The calm before the storm: A cyber incident that doesn't start with an outage is all the more dangerous

Imagine a normal working day. The company is dealing with business results, people and their performance, everyday operational topics and problems. Management has a head full of priorities, the market is nervous, the outside world is uncertain. It is at such moments that a company tends to be more vulnerable than it admits. Not because it has failed in some way, but because its attention is elsewhere. This is when cyber threats tend to be most dangerous. Attackers probe to see what gets through. They map the environment, test weak points and look for a way in through suppliers, partners or ordinary users. Most attempts fail. But those that succeed often go unnoticed for a long time. And that is the most treacherous thing about them. 

Often, a cyber incident does not start with an alarm, a dramatic collapse, or a message that "it crashed" or "something is happening". It often starts completely inconspicuously: 
  • Someone logs in with someone else's credentials. 
  • A suspicious connection looks legitimate. 
  • The systems work. People work. The business continues. 
  • Nothing is visible from the outside. 

But at that moment, it is quite possible that a stranger is watching how the company works. And it is precisely such a "calm before the storm" that tends to be the most dangerous. The attacker is not yet fully attacking. They are learning. They find out which systems are crucial, where the sensitive data is, who has higher privileges and what would hurt the company the most. When the problem finally manifests itself in full — with outages, blocked systems, data loss, or paralyzed services — it is usually too late to react calmly. At that point, the attacker often knows the environment better than the organization understands what is happening to it. 

Many companies say: we have invested in security, we have excellent tools, a great team of IT security officers, we are sufficiently protected. All of this is of course important. But the real question is not just whether our infrastructure is well secured. 

Something else is crucial: will we know in time that something unusual is happening? And can we react before a security problem becomes a business, operational and reputational problem? 

The boundary between a manageable incident and a full-blown corporate crisis is often determined by only two factors: the speed of detection and an appropriate, predefined response. If an attack goes undetected or is not adequately addressed, even simple phishing can become an incident with a significant impact on the entire company. 

As soon as key systems are affected, the impact immediately spreads to the functioning of the entire company. Production slows down. The store gets stuck. Transactions fail. Customers notice service limitations. The pressure on communication, reputation and management decision-making increases. What a moment ago looked like a technical incident turns into a test of the company's overall resilience. 

And the situation today is complicated by one more thing: companies no longer operate by themselves and "on their own". They are connected to clouds, third-party providers, third-party software, service partners, and digitally connected supply chains. Each such connection increases efficiency. At the same time, however, it expands the space through which a problem can get inside. Therefore, attackers are increasingly looking not for the weakest point within the company itself, but for the weakest link in its wider ecosystem. The entry point may not be your organization, but someone who is connected to it. 

Therefore, the debate in the leadership should shift. Less about what we "have in place" and more about what we really understand, have verified and have under control today. 

 And the following essential questions lead to this: 
  • How quickly would we notice that something was happening? 
  • Which blackout would paralyze us the most? 
  • Where are we vulnerable right now? 
  • How dependent are we on partners who can be a weaker link than ourselves? 
And these are not technical issues. These are managerial questions. They relate to business continuity, risk management and leadership quality. 

 In a world where external uncertainty is growing and cyber threats are growing with it, it is not enough to feel that "we have it well set up". True resilience is not based on self-confidence. It is based on a clear overview, a realistic view of one's own vulnerability and the ability to recognize a problem before it grows into a crisis. 

 And perhaps the most important question for every owner or management member is ultimately very simple: If a cyberattack began quietly and inconspicuously in our company today, would we notice it in time?  

What can you do to be able to answer this question with a confident yes? 

 

Ten Commandments of Resilience to a "Silent" Cyber Incident 

1. Reduce the time it takes to detect the problem to a minimum 
  • In a cyberattack, it is often not only about whether it occurs, but mainly about how quickly the company notices it. The sooner you detect suspicious activity, the less damage there is. 
  • Therefore, it is important to have continuous supervision of the corporate environment, i.e. to monitor what is happening in the network, on computers, servers and in the cloud. 

2. Have an incident response plan ready and rehearsed 
  • When a security incident occurs, the biggest problem is chaos: who has what to do, who decides what and who communicates with whom. 
  • Therefore, every company should have an Incident Response Plan (IRP) ready. It should clearly say: 
    • who is responsible for what, 
    • to whom the problem is reported, 
    • who decides on the next steps, 
    • how the company will communicate internally and externally. 
  • However, it is important not only to have a plan, but also to test it regularly. 
  • Without practice, even a good plan may not work in a moment of crisis. 

3. Determine what is really key for the company 
  • Not everything has the same value for the company. Some systems, data or processes are essential for its functioning, others less so. Therefore, the company should know what its real priorities are — that is, what it must protect in the first place. 
  • These are the so-called "crown jewels" of the company: for example, key customer data, accounting systems, production technologies, business applications or important internal know-how. 
  • A business impact analysis can help. It helps to determine: 
    • what would hurt the company the most in the event of an outage, 
    • what would stop operations, 
    • what would have the greatest financial or reputational impact. 
  • This makes it easier to decide where to concentrate protection, monitoring and the ability to quickly recover. 

4. Manage access so that no one has more permissions than they really need 
  • A large proportion of incidents involve someone gaining access to places they should not normally be able to reach. Therefore, it is crucial to manage user accounts and permissions well. 
  • This means regularly checking: 
    • who has access to what, 
    • whether people have unnecessarily broad permissions, 
    • whether sensitive powers are concentrated in the hands of one person. 
  • For privileged accounts, i.e. accounts with higher privileges, dedicated management and control of privileged access helps. 
  • Simply put: the fewer and better-managed the access rights, the less room there is for abuse. 
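The three checks listed above can be automated as a periodic access review. The script below is an added example, not code from the article; the role names, permission names, departments and the "toxic" permission pairs are constructed assumptions, and the user inventory is constructed sample data. It answers "who has access to what", flags administrative permissions held outside the IT department, flags accounts that concentrate powers which should be separated (such as creating a vendor and approving payments to it), and flags stale accounts whose unused rights are pure risk.

```python
"""Access review over a constructed entitlement inventory (added example)."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed role model: role -> set of permissions it grants (assumed names).
ROLES = {
    "finance_clerk": {"invoice.read", "invoice.create"},
    "finance_approver": {"invoice.read", "payment.approve"},
    "vendor_admin": {"vendor.create", "vendor.read"},
    "backup_operator": {"backup.restore", "server.read"},
    "domain_admin": {"server.admin", "backup.restore", "user.admin", "gpo.edit"},
}

# Permissions that count as administrative, and the departments allowed to hold them.
ADMIN_PERMISSIONS = {"server.admin", "user.admin", "gpo.edit"}
ADMIN_DEPARTMENTS = {"it"}

# Pairs of powers that should never sit with one person (segregation of duties).
TOXIC_COMBINATIONS = [
    ({"vendor.create", "payment.approve"}, "can create a vendor and approve payments to it"),
    ({"user.admin", "backup.restore"}, "can create accounts and overwrite backups"),
]

# Constructed user inventory: roles, last successful login, department.
USERS = {
    "alice": {"roles": ["finance_clerk"], "last_login": date(2024, 5, 2), "dept": "finance"},
    "bob": {"roles": ["finance_approver", "vendor_admin"], "last_login": date(2024, 5, 3), "dept": "finance"},
    "carol": {"roles": ["domain_admin"], "last_login": date(2024, 5, 1), "dept": "it"},
    "dave": {"roles": ["domain_admin"], "last_login": date(2023, 9, 14), "dept": "marketing"},
    "svc_backup": {"roles": ["backup_operator"], "last_login": date(2024, 4, 30), "dept": "it"},
}


def permissions_of(record):
    """Effective permissions of one user: the union of all their roles."""
    perms = set()
    for role in record["roles"]:
        perms |= ROLES[role]
    return perms


def access_matrix(users=USERS):
    """Who has access to what: permission -> sorted list of users holding it."""
    holders = defaultdict(list)
    for name, record in users.items():
        for perm in permissions_of(record):
            holders[perm].append(name)
    return {perm: sorted(names) for perm, names in holders.items()}


def review_access(users=USERS, review_date=date(2024, 5, 6), stale_after=timedelta(days=90)):
    """Return findings as (user, code, detail) tuples for the three review questions."""
    findings = []
    for name, record in users.items():
        perms = permissions_of(record)
        # Unnecessarily broad: admin-level permissions outside the admin departments.
        admin_held = perms & ADMIN_PERMISSIONS
        if admin_held and record["dept"] not in ADMIN_DEPARTMENTS:
            findings.append((name, "BROAD",
                             f"admin permissions {sorted(admin_held)} in department {record['dept']}"))
        # Concentration of sensitive powers in one person.
        for combo, why in TOXIC_COMBINATIONS:
            if combo <= perms:
                findings.append((name, "CONCENTRATION", why))
        # Stale accounts keep permissions nobody uses but an attacker could.
        if review_date - record["last_login"] > stale_after:
            findings.append((name, "STALE", f"last login {record['last_login'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for perm, names in sorted(access_matrix().items()):
        print(f"{perm:18} {', '.join(names)}")
    for user, code, detail in review_access():
        print(f"[{code}] {user}: {detail}")
```

In a real environment the inventory would be exported from the identity provider or directory rather than typed in, but the review logic stays the same: findings of type CONCENTRATION and BROAD are decisions for the business owner of the system, and STALE findings are the cheapest risk reduction available, since disabling an unused account costs nothing.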

5. Don't automatically trust anyone, check everything on an ongoing basis 
  • In the past, companies often followed the principle that what is "inside" is trustworthy. This is no longer the case today. An attacker can get in through a stolen password, compromised device, or an external vendor. 
  • That is why the Zero Trust approach, i.e. "never automatically trust, always verify", is increasingly being applied. 
  • In practice, this means in particular: 
    • use multi-factor authentication, such as a combination of password and mobile confirmation, 
    • specifically protect remote access and higher-privileged accounts, 
    • continuously verify not only users, but also the devices from which they log in. 
  • The goal is that the password alone is not enough for someone to get access to sensitive systems. 

6. Test real resilience, not just documentation 
  • Having guidelines and rules is important. However, this in itself does not say whether the company will stand up to a real attack. Only practice will tell. 
  • Therefore, it makes sense to carry out: 
    • penetration tests – professionally conducted testing of whether and how systems can be penetrated, 
    • Red Teaming – simulation of a real attack, which verifies not only technical security, but also the readiness of people and processes, 
    • simulated phishing campaigns – tests of how employees react to fraudulent emails. 
  • It is important that the result is not just a report in a drawer, but a specific list of measures: what to fix, what to change and what to monitor further. 

7. If you monitor yourself, monitor your suppliers too 
  • Many companies invest in their own security, but forget that their partners, suppliers or external service providers may be a weak point. 
  • Therefore, it is also necessary to manage the risks of so-called third parties, i.e. all entities that have access to your systems, data or operations. 
  • This includes: 
    • vetting suppliers before starting cooperation, 
    • clear security requirements in contracts, 
    • continuous assessment of their security posture, 
    • an overview of who has access to what. 
  • A company should know not only who it trusts, but also why and under what conditions. 

8. Have backups that can really be restored 
  • Backups are one of the last safeguards when there is an outage, attack, or loss of data. But a backup is only valuable if it can be restored quickly and reliably. 
  • A good practice is the 3-2-1 rule: have at least 3 copies of data, on 2 different types of media and 1 copy separately, ideally outside the main environment of the company. 
  • The rule of thumb is: a backup you have never tested is not a guarantee. If the company does not try the recovery in practice, it cannot rely on everything working at the critical moment. 
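Both points of this commandment can be checked rather than assumed. The script below is an added example, not code from the article: it evaluates a constructed backup inventory against the 3-2-1 rule and against a maximum age of the last restore test, and it runs an actual restore test on constructed sample files (back up into an archive, restore into a separate directory, compare SHA-256 hashes of every file). The inventory entries, copy names, file contents and the 90-day test interval are assumptions for illustration.

```python
"""3-2-1 inventory check plus a real restore-and-verify test (added example)."""
import hashlib
import tarfile
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Constructed inventory of backup copies (names, media and dates are assumptions).
BACKUP_COPIES = [
    {"name": "primary-nas", "media": "disk", "offsite": False, "last_restore_test": date(2024, 4, 20)},
    {"name": "tape-vault", "media": "tape", "offsite": True, "last_restore_test": None},
    {"name": "cloud-bucket", "media": "object-storage", "offsite": True, "last_restore_test": date(2023, 11, 2)},
]


def check_3_2_1(copies, today, max_test_age=timedelta(days=90)):
    """Evaluate copies against 3-2-1 and flag copies without a recent restore test."""
    media_types = {c["media"] for c in copies}
    offsite = [c for c in copies if c["offsite"]]
    untested = [c["name"] for c in copies
                if c["last_restore_test"] is None or today - c["last_restore_test"] > max_test_age]
    return {
        "copies": len(copies),
        "media_types": len(media_types),
        "offsite_copies": len(offsite),
        "compliant_3_2_1": len(copies) >= 3 and len(media_types) >= 2 and len(offsite) >= 1,
        "untested": untested,
        "restore_tested": not untested,
    }


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_hashes(src_dir):
    """Relative path -> SHA-256 of every file under src_dir (the 'expected' state)."""
    return {p.relative_to(src_dir).as_posix(): sha256_of_bytes(p.read_bytes())
            for p in sorted(src_dir.rglob("*")) if p.is_file()}


def make_backup(src_dir, archive):
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src_dir).as_posix())


def restore_and_verify(archive, expected, restore_dir):
    """Restore every file from the archive and compare it to the expected hashes.

    Files are written one by one from extractfile() instead of extractall(), so an
    archive entry with an absolute or '..' path can never escape restore_dir."""
    problems, restored = [], {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                problems.append(f"unsafe path in archive: {member.name}")
                continue
            data = tar.extractfile(member).read()
            target = Path(restore_dir) / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            restored[member.name] = sha256_of_bytes(data)
    for name, digest in expected.items():
        if name not in restored:
            problems.append(f"missing after restore: {name}")
        elif restored[name] != digest:
            problems.append(f"content mismatch: {name}")
    return (not problems, problems)


def run_restore_test(simulate_drift=False):
    """End-to-end restore test on constructed files; returns (ok, problems).

    With simulate_drift=True the live data changes after the backup was taken,
    which the verification must report as a mismatch (the backup is stale)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "customers.csv").write_bytes(b"id,name\n1,Example s.r.o.\n")  # constructed
        (live / "config.ini").write_bytes(b"[app]\nmode=prod\n")                      # constructed
        archive = tmp / "backup.tar.gz"
        make_backup(live, archive)
        if simulate_drift:
            (live / "db" / "customers.csv").write_bytes(b"id,name\n1,Example s.r.o.\n2,Other a.s.\n")
        expected = snapshot_hashes(live)
        return restore_and_verify(archive, expected, tmp / "restore")


if __name__ == "__main__":
    print(check_3_2_1(BACKUP_COPIES, today=date(2024, 5, 6)))
    print(run_restore_test())
    print(run_restore_test(simulate_drift=True))
```

The inventory above passes 3-2-1 on paper (three copies, three media types, two offsite) yet fails the test that matters, because two of the three copies have never been restored within the interval; the restore test itself is what turns "we have backups" into "we can recover".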

9. Stay on top of what's happening across your environment 
  • A "silent" incident is often revealed only by small signals. For example, by an unusual login, unexpected data transfer or a change in the behavior of the system. In order for a company to notice them, it must know about them at all. 
  • Therefore, it is necessary to collect and evaluate logs, i.e. technical records of what is happening in the systems. Ideally centralised, from multiple locations at once: 
    • from servers, 
    • from workstations, 
    • from cloud services, 
    • from network elements. 
  • These records need not only to be kept for a sufficient period of time, but also to be analyzed continuously. It is in them that the first inconspicuous signs of compromise often appear, i.e. signs that someone has entered the environment.
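The "small signals" this commandment describes, and the detection time that commandment 1 asks to minimise, can be illustrated on centralised logs. The script below is an added example, not code from the article: it parses a handful of constructed log lines from several sources (server authentication, cloud audit, proxy, server audit) in an assumed key=value format, flags a login from a location not in the user's baseline, a login outside business hours, an unusually large outbound transfer, and a newly installed service, and then correlates the signals per account. The baseline values, hosts, users and thresholds are constructed assumptions.

```python
"""Weak-signal detection over constructed centralised logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines; the key=value layout is an assumption, not a real product format.
LOG_LINES = """\
2024-05-06T08:02:11 src=server-auth event=login user=alice host=fs01 ip=10.0.4.21 geo=CZ result=ok
2024-05-06T08:15:40 src=cloud-audit event=login user=bob host=m365 ip=10.0.4.33 geo=CZ result=ok
2024-05-06T09:01:05 src=proxy event=egress user=alice host=ws-alice dst=cdn.example.net bytes=1200000
2024-05-06T23:41:09 src=server-auth event=login user=alice host=fs01 ip=203.0.113.7 geo=BR result=ok
2024-05-06T23:44:52 src=proxy event=egress user=alice host=fs01 dst=files.example.org bytes=7800000000
2024-05-06T23:46:13 src=server-audit event=service_installed user=alice host=fs01 service=remote-helper
2024-05-07T08:05:30 src=cloud-audit event=login user=bob host=m365 ip=10.0.4.33 geo=CZ result=ok
""".strip().splitlines()

# Constructed baseline: where each user normally logs in from, business hours, egress limit.
BASELINE = {
    "known_geo": {"alice": {"CZ"}, "bob": {"CZ"}},
    "business_hours": (7, 19),          # 07:00 to 19:00, local time
    "egress_limit_bytes": 1_000_000_000,  # anything above 1 GB per transfer is worth a look
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    record = dict(KV_RE.findall(rest))
    record["ts"] = datetime.fromisoformat(ts)
    return record


def detect_signals(lines, baseline=BASELINE):
    """Return (timestamp, user, kind, detail) for every weak signal, in time order."""
    start, end = baseline["business_hours"]
    signals = []
    for line in lines:
        r = parse_line(line)
        user = r.get("user", "?")
        if r["event"] == "login" and r.get("result") == "ok":
            if r.get("geo") not in baseline["known_geo"].get(user, set()):
                signals.append((r["ts"], user, "NEW_GEO", f"login from {r['geo']} via {r['ip']}"))
            if not start <= r["ts"].hour < end:
                signals.append((r["ts"], user, "OFF_HOURS_LOGIN", f"login at {r['ts'].time()} on {r['host']}"))
        elif r["event"] == "egress":
            size = int(r["bytes"])
            if size > baseline["egress_limit_bytes"]:
                signals.append((r["ts"], user, "LARGE_EGRESS", f"{size / 1e9:.1f} GB to {r['dst']} from {r['host']}"))
        elif r["event"] == "service_installed":
            signals.append((r["ts"], user, "BEHAVIOUR_CHANGE", f"new service {r['service']} on {r['host']}"))
    return sorted(signals)


def correlate_by_user(signals):
    """Group signals per account: several different weak signals from one account in a
    short window are a far stronger indicator than any one of them alone."""
    by_user = defaultdict(list)
    for s in signals:
        by_user[s[1]].append(s)
    summary = {}
    for user, items in by_user.items():
        first, last = items[0][0], items[-1][0]
        summary[user] = {
            "signals": len(items),
            "distinct_kinds": len({s[2] for s in items}),
            "first_seen": first,
            "window_minutes": (last - first).total_seconds() / 60,
        }
    return summary


if __name__ == "__main__":
    found = detect_signals(LOG_LINES)
    for ts, user, kind, detail in found:
        print(f"{ts.isoformat()} {user:6} {kind:16} {detail}")
    print(correlate_by_user(found))
```

Each single signal here has an innocent explanation (a trip abroad, a late shift, a large upload), which is exactly why such events are ignored when logs are not collected centrally and evaluated continuously; seen together from the server log, the proxy and the audit trail within five minutes, they are the first inconspicuous sign of compromise that the text describes, and the "first_seen" timestamp is where the detection-time clock of commandment 1 starts.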

10. Make cybersecurity a topic for business management 
  • Today, cybersecurity is not just a technical discipline for IT departments. It has a direct impact on operations, finances, reputation and the company's ability to operate in a crisis. Therefore, it must be part of the governance of the company and of the work of its management. 
  • Management should receive regular information in a language they understand — not just technical details, but above all answers to questions: 
    • what is the risk, 
    • what the impact would be, 
    • how likely the problem is to occur, 
    • how well the company is prepared. 
  • Cybersecurity should thus be part of broader risk management, business continuity and corporate strategy. Not as an isolated IT topic, but as part of the overall resilience of the company.