03 April 2025

What should a cybersecurity emergency kit for businesses contain?

The European Union has recommended that citizens prepare an emergency kit in case of a 72-hour supply disruption, which could be caused by a cyberattack on critical infrastructure, such as water or electricity.

At Thales S21sec, we advise companies to also take preventive measures against a possible cyberattack that could disrupt their business continuity. Planning ahead is the best option before, during and after an incident.

The cybersecurity advice for this emergency kit for businesses is valid in any context and situation, because a power outage, caused by an attack by criminal gangs, can cause major damage to any organisation that is not prepared with contingency or resilience plans.

Thales S21sec, one of Europe's leading cybersecurity services providers, acquired by the Thales Group in 2022, has published a cybersecurity emergency kit. Following the European Union's recommendation that citizens prepare an emergency kit in case of a possible 72-hour supply disruption, which could be caused by a cyberattack on critical infrastructure such as water or electricity, Thales S21sec advises businesses to take preventive measures against a possible cyberattack that could disrupt their business continuity.

"Planning ahead is the best option before, during and after an incident. Being prepared is the best defence," says David Conde, Head of DFIR & Threath Hunting at Thales S21sec. For this reason, the cybersecurity emergency kit for businesses places special emphasis on the importance of having a prevention and response in place in the event of a cyberattack, which is key to minimising the impact and restoring normality.

This kit brings together 10 essential elements that every company should have in place to respond effectively to a cybersecurity crisis.

1. Incident response plan: there should be a clear document detailing the procedures to follow in the event of a cyberattack, including identification, containment, eradication, recovery, roles, owners of key systems and responsibilities in the event of an attack.

2. Data backup: ensure that up-to-date copies of all critical data are stored in a secure, offline location or in the cloud, and can be restored quickly.

3. Internal and external communications: plan how to communicate with employees and external stakeholders during and after the incident. This includes having information ready for press releases in the event of an attack.

4. Detection and response tools: software that can identify and respond to threats in real time, such as intrusion detection systems (IDS). In industrial environments, it is also essential to maintain the integrity of safety systems so as not to affect the physical integrity of workers.

5. Containment and system shutdown protocols: a procedure for disconnecting compromised systems to prevent the spread of the attack, as well as protocols for secure remote access.

6. Authentication, authorisation and access: ensure that robust authentication mechanisms, such as two-factor authentication, and limited access to sensitive or critical information are in place. Add protection and closure of physical access to prevent unauthorised entry, theft of intellectual property and raw materials.

7. Education and training: have resources to train employees on how to recognise suspicious emails, malware and good cybersecurity practices.

8. Incident response team: have a team of IT and OT experts at your disposal who can intervene immediately if an attack occurs, as well as the ability to liaise with LEAs (law enforcement agencies, government entities, etc.).

9. Inventory of critical IT and OT resources: a detailed list of all technological assets, including hardware, software and data, to ensure that they are adequately protected and can be recovered.

10. Regular testing: conduct cyberattack simulations to assess the effectiveness of the response plan and make adjustments as necessary.

In 2024, geopolitical tensions increased significantly worldwide, turning the cybersecurity landscape into a battlefield of cyber threats tied to regional political struggles and power transitions. The Threat Landscape Report, presented by Thales S21sec to analyse cyber threats in the second half of 2024, highlights the 2024 Paris Olympics, where attackers targeted critical infrastructure such as the transport and telecommunications sectors, and the US presidential elections, which were crucial for global geopolitics.

The report highlights that cyber threats related to the war between Ukraine and Russia can be classified into two types: campaigns sponsored by the Russian state, mainly targeting Ukraine and its allies, often to disrupt critical infrastructure; and hacktivist operations, which typically carry out distributed denial-of-service (DDoS) attacks and data leaks, targeting NATO members to create a sense of insecurity and fear.