We clarify the distinct but coordinated roles of Incident Response (IR) Plans, Disaster Recovery (DR) Plans, and Business Continuity (BC) Plans, which together form a resilient defense system against modern disruptions. This episode details the foundational controls essential for organizational readiness, emphasizing cyber hygiene basics like Multi-Factor Authentication (MFA), timely patching, and establishing isolated data backups. Drawing on NIST and CISA guidance, we break down how effective planning and regular exercises transform chaos into a structured, continuous improvement cycle for security.
https://irmaturityassessment.com/
Sponsor:
http://www.cisomarketplace.com
0:00
Cybersecurity preparedness. It's really
0:02
not just an IT task anymore, is it?
0:04
Something you hand off and just hope
0:05
works out.
0:06
No, not at all. It's fundamentally
0:08
shifted. It's now an operational
0:09
survival strategy,
0:11
right,
0:11
for the whole organization,
0:12
right? And today we're doing a deep dive
0:14
into some really critical guidance on
0:16
this. We're pulling from CISA, that's
0:19
the Cybersecurity and Infrastructure
0:21
Security Agency, and also from experts
0:23
advising, interestingly, the judicial
0:25
system,
0:26
all focused on one core idea. How do
0:29
leaders, you, whether you're running a
0:31
small shop or a huge company, actually
0:33
build genuine cyber readiness?
0:36
Exactly. And our mission today is well
0:39
to take those CISA Cyber Essentials, which
0:41
can be a bit dense and those detailed
0:43
incident response frameworks.
0:45
Yeah, they can be a lot.
0:46
They can. Boil them down. We want to
0:47
focus specifically on the non-technical
0:49
foundations leaders must lay down
0:51
because the sources are crystal clear.
0:54
surviving modern attacks, things like
0:56
ransomware or massive DoS events,
0:59
the really nasty stuff.
1:00
The really nasty stuff. It isn't just
1:02
about having the fanciest firewall. It's
1:04
about culture. It's about planning.
1:07
Cyber risk isn't isolated anymore. It's
1:08
a holistic threat.
1:10
It's everything. Operations, reputation,
1:12
customer trust,
1:13
your bottom line, even your
1:15
organization's basic survival. It's that
1:17
serious now. And look, as we talk about
1:20
the investments needed for this, the
1:22
planning, the tools, we really want to
1:24
thank our sponsor. When leaders like you
1:26
need to invest in the right cyber
1:28
security capabilities, the place to find
1:30
those specific tools and services is
1:32
www.cisomarketplace.com.
1:35
A great resource for exactly these kinds
1:37
of challenges.
1:38
Let's unpack this then. If we accept
1:40
that readiness starts at the top, that
1:42
it's cultural, what's the absolute first
1:45
step, the maybe hardest thing a leader
1:47
needs to do?
1:48
It really starts and honestly it ends
1:50
with a leader, with you. Your main job
1:53
here is driving the strategy, getting
1:55
the budget, and then rigorously
1:58
enforcing that culture of security.
1:59
And you don't need to be a tech wizard
2:00
to do this.
2:01
Absolutely not. Being a cyber leader
2:03
isn't about coding or network diagrams.
2:06
It's about having the political
2:09
will really to drive change to make sure
2:12
everyone is aware across every single
2:14
department.
2:15
So leading the investment not just in
2:17
shiny new tech but
2:19
but crucially in continuous training
2:22
awareness programs for every single
2:24
person on the payroll. That human
2:26
element is key.
2:28
That brings us right to the staff,
2:29
doesn't it? The sources we looked at
2:31
consistently point to the users, the
2:33
people actually clicking things as well
2:35
often the first line of defense,
2:37
sometimes the weakest link.
2:38
Precisely. You can have the best tech
2:40
stack in the world, but one wrong click
2:42
on a malicious link
2:43
and you're compromised.
2:44
So, the training needs to be different.
2:46
Exactly. It needs to shift from just,
2:48
you know, informing people to actively
2:49
changing their behavior. It can't just
2:51
be that once a year PowerPoint
2:52
clickthrough anymore,
2:53
right? Like cyber hygiene.
