Printed from BusinessInsurance.com

Cybersecurity frameworks can aid recovery from attacks

Posted On: Mar. 4, 2022 12:00 AM CST

There is no guarantee a company can withstand a determined nation state’s cyberattack, but good cyber hygiene will go a long way to offer basic protection and recovery, experts say.

Many suggest adopting the cybersecurity framework recommended by the Gaithersburg, Maryland-based National Institute of Standards and Technology.

The five pillars of the NIST program are: 

  • Identify risk.
  • Protect critical infrastructure services.
  • Detect a cybersecurity event.
  • Respond to an incident.
  • Recover from it.

Companies should look at the NIST framework to see how it fits with their business, said Eric Byres, founder and chief technology officer at aDolus Technology Inc., based in Victoria, British Columbia, a critical infrastructure cybersecurity company.

“You have to do basically a risk assessment,” said Joshua Larocca, New York-based senior managing director at Stroz Friedberg, an Aon PLC unit. “Build a program that’s designed to harden and protect your business,” he said. 

“Eventually, a determined attacker will find a way in,” said Josh Lospinoso, co-founder and CEO of Rosslyn, Virginia-based Shift5 Inc., a cybersecurity company that specializes in transportation. “They will find a weakness in the armor, and then your job is to identify that intrusion as quickly as possible and remediate it.”

Mr. Larocca said the No. 1 question he gets asked is how soon a business can be up and running after an attack. The answer will be influenced by the environment it operates in and decisions made leading up to the incident, he said. 

Cybersecurity plans should be regularly updated, said Michael Bahar, a partner with Eversheds Sutherland LLP in Washington.

“Even if you were really buttoned up and secure two years ago, it’s time to look at it again, because people figure a way in,” he said.