Responding to a cyber-attack in less than 1 hour

Readiness Assessment is a proactive Incident Response task that allows you to respond to a cyber-attack in minutes and minimize its impact

49 million dollars. That’s how much Clorox, a global cleaning products company, had to spend to respond to a cyber-attack that paralyzed its operations, impeding its ability to manufacture and distribute its products. In addition to the financial losses, the magnitude of the incident and the problems in restoring the company to normality are also evident. The attack occurred in August 2023, and in February 2024, work is still being carried out to repair the damage caused.

This case shows that every minute of a security incident is critical and that, therefore, if a company can respond to a cyber-attack in less than 1 hour, it is more likely that the attack’s impact will be reduced and will not impact business continuity. This not only generates economic losses but also reputational losses, as the cleaning products company itself acknowledges.

What can companies and public institutions do to prevent the effects of cyber-attacks from spreading over time and jeopardizing the critical functions of organizations? Have a proactive Incident Response service in place, emphasizing pre-incident preparedness to respond to a cyber-attack in less than 1 hour effectively.

One of the essential tasks of a proactive Incident Response service plays a critical role in this mission: the Readiness Assessment. This activity, which should be carried out regularly, allows cybersecurity professionals to verify that the Incident Response team can act immediately to combat a cyber-attack, contain it, eliminate the presence of malicious actors and help organizations get back to normal.

1. Why is responding to a cyber-attack in less than 1 hour essential?

36 million books and 170 million historical documents became unavailable at a stroke. In October 2023, the British Library, the library with the most extensive catalog in the world, suffered a ransomware attack by the criminal group Rhysida. The criminals managed to hijack not only the institution’s digital catalog but also the personal data of its staff and users.

Almost four months later, the library is far from being back to normal. For now, you can only consult the catalog of works at the main branch and ask the staff to find the book or document you want. One of the world’s most essential and modern libraries has gone back several decades.

The cost of restoring it to normality is unknown, but media outlets such as the Financial Times put the figure at around £7 million. However, this does not consider the enormous financial losses for authors who will no longer be paid to consult their books and for researchers worldwide who have seen their work and research paralyzed by the impossibility of accessing the documents they need.

What would have happened if the British Library’s defensive mechanisms and equipment had detected the attack early and activated an effective response in less than an hour? We will never know, but presumably, the incident would have been less devastating.

1.1. Containing its impact and reducing its duration

There are two critical aspects to assessing the criticality of a security incident: what company assets are affected and how long it takes to repel the malicious actors and restore the organization to normal operations.

The impact of the attacks against Clorox and the British Library was devastating because the first incident brought the company’s production and distribution to a standstill. At the same time, the second made it impossible to access the library’s catalog of books and documents. Moreover, in both cases, the recovery from the attack and the mitigation of all the damage caused has not yet been fully completed. The duration of both incidents is several months.

Responding to an attack in less than 1 hour is critical to identify the extent of the compromise as soon as possible, to know in real time what privileges the malicious actor has achieved, and to establish the potential risks for the company’s assets. A customized Incident Response can then be orchestrated to prevent the attack from spreading across the technology infrastructure, and the hostile actor can be removed in an agile, effective, and secure manner.

1.2. Safeguarding business continuity

Business continuity is critical for companies in the event of a security incident. If a cyber-attack succeeds in undermining business as usual or even paralyzing it completely, the impact will be much more severe in economic and reputational terms.

If an organization takes too long to respond to an incident, the likelihood of business continuity being threatened increases. On the other hand, if it can respond to a cyber-attack in less than 1 hour, the possibility of the incident paralyzing day-to-day processes and activities is reduced.

Business continuity is vital for all kinds of organizations. In some sectors as critical as healthcare, energy, or banking, a cyber-attack that paralyzes an organization can be devastating and even affect people’s health and well-being.

This is evident in the case of hospitals, which have become a priority target for malicious actors and cannot function if they have to shut down their systems or are unable to access their patient’s medical information, as was the case in the now-famous attack against the Clínic, the largest hospital in Barcelona.

