The digital age is old enough that everyone understands the inherent risks of doing business online. More to the point, they understand that doing business today — regardless of how “online” an organization may be — exposes firms to cyber risks that few understand and even fewer know how to defend against.
The good news is that mounting an effective cyber defense doesn’t require an advanced degree in computer science. It’s 80 percent common sense, with a few dashes of expertise thrown in for good measure.
The bad news is that there’s no such thing as a completely effective cyber defense. If a sophisticated cyber actor wants to gain access to your firm’s data or disrupt its operations, it can probably do so. Sometimes, it’s not even clear what happened, as with the intrusion that impacted Asiaciti Trust and other international fiduciaries in 2021 — an intrusion that left no conclusive evidence of system compromise.
No matter what form the cyber event that affects your organization takes, you need to be able to spot the early warning signs. This is your best chance at containing the damage to your business, your reputation, and your stakeholders.
Here are five hints that your firm could be in the midst of an intrusion.
1. Unexpected Changes to Your Firm’s Data
Monitor your databases for unexpected changes to sensitive data — and not-so-sensitive data, for that matter, since attackers might not know at first what’s really important.
Look for changes to specific filenames and folders as well as wholesale changes to the structure of your databases. Anytime you see something that doesn’t look right, confirm with the database manager that the changes were authorized; if they’re not aware of the issue, that’s a clear red flag.
2. Suspicious Patterns of Access and Activity
Such patterns could include bursts of activity at suspicious times, such as the wee hours of the morning in your home country. They could include “activities above permission level” — that is, administrative actions performed by users who aren’t cleared to perform them. They could even include activity by formerly inactive accounts, which could be suggestive of a broader system compromise.
Detecting these sorts of activities requires a lot of monitoring and analysis. In addition to tracking logins and DNS queries, you may want to retain an outside cyber security consultant to help you make sense of subtler patterns.
3. Signs That Your Defenses Are Being Probed
Look for signs that outsiders are looking to exploit vulnerabilities in your defenses. Telltale signs of such probing include port scans that look for gaps in your firewall, frequent login attempts (both by legitimate and inactive accounts), and breaches of your employees’ personal email or social media accounts.
Correct any vulnerabilities you can, but be aware that by the time you become aware of them, an intrusion may already be in progress. It’s worth noting that neither Home Depot nor Target, two U.S. retail firms that sustained digital intrusions in the mid-2010s, knew what was happening until it was too late.
4. Nonpublic Information Appearing Elsewhere Online
This is almost certainly a sign of an intrusion in progress — or one that’s already complete. It takes time for nonpublic information, such as customer data, to appear in the sketchier corners of the Internet; once you find it, there’s no time to waste in identifying the source.
You can take this step even if the vector isn’t clear — and even if it’s not yet clear that an intrusion occurred. The data release that affected Asiaciti Trust and its competitors was not preceded by a known intrusion, but the precise means by which the data came to be released isn’t really important — what mattered to Asiaciti Trust and its stakeholders was mounting a forceful response to what quickly became a public relations crisis.
5. Poor System Performance
One of the clearest signs that a data intrusion is in progress is a sudden negative change in system performance or capacity. This is a hallmark of spyware and grayware as well as more obviously harmful viruses and worms. And don’t rely on your anti-malware software to sniff out the cause of the slowdown — novel malware often slips past such defenses.
Pretending Won’t Make It Go Away
Every leader hopes that they won’t fall victim to a cyber intrusion or disruption. This is understandable; as long as contingency plans exist, it’s perfectly fine to hope they never need to be put into practice.
It’s when hope becomes a substitute for doing that things get dangerous. Call it what you will: burying your head in the sand, whistling past the graveyard, rearranging the deck chairs. It’s a risky proposition, one that could come back to hurt your organization and those who depend on it.
No one wants that. So, hope all you want that you’ll never need to worry about a significant cyber