Five best practices for countering cyber breaches and attacks

04 November 2016

The proactive management of cybersecurity relies on an intelligence-led approach that can either prevent a breach from happening, or make sure that it is quickly detected and remediated, writes Robert Anderson, a Managing Director in Navigant’s Cybersecurity practice.

The escalation in cybercrime today is driven by the lucrative proceeds of hacking activity, the increasing availability on the Dark Web of stolen authentication credentials, and the growth of off-the-shelf malware, which has enabled greater participation in cybercrime. Here are five best practices for organisations to follow to harden their defences against a cyberattack and mitigate the consequences in the event a breach occurs.

Best Practice 1: Know your adversary
Specific industry sectors are being targeted by cybercriminals, nation states or hacktivists, each with different motivations and capabilities. Hackers are able to scan organisations for system vulnerabilities in order to identify potential targets. Since the details of computer operating systems used by specific organisations can be purchased on the Dark Web, hackers are then able to attack organisations through customised malware designed to exploit vulnerabilities and bypass security. This year’s SWIFT compromise is a perfect example of that strategy: the malware was written specifically for that company to circumvent its internal controls.

Proactive management of cyber security relies on an intelligence-led approach uncovering the probable source and motives of external threats, with the aim of preventing a breach before it happens or at least putting mechanisms in place to ensure it is quickly detected and remediated. 

Best Practice 2: Think of employees as a security vulnerability
It has long been a practice of hackers to trick their victims into clicking on email attachments or links in order to download malware. Since employee names, their contact details and their colleagues are readily accessible via company websites or social media sites, fraudulent emails may appear to originate from a known person in a plausible business context. By giving employees security awareness training, they can learn what procedure to follow when witnessing suspicious activity by co-workers, or when receiving a suspicious email themselves.

Best Practice 3: Don’t assume all employees are on your side
Hackers do not rely solely on employees who unwittingly enable their attacks. They also gain insider cooperation from employees who intentionally steal data or help deliver the malware. In the case of the theft of DuPont trade secrets, details of the intellectual property were stolen by a number of insiders acting on behalf of an external party. The collaborators were not disgruntled employees; they were scientists open to bribery.

Network data traffic can also be analysed by experts to detect employees or contractors who may be under the influence of an external party. Suspicious activity includes data transfers to unusual IP addresses, and data traffic of abnormally high volume or outside normal office hours.

To increase the likelihood of detecting malicious insider behaviour quickly, it is important to monitor the activity of employees with access to sensitive data. This can be accomplished by setting up alerts for any data sent via unauthorised means (for example, file transfer, email, instant messaging, or copying to CDs or USB sticks).
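The two paragraphs above describe four indicators that can be checked mechanically: transfers to destinations outside the known address space, abnormally high volume, activity outside office hours, and use of unauthorised channels. As an added example (not part of the original article, and not a Navigant tool), the following Python script applies those checks to a few constructed transfer log lines. The log format, the "known" networks, the thresholds and the list of unauthorised channels are all assumptions made for the example; it also goes one step beyond the text by totalling each user's volume per day, so that several individually small transfers still raise an alert.

```python
"""Added example: triage of outbound transfer records for the insider
indicators described above (unusual destination, high volume, out-of-hours
activity, unauthorised channel). Log format, networks, thresholds and channel
names are assumptions made for this example, not any product's configuration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed "known" address space: the internal range plus one partner range.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
OFFICE_HOURS = (8, 18)                          # 08:00 <= hour < 18:00 counts as office hours
SINGLE_TRANSFER_THRESHOLD = 500 * 1024 * 1024   # 500 MiB in one transfer (assumed)
DAILY_USER_THRESHOLD = 500 * 1024 * 1024        # 500 MiB per user per calendar day (assumed)
# Channels the organisation has not approved for moving data (assumed list).
UNAUTHORISED_CHANNELS = {"ftp", "webmail", "im", "usb", "optical"}


@dataclass
class Transfer:
    ts: datetime
    user: str
    dst_ip: str
    bytes_out: int
    channel: str


# Constructed sample log: "<ISO timestamp> <user> <destination IP> <bytes> <channel>".
SAMPLE_LOG = """\
2016-11-02T10:15:00 jsmith 10.1.2.3 1048576 smb
2016-11-02T23:40:00 ascott 198.51.100.7 734003200 ftp
2016-11-03T09:05:00 bliu 203.0.113.9 209715200 https
2016-11-03T11:30:00 bliu 203.0.113.9 209715200 https
2016-11-03T15:45:00 bliu 203.0.113.9 209715200 https
2016-11-03T13:22:00 ascott 10.4.4.4 52428800 usb
2016-11-03T02:10:00 kchen 192.0.2.88 4194304 webmail
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into Transfer records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dst, nbytes, channel = line.split()
        records.append(Transfer(datetime.fromisoformat(ts), user, dst, int(nbytes), channel))
    return records


def is_unusual_destination(ip_text):
    """True when the destination lies outside every known network."""
    ip = ip_address(ip_text)
    return not any(ip in net for net in KNOWN_NETWORKS)


def is_outside_office_hours(ts):
    start, end = OFFICE_HOURS
    return not (start <= ts.hour < end)


def transfer_indicators(t):
    """Return the indicator names a single transfer triggers (empty list if none)."""
    reasons = []
    if is_unusual_destination(t.dst_ip):
        reasons.append("unusual-destination")
    if t.bytes_out >= SINGLE_TRANSFER_THRESHOLD:
        reasons.append("high-volume")
    if is_outside_office_hours(t.ts):
        reasons.append("out-of-hours")
    if t.channel in UNAUTHORISED_CHANNELS:
        reasons.append("unauthorised-channel")
    return reasons


def triage(records):
    """Per-transfer alerts: [(Transfer, [indicator, ...])] for transfers with at least one indicator."""
    alerts = []
    for t in records:
        reasons = transfer_indicators(t)
        if reasons:
            alerts.append((t, reasons))
    return alerts


def daily_volume_alerts(records):
    """Per-user, per-day totals that exceed DAILY_USER_THRESHOLD, keyed (user, 'YYYY-MM-DD').

    Catches "low and slow" movement of data where every single transfer stays
    under SINGLE_TRANSFER_THRESHOLD but the day's total does not."""
    totals = defaultdict(int)
    for t in records:
        totals[(t.user, t.ts.date().isoformat())] += t.bytes_out
    return {key: total for key, total in totals.items() if total > DAILY_USER_THRESHOLD}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for t, reasons in triage(recs):
        print(f"{t.ts.isoformat()} {t.user:<7} -> {t.dst_ip:<14} {t.bytes_out:>10} B "
              f"via {t.channel}: {', '.join(reasons)}")
    for (user, day), total in sorted(daily_volume_alerts(recs).items()):
        print(f"{day} {user:<7} daily total {total / 2**20:.0f} MiB exceeds threshold")
```

In the sample, the 23:40 FTP transfer to an unknown address raises all four indicators at once, the USB copy during office hours raises only the channel indicator, and the three HTTPS transfers to a partner network are individually unremarkable but together exceed the daily threshold. In practice the thresholds and office hours should be set per role from a baseline of normal behaviour, and each alert should be reviewed by a person before any action is taken.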

Best Practice 4: Fear what you don’t know
In recent years, we have seen major data breaches against TalkTalk, Sony, Vodafone and JP Morgan. These are only the most publicised cases; in many circumstances, companies are simply not aware that they have been breached because those responsible have evaded detection and continue to operate. 

Here are some processes to help you detect ongoing compromises: a thorough assessment of cyber resilience that identifies undetected ongoing compromises; stress testing of the organisation’s cyber defences; using scanning software to rapidly identify malware or a virus so that it can be investigated and neutralised in real time; focusing resources on real and active threats by eliminating false positives in alerts; and performing readiness testing to identify the security strengths and weaknesses of your organisation.

Best Practice 5: Act quickly in the event of a compromise and don’t delay notification
When a breach occurs, an incident response management plan is vital. This should set out the pre-determined actions to be undertaken by the team coordinating the response, including notification of relevant stakeholders such as government regulators. Organisations in EU member states must notify regulators within 72 hours from the time they discover the breach. The notification must include the nature of the breach, who has been affected, the potential implications of the breach, and the steps the organisation has taken to address it.

It’s also important to preserve forensic evidence, including all electronically stored information (ESI), devices and logs. Guidance from a digital forensic expert early in the investigation would be well worth the cost.