This past October, Halloween wasn’t the only event that spooked people. A well-executed cyberattack left users of Twitter, Spotify, PayPal, Airbnb, Etsy, and Netflix vulnerable to identity theft. The target was Dyn, a cloud-based company that manages website domains and routes internet traffic.
The infrastructure company fell victim to a distributed denial-of-service (DDoS) attack that attempted to flood websites with traffic so as to impair normal service. The result was a massive outage that mainly affected the eastern United States, taking down a number of popular websites that Dyn serviced.
Representatives from Dyn, which was acquired by Oracle on Jan. 31, stated that the attacks were well executed. Luckily, however, engineers at the company were ultimately able to mitigate each aspect of the attack and restore service, they said. Dyn’s response is a model to follow for CFOs in every industry. Here are the top lessons learned from a notable breach that left internet users in disbelief.
Lesson #1: Be ready to respond.
A proactive and robust cybersecurity strategy that is clearly communicated across your organization is your company’s best defense against cyberattacks. Designing and implementing an incident response plan is a critical component to an effective cybersecurity program. One reason Dyn was able to mitigate the attack quickly is that they had a response plan ready. The hackers in this incident designed and deployed a unique attack approach, and Dyn was still able to stabilize the breach before it destroyed the company.
Your company’s cybersecurity strategy must incorporate the ever-evolving nature of cyber threats. Focusing too narrowly on specific incidents could hinder your company’s ability to respond. CFOs need to ensure that their companies are prepared to react to new methods of attack by running “what-if” scenarios and testing response capabilities. Your company may not always be fully prepared for the attacks being conceived, but by testing your controls you can reduce your recovery time and cost.
On the other hand, it’s important not to overcomplicate your response plan. Including recovery steps for all possible scenarios will result in a complex document that won’t enable employees to act quickly. Instead, your plan should focus on recovery scenarios specific to your critical business data, functions, and supply chain. Focus on building an incident response program that is able to work in multiple scenarios, accounting for people, places, procedures, and communications.
Lesson #2: Invest in people, not just technology.
Dyn clearly had a team of experienced professionals in place to resolve an attack that could have destroyed their business. Every company, big or small, can take a similar approach to fighting cyber criminals. CFOs are spending millions of dollars on software and technology to protect their businesses from cyber crimes, and they should be investing more money in training their own people.
Human error is the leading cause of cyber crimes, according to Verizon’s 2016 Data Breach Investigations Report. Training employees about the dangers of cyberattacks must include more than just sending around a list of dos and don’ts. Get more creative. Consider using gamification for training exercises to present real-life scenarios to employees. One way to accomplish this is by having “pretend” hackers try to obtain proprietary information from your employees. If your office doesn’t properly react, the experience could end up a great lesson for everyone.
For example, you don’t want your employees clicking on suspicious links in emails, so you train them to forward suspicious links to the security team. Then you send test phishing emails to see what they do. When a user responds correctly, they are rewarded by being entered into a drawing for a $100 gift card, with a winner drawn quarterly.
Lesson #3: Be aware of risks presented by IoT.
Dyn provides an internet infrastructure service critical to any company that uses the internet, and the company has robust incident response plans. The uniqueness of the DDoS attack was the sheer volume of unique source IP addresses coming from Internet of Things devices, such as technology users’ personal devices connected to the internet.
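The distinguishing feature the article points to, a flood arriving from a very large number of distinct source addresses rather than from a few heavy senders, is something a defender can measure directly. The following is an added example, not code from the article or from Dyn: it reads constructed DNS query log lines in an assumed format of "timestamp source-ip query-name", counts distinct sources per one-minute window, and flags any window whose distinct-source count exceeds a multiple of the median across windows. The log format, the addresses, the 10x threshold and the traffic shape are all constructed for illustration.

```python
"""
Added example (not from the article or from Dyn): flag time windows in a
DNS query log where the number of *distinct* source IPs jumps far above
the baseline, the signature the article attributes to the Dyn flood.
Log format, thresholds and traffic below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from statistics import median

EPOCH = datetime(1970, 1, 1)  # naive reference point for window bucketing


def parse_line(line):
    """Assumed log format: '<ISO timestamp> <source ip> <query name>'."""
    ts, src, qname = line.split()
    # ip_address() rejects malformed addresses instead of silently counting them
    return datetime.fromisoformat(ts), str(ip_address(src)), qname


def window_stats(lines, window_seconds=60):
    """Return {window_start: {"unique_sources": n, "queries": m}} per fixed window."""
    sources = defaultdict(set)
    queries = defaultdict(int)
    for line in lines:
        ts, src, _ = parse_line(line)
        secs = int((ts - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=secs // window_seconds * window_seconds)
        sources[start].add(src)
        queries[start] += 1
    return {w: {"unique_sources": len(sources[w]), "queries": queries[w]} for w in sources}


def flag_windows(stats, multiplier=10):
    """Flag windows whose distinct-source count exceeds multiplier x the median window.
    Using distinct sources (not raw query count) is what separates a botnet-style
    flood from a single misbehaving client retrying aggressively."""
    baseline = median(s["unique_sources"] for s in stats.values())
    return sorted(w for w, s in stats.items() if s["unique_sources"] > baseline * multiplier)


def build_sample_log():
    """Constructed traffic: two quiet minutes of the same 20 resolvers, then one
    minute in which 500 distinct (private, made-up) addresses each send 2 queries."""
    lines = []
    base = datetime(2016, 10, 21, 11, 10, 0)
    for minute in range(2):
        for i in range(20):
            ts = base + timedelta(minutes=minute, seconds=i * 3)
            lines.append(f"{ts.isoformat()} 10.0.0.{i + 1} example.com")
    attack = base + timedelta(minutes=2)
    for i in range(500):
        src = f"10.200.{i // 250}.{i % 250 + 1}"  # 500 distinct constructed sources
        for k in range(2):
            ts = attack + timedelta(seconds=(i % 55) + k)
            lines.append(f"{ts.isoformat()} {src} example.com")
    return lines


def detect(lines=None, window_seconds=60, multiplier=10):
    """Run the check over the given lines (or the constructed sample) and return
    the list of flagged window start times."""
    lines = build_sample_log() if lines is None else lines
    return flag_windows(window_stats(lines, window_seconds), multiplier)


if __name__ == "__main__":
    for w, s in sorted(window_stats(build_sample_log()).items()):
        print(f"{w.isoformat()}  unique_sources={s['unique_sources']:4d}  queries={s['queries']}")
    print("flagged:", [w.isoformat() for w in detect()])
```

In practice the baseline would come from historical windows rather than from the same batch being scored, and the multiplier would be tuned to the service's normal resolver population; the point of the check is that it keys on source diversity, which is exactly what a large IoT botnet cannot hide.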
Technology users are being pushed into using cloud services by the likes of Microsoft OneDrive, Apple iCloud, Amazon Cloud Drive, and Google Drive. But when they use their personal mobile devices to do office work, their accounts may not meet corporate standards. Most cloud services allow for automatic backup and synchronization of data stored on laptops and personal devices. This can cause compliance issues for those companies that deal with health care, financial, or personally identifiable information.
As employees become more connected to the internet of things, it will be harder to separate personal data from corporate data. CFOs need to assume that their employees are taking work home and plugging their corporate devices into their home networks. That creates the risk of corporate data ending up on their personal devices and storage areas.
As they move through 2017, CFOs will need to implement a thorough IT vulnerability assessment. That can help finance chiefs understand whether their companies’ security policies and awareness programs will actually prevent outsiders from obtaining valuable information or confidential patient data directly from their companies’ employees.
Christopher Roach is the managing director and national IT practice leader of CBIZ Risk & Advisory Services.