Just this February, a children’s hospital in Chicago, which cares for 200,000 children a year, suffered a security incident that took all its systems offline. What were the consequences? All medical appointments were halted, scheduled surgeries were delayed or canceled, and a forced return to the analog world: using pen and paper to write diagnoses and prescriptions.

1.3. Minimising the impact on third parties

If business continuity is critical, the consequences of a cyber-attack on a company’s customers, employees, suppliers or partners are not far behind.

Today, one of the main targets of many criminal groups, especially those using ransomware and other malware, is to gain access to confidential company data and information, from customers’ and employees’ personal and financial data to business secrets or intellectual property.

Why is responding to a cyber-attack in less than 1 hour critical? It is the best way to limit criminals’ access to a company’s data, minimizing the documents and data obtained and hijacked during an attack as much as possible.

Stolen information is used by criminals to extort companies, but also their customers and suppliers, by demanding a ransom payment to prevent personal and financial information from being exfiltrated on the Dark Web, as happened to patients of the Fred Hutchinson Cancer Center, an institution specialized in the fight against cancer.

In addition, this data can be traded to allow other malicious actors to carry out identity theft and commit financial fraud, for example, by obtaining bank credit.

Besides, a severe security incident leading to business paralysis directly impacts your customers, patients (in the case of the health sector), or students (in the case of education), preventing them from accessing the products and services they need.

1.4. Preventing significant financial losses

In September 2023, a multinational developer of industrial control systems (ICS) and security equipment, Johnson Controls suffered a ransomware attack. The costs associated with the incident have now been revealed: $27 million. However, the company has acknowledged that the costs will increase when it completes its assessment of what data the criminals may have accessed.

This million-dollar figure pales compared to estimates made by MGM Resorts, a company with multiple casinos, hotels and resorts worldwide, which also suffered a cyberattack in 2023. The multinational company estimates that the total cost of the incident will be around $100 million after its casinos in Las Vegas were affected by the attack, paralyzing the operation of numerous gambling machines. In addition, thousands of customers’ personal and financial data were stolen.

The Dutch telecommunications company Veon estimates that the cyber-attack on its Ukrainian subsidiary Kyivstar costed it 100 million euros this time. The incident caused 26 million customers to be without phone connectivity and mobile data for two days. This was a significant business continuity crisis associated with the company’s reputation deterioration. To stem the damage, Kyivstar offered its customers one month free of charge for the inconvenience caused.

How can the costs associated with a security incident be limited? Having a service that can respond to a cyber-attack in less than 1 hour and start working comprehensively to contain its spread ensures business continuity and restores normality without affecting operations and customers.

1.5. Protecting business reputation

Why do we know that Clorox and Johnson Controls have had to bear $76 million in costs after incidents and MGM Resorts estimated losses of $100 million? They have had to report this to the US securities regulator, the Securities and Exchange Commission (SEC). In addition, there are the incident communication and final incident reporting obligations imposed by regulations such as the NIS2 directive in the European Union.

What does this mean? Companies cannot ignore the attacks they suffer. Mainly in cases where business continuity is undermined, or data leaks of customers, employees, suppliers, or partners occur.

Responding to a cyber-attack in less than 1 hour and managing to minimize its impact is essential to reduce the effects of the incident on a company’s reputation.

The accounts made by Clorox and Johnson Controls do not consider the economic losses associated with reputational damage.

Security incidents end when the malicious actors are removed for good, and all company assets are restored to regular and secure operation. However, their consequences on a company’s reputation are prolonged over time, generating doubts among investors, business partners and customers.

2. Readiness Assessment. Soldiers ready to act in real-time

Are all Incident Response services capable of responding to a cyber-attack in less than 1 hour? No. If reactive Incident Response is chosen, execution times are longer. Proactive Incident Response, on the other hand, can implement measures immediately and respond in real-time from the very first moment. This is mainly because several tasks are performed before an attack occurs.