2:55
That's a perfect analogy. Like
2:56
handwashing. Yeah. You're not just
2:58
teaching what phishing is. You're
2:59
building a habit of vigilance, of
3:01
skepticism,
3:02
and reinforcing it constantly. Testing,
3:04
policy, adherence, the whole package.
3:06
Okay. Culture and people are
3:08
foundational. Let's shift to some
3:10
concrete actions. What are those
3:12
immediate high priority technical things
3:15
leaders can mandate maybe without
3:18
needing a giant consulting project?
3:20
Yeah, there are some basics outlined by
3:22
CISA that are just essential. We can group
3:23
them into three steps around inventory
3:25
and access. First, learn what is on your
3:28
network.
3:29
Simple, but crucial.
3:30
It sounds simple, but it's often
3:32
overlooked. You absolutely cannot
3:34
protect what you don't even know you
3:35
have. This means keeping up-to-date
3:38
inventories, hardware, software, all of
3:41
it.
3:41
Especially with shadow IT and cloud
3:43
services all over the place now.
3:44
Exactly. You need to know what's in
3:47
play, as they say, and therefore what's
3:49
actually at risk. What's your attack
3:50
surface?
3:51
Okay. Know your battlefield. That's step
3:52
one. What about the people on that
3:53
battlefield? Step two. Step two, learn
3:56
who is on your network. Inventory all
3:58
connections, not just employees, but
4:00
vendors, partners, remote workers,
4:03
everyone. And then this is probably the
4:04
single biggest technical impact a leader
4:07
can mandate: implement multi-factor
4:09
authentication.
4:09
Yeah. MFA
4:10
for everyone. You start immediately with
4:13
the privileged accounts, admins,
4:15
remote access users because they hold
4:17
the keys. Yeah.
4:18
But ultimately, everyone needs it. No
4:20
MFA, it's like leaving the front door
4:21
wide open. Seriously,
4:22
MFA is huge. foundational, but I imagine
4:26
rolling that out across a big complex
4:29
organization that's a major lift
4:31
culturally and logistically. What's the
4:33
push back?
4:34
Oh, absolutely. It's inertia. It's
4:36
perceived inconvenience. It takes too
4:37
long. It's annoying. But you have to
4:39
weigh that against a catastrophic
4:40
ransomware attack.
4:42
No comparison, right?
4:43
None. Leaders have to frame MFA not as
4:45
optional, not as a suggestion, but as a
4:48
core operational requirement tied to
4:50
policy. If you can't log in securely, you
4:52
can't access the systems. Period.
4:54
Tough but necessary. Okay. And step
4:56
three, you mentioned access control.
4:58
Yes. Strict access control. This is
5:00
often called the principle of least
5:01
privilege. It's vital.
5:02
Explain that simply.
5:04
Think about keys to your house. You give
5:05
the house cleaner a key to the front
5:07
door. Maybe you don't give them the key
5:09
to your safe,
5:10
right? Makes sense.
5:12
Same idea. You restrict access and admin
5:14
permissions based purely on what someone
5:16
needs to do their job. Need to know. If
5:19
the marketing team doesn't need to
5:21
change firewall rules, they don't get
5:23
permissions for that. It minimizes the
5:25
blast radius if an account does get
5:27
compromised.
5:28
Okay, this is where it gets well really
5:30
interesting and frankly a bit
5:31
terrifying. If we operate on the
5:33
assumption that a breach, especially
5:36
sophisticated one, might be inevitable,
5:38
which is a safe assumption these days,
5:40
right? Attackers only need to succeed
5:42
once. So, what's the absolute linchpin
5:45
for survival? The most critical asset.
5:47
It's got to be the data, right? And
5:49
getting it back.
5:49
It is absolutely the data, your IP, your
5:52
customer data, your financial records,
5:53
your operational plans. That's the
5:56
lifeblood. Recovery has to start there.
5:58
So, how do we ensure data survival
6:00
according to these frameworks?
6:02
Two core elements come through loud and
6:03
clear. First, you must inventory
6:06
information assets. This goes beyond
6:08
just knowing your hardware. You need to
6:09
know what sensitive critical data you
6:11
actually have, where it lives, where it
6:12
moves, is it on prem, in the cloud,
6:15
both.
