or averting future incidents.
Register for Small Business Digital Ready to discover and access free small business-focused events.
Make no mistake: calamities happen. With a “security-is-a-process” frame of mind, it’s far easier to react without overreacting. Businesses get blindsided from time to time; living to tell about it is less a matter of luck than of situational awareness, which is never an accident.
So what’s the best way, the institutional way, to bake situational awareness into the pie? One underappreciated facet of this dynamic involves getting help — all-hands-on-deck type help (aiming at things like root cause analysis and even forensic analysis), if that’s what it takes. For businesses committed to shutting down sabotage, inviting third parties into the conversation isn’t entirely risk-free, whatever their level of expertise.
“Not invented here” thinking really is a thing, potentially complicating matters within organizations that may be wary of perspectives that didn’t emerge internally. Looking outside is most effective once the organization has retraced its steps repeatedly and has obtained a thorough, data-driven understanding of what just happened — and then shares that with its chosen third party. Hardening security at that point not only makes sense — it can actually work.
By definition, post-mortems examine what went wrong, where the source(s) was, what key elements and processes were compromised — but they also need to be forward-looking. What did remediation look like this time and how can actions you take now avert a possible recurrence? Are management and monitoring changes warranted, and if so, how significant do they need to be? Is there a risk of over-correcting? How’s the data itself (has anything been accessed, encrypted, copied, exfiltrated, deleted)?
The M.O. for every small business ought to be embracing triage in a way that uninvites drama and replaces it with control. Just internalize the mantra: Identify. Isolate. Communicate. Analyze. Fix.