One of these tasks is the Readiness Assessment, a comprehensive analysis of a company’s information sources, security tools, digital assets, human resources, access and data likely to be used during effective incident response.

Thanks to all the information collected and updated regularly, professionals can respond to a cyber-attack in less than 1 hour and limit its impact on a company.

2.1. What are the objectives of the Readiness Assessment?

• To build an effective network of contacts so that all Incident Response actions can be streamlined and coordinated in minutes. In a more prosaic way, the Readiness Assessment is used to know who to talk to to make progress in the response or report on the work being carried out.
• Having all the necessary access to sources of information and the tools needed to consult indicators and evidence to analyze the incident. With these accesses alone, responding to a cyber-attack in less than 1 hour is impossible.
• Know precisely and in-depth the company’s information sources, applications, services, and data. In such a way as to start from a solid base that makes it possible to respond to a cyber-attack in less than 1 hour effectively. In other words, determining the best measures to contain the attack and shortening waiting times. This comprehensive knowledge of the company must be continuously updated.
• Permanently update information, contacts and access.
• Know precisely what the data processing requirements are and the limitations related to them.
• Detect gaps and opportunities for improvement to optimize Incident Response.
• Test the use of new tools to manage a security incident. In this way, the company’s tools can be complemented, and the capacity to respond to a cyber-attack in less than 1 hour, efficiently and securely, can be improved.

3. Proactive Incident Response Service: Being ready for battle

The threat landscape facing businesses, public administrations and citizens is becoming increasingly complex and dangerous. Businesses and households are becoming more exposed daily, and the number of cyber-attacks continues to grow.

This is why companies and institutions no longer have to ask themselves whether they can suffer an attack but whether they are prepared to respond to a cyber-attack in less than 1 hour and prevent its impact from affecting their operations, financial accounts, and reputation.

The magnitudes of economic losses we have seen throughout this article allow us to put a value on the cost/benefit ratio of having a proactive Incident Response service. Why? If you do not have a team of professionals ready to respond to a cyber-attack in less than 1 hour, the ability of criminals to escalate, persist and fulfill all their criminal objectives increases. And with it, the economic and reputational costs to the attacked company.

Is proactive Incident Response limited to conducting a Readiness Assessment? No, although it is a crucial task, it is not the only activity that cyber security specialists carry out to ensure that companies can successfully deal with a cyber attack.

What are all the tasks involved, and what are the benefits of over-reactive incident management?

3.1. 10 benefits of a proactive incident response service

1. Having a specialized Incident Response team with extensive knowledge of the company, its assets, and its people.
2. Conduct ongoing Readiness Assessments to streamline the deployment of the Incident Response team as much as possible.
3. Conduct regular Compromise Assessments to identify malicious activities not detected by the defense mechanisms.
4. Design and implement incident drills to optimize response actions.
5. Conduct threat analysis to identify hostile actors that could attack the company or public administration and make a prevention plan to anticipate their actions.
6. A comprehensive Incident Response Plan allows the organization to act in real time.
7. Respond to a cyber-attack in less than 1 hour because the necessary information and access are already available.
8. Identify the scope of the compromise in the shortest possible time.
9. Orchestrate tailored responses to drive out the malicious actor and securely restore normality.
10. Have a comprehensive analysis of the incident to identify the weaknesses exploited, have all the information on the malicious actors, and optimize the functioning of security controls to prevent a similar incident from occurring again.

3.2. Every second counts

Responding to a cyber-attack in less than 1 hour is a critical issue for companies. In the course of a security incident, every minute counts. Therefore, the professionals in charge of managing the response must have extensive knowledge of the organization and access to all sources of information and tools. In this way, they will be able to:

• Identify the scope of the compromise.
• Contain the attack.
• Eradicate the threat, limiting its spread through the technological infrastructure.
• Remove the malicious actors.
• Ensure business continuity.
• Restore normality with efficiency and agility.