6:15
Know what you have, where it is. Got it.
6:18
And the second piece, the what if it all
6:20
goes wrong plan,
6:22
that's multi-level redundancy with
6:23
backups. The CISA guides, the judicial
6:26
advice, they're all unequivocal on this.
6:28
Even the best defenses can be breached.
6:30
Your entire contingency, your ability to
6:33
not pay a ransom hinges on recovering
6:35
systems and data from known accurate
6:38
backups.
6:39
If you can't restore, you're basically
6:41
stuck. You pay or you potentially fold.
6:44
That's the stark reality.
6:45
And the sources were really specific
6:47
here. Just having a backup isn't the end
6:49
of the story anymore. They talked about
6:50
advanced security for the backups
6:52
themselves.
6:52
That's right. It's not enough to just
6:54
run a backup job. You need regular
6:55
automated backups. Sure, redundancy. But
6:57
the critical piece, especially against
6:59
ransomware, protecting the backups
7:01
themselves.
7:02
Ah,
7:03
encryption is table stakes. Physical
7:05
security for any tapes or drives.
7:07
Yeah.
7:08
And the absolute non-negotiable
7:10
offline copies, what we often call
7:13
air-gapped storage.
7:14
Okay. Explain air-gapped for a leader who
7:16
isn't deep in IT. Why is that separate
7:19
isolated copy so vital?
7:21
Think of it as your fireproof vault,
7:23
completely disconnected from the main
7:24
building. Sophisticated attackers know
7:27
about backups. They actively target
7:30
them. They'll try to encrypt or delete
7:32
your online backups right after they hit
7:34
your main systems.
7:35
So they cut off your escape route.
7:37
Precisely. An air-gapped backup, one
7:39
that's physically disconnected or
7:41
logically isolated with network controls
7:44
so stringent it might as well be, is the
7:46
only way to guarantee they can't touch
7:47
it. When your network is burning down,
7:49
if that backup is safe in its vault, you
7:52
still have a path to recovery.
7:54
That's a powerful image. The sources
7:56
also mention long-term retention.
7:58
Keeping backups for months. Why so long?
8:01
It's because of dwell time. The
8:03
detection gap. Attackers can be inside
8:04
your network for weeks, months,
8:07
sometimes over a year before they
8:08
actually pull the trigger on the
8:09
ransomware or start stealing data.
8:11
Wow, that long.
8:12
Oh yes. So if your backup cycle is only
8:15
say 30 days, you might just be backing
8:18
up systems that are already compromised.
8:21
You need retention going back several
8:23
months ideally. So you can restore to a
8:25
point in time before the initial
8:26
intrusion happened, a clean state.
8:29
Okay, so that's the preparation side.
8:31
Now let's shift gears. What happens when
8:33
the alarm bells do go off? Active crisis
8:35
response,
8:36
right? The moment of truth.
8:37
The sources give us a really clear
8:39
framework for this. Sometimes called the
8:41
ABCs of cyber security incident
8:43
response. It stands for assess, block,
8:46
collect, and disseminate.
8:47
ABCs. Okay, sounds manageable. When
8:50
that first alert hits, what's the focus
8:52
under assess, and block?
8:53
First up is assess. You need visibility.
8:56
Use your logging and monitoring tools,
8:58
hopefully automated, to figure out the
8:59
scope. How bad is it? What's affected?
9:01
And the logs themselves are critical
9:03
here.
9:04
Absolutely critical. Think of them like
9:05
an airplane's black box. But crucially,
9:08
those logs must be stored securely,
9:10
tamper-resistant, and ideally isolated
9:12
from your main production network.
9:14
Why isolate?
9:15
Because attackers know logs track their
9:17
movements. A primary goal for them is
9:19
often to delete or alter those logs to
9:21
cover their tracks. If your logs are on
9:23
the same compromised network, they're
9:24
gone. Secure off-network storage is key
9:27
for forensics.
9:28
Makes total sense. Secure the evidence.
9:30
Then fast reaction block. Containment.
9:33
Containment is everything in those first
9:35
minutes and hours. Limit the damage. If
9:37
you suspect ransomware, the guidance is
9:39
often stark. Disconnect the affected
9:41
machine. Pull the network cable. Isolate
9:44
that segment of the network immediately.
9:47
Don't wait. Just cut it off.
9:48
Don't wait. You have to stop the
9:49
bleeding. Prevent data exfiltration.
9:51
Stop the spread across other systems.
9:53
Fast recognition. Rapid isolation. That
9:56
could be the difference between losing
9:57
one machine and losing the entire
9:58
company.
9:59
Okay. Contained. Now what? Collect. This
10:02
sounds like forensics. What does a
10:04
leader need to understand about
10:05
collecting evidence?
10:06
It means preserving the digital evidence
10:08
in a way that's legally sound. Think
10:11
chain of custody. Making sure data isn't
10:13
altered. You need to understand what
10:15
happened, the type of attack, where it
10:17
came from, how long it lasted, which
10:19
systems were hit. This isn't just for
10:21
fixing things. It's crucial for legal
10:24
action, insurance claims, understanding
10:26
your vulnerabilities, you're building
10:28
the case essentially.
10:30
And there's a legal dimension here, too.
10:32
The sources specifically warned against
10:34
what was it? Hacking back.
10:36
Yes, absolutely. Critical point. Under
10:38
US law, you must never hack back.
10:40
Even if you think you know who attacked
10:42
you, trying to access their systems,
10:44
even to retrieve data or retaliate, is
10:46
illegal. It constitutes unauthorized
10:48
access. You have to rely on law
10:50
enforcement. Period.
10:51
Good warning. Okay, the final step.
10:53
Disseminate. Communication.
10:55
This often seems like where companies
10:57
stumble publicly. Why is speed and
10:59
transparency so important even if you
11:01
don't have all the answers yet?
11:02
Because trust evaporates quickly,
11:04
especially now. Rumors fly, social media
11:07
lights up. You lose control of the
11:08
narrative almost instantly if you stay
11:10
silent.
11:10
So, get out ahead of it.
11:12
Get out ahead of it early. Proactive
11:14
communication is vital. Acknowledge the
11:16
incident. State what you know honestly,
11:18
even if it's incomplete. Explain what
11:20
you're doing about it. Provide a
11:21
timeline for updates. Having a single
11:24
authorized spokesperson is key. It
11:26
prevents mixed messages and helps
11:28
preserve that public trust. And frankly,
11:31
trust is often harder to rebuild than
11:33
your servers. And it's not just about
11:35
PR. There are serious legal teeth here.
11:38
Absolutely. Many places have laws with
11:40
strict timelines for notifying people if
11:42
their data might have been compromised.
11:44
Failure to safeguard data, failure to
11:46
notify promptly, that brings statutory
11:48
penalties.
11:49
We saw that emphasized in the materials
11:51
related to court systems. They have very
11:52
specific federal and state breach
11:54
notification rules. These aren't
11:56
suggestions. They're legal
11:58
requirements with potentially hefty
11:59
fines for delays. We're talking hours
12:01
sometimes, not days or weeks.
12:03
Okay, this is complex stuff.
12:04
Implementing robust MFA, designing those
12:07
secure air-gapped backups, getting the
12:10
logging right. If you're leading this
12:12
strategy and need to find the right
12:14
technology partners or specific services
12:16
to make these CISA essentials a reality,
12:19
that's where our sponsor comes in. Check
12:20
out the resources at
12:22
www.cisomarketplace.com.
12:25
Exactly the place to find those
12:27
solutions. All right, let's talk about
12:28
the final piece of the puzzle. Testing,
12:30
training, and exercise.
12:32
Tiny.
12:33
Ah, yes. The drills. Sometimes feels
12:36
like homework. Maybe
12:37
leaders might see it as a cost. Yeah.
12:39
But the source materials treat it as
12:41
absolutely essential. Like insurance you
12:43
hope you never use, but you must have.
12:46
An incident response plan sitting in a
12:48
binder is useless. It needs to be muscle
12:50
memory.
12:51
And the NIST materials we looked at broke
12:52
down the types of exercises nicely. Good
12:55
for leaders figuring out where to start.
12:57
First, the tabletop exercise,
12:59
right? Tabletops are discussion based.
13:01
You get the key people in a room. Could
13:02
be two hours, could be a full day with a
13:04
scenario. Maybe it's that phishing attack
13:06
that turns into ransomware.
13:07
And you just talk it through. You talk
13:08
it through. What's your role? What does
13:11
the plan say you do? What communication
13:13
happens? Who calls who? It's very
13:15
cost-effective for just validating the
13:17
plan itself.
13:19
Does it make sense? Do people know their
13:21
part?
13:21
Okay, that tests the plan on paper. What
13:23
about testing the actual execution, the
13:26
tech, the people under pressure? That's
13:28
the functional exercise, right?
13:29
Exactly. Functional exercises are
13:31
hands-on. You actually simulate the
13:33
incident. Maybe you do take a system
13:35
offline. You make people use the backup
13:38
communication channel so they perform
13:39
their actual response duties in a
13:41
simulated environment.
13:42
Sounds more involved.
13:43
It is. It can last hours or even days,
13:46
but it provides that invaluable hands-on
13:49
practice. Can we actually restore from
13:51
backup? How long does it really take? Do
13:53
the emergency procedures work?
13:54
And the big benefit here, maybe beyond
13:56
just the practice, is that these
13:58
exercises give you hard data, proof
14:00
points for investment.
14:01
Absolutely. They expose the gaps in a
14:03
way nothing else can. If your tabletop
14:06
says backups are secure, but the
14:08
functional exercise shows it takes three
14:09
days to restore critical systems. Well,
14:11
that justifies the budget request for a
14:13
better backup solution.
14:14
Or if staff can't find the paper forms
14:16
when the network is down.
14:17
Exactly. It highlights training needs,
14:20
process flaws for those critical
14:23
functions like court arraignments or
14:25
protective orders mentioned in the
14:26
judicial guidance. Exercises prove you
14:29
can maintain operations even if the
14:31
digital systems fail. Yeah,
14:32
that's real operational continuity.
14:35
So, wrapping it up for the leader
14:36
listening, what's the bottom line? Cyber
14:38
readiness needs tech investment, sure,
14:40
but it seems like the real core is
14:42
strategic leadership, driving that
14:44
culture change, demanding proactive
14:47
planning, and then testing it all
14:49
relentlessly.
14:50
That's it in a nutshell.
14:51
We've covered a lot today, really
14:52
digging into building cyber resilience,
14:54
focusing hard on what leaders need to
14:56
own. The key takeaways for you seem
14:58
pretty clear. You have to drive the
15:00
investment both financial and cultural.
15:02
You absolutely must prioritize robust,
15:04
secure, offline, air-gapped backups.
15:07
That's your ultimate safety net. And you
15:09
have to test your plans regularly.
15:11
Simulate the crisis before it happens.
15:13
And remember, the threats aren't going
15:14
away. They just evolve. Whether it's
15:17
simple attacks hitting unpatched systems
15:19
or those really targeted spear phishing
15:21
campaigns CISA warned about, proactive,
15:24
tested planning is genuinely the
15:26
cornerstone of resilience. It's what
15:27
lets you survive.
15:28
And one last reminder for leaders
15:30
looking for the specific tools, the
15:32
partners, the services to build this
15:34
readiness from MFA to backups to
15:37
logging. Find solutions and providers at
15:39
our sponsor www.cisomarketplace.com.
15:43
Okay, final thought to leave you with
15:45
something provocative.
15:47
The data suggests the average time an
15:49
attacker stays hidden inside a network
15:51
before being detected is around 181
15:54
days.
15:54
6 months.
15:55
6 months. And then the average time to
15:57
actually contain and clean up the mess
15:59
is another 60 days.
16:00
Two more months,
16:01
right? So ask yourself this. If you
16:03
found out today that you were
16:04
compromised 6 months ago, how would your
16:07
organization actually function if you
16:08
lost all your main digital systems for
16:10
the next two months? That massive gap,
16:13
the hidden compromise plus the lengthy
16:15
cleanup,
16:16
that's where all this preparedness truly
16:18
proves its worth. That's the gap you're
16:20
trying to survive.
#Business Operations
#Computer Security
#Network Security