First, to mitigate zero-days, you must have systems and people in place that can quickly locate zero-day exploits and patch them as soon as found. However, zero-day exploits are the most challenging digital attack to prevent and fix; once they’re discovered, it takes highly skilled IT professionals to promptly understand the problem and its impacts on the organizational infrastructure. Once the discovery has been made, you’ll need to mobilize a team to get it done promptly.
Mobilizing a team should have an Incident Response Plan. An incident response plan is a set of instructions to help IT staff detect, respond to, and recover from network security incidents. This staff would be your ‘tip of the spear’ on a zero-day attack. Developing a plan would address what to do during a zero-day attack, cybercrime, data loss, and service outages that threaten daily work.
What if you are compromised by a Zero Day?
The organization’s bottom line will be a financial hit (marginally). The organization will need to spend dollars and muster-up resources to remediate any issue(s). Another risk that is often looked over is the organIzation’s reputation capital. Most companies can weather attacks, fix system vulnerabilities; however, recovering from reputation capital loss takes months to years to rebuild.
A recent study, “Do Data Breaches Damage Reputation? Evidence from 45 Companies Between 2002 and 2018“, found that the economic impact isn’t all that bad. The study found that brand power and familiarity increased by 12-16% following a data breach. On a sample of 16 of the largest and most salient data breaches, brand power and familiarity decreased by 5-9% following a data breach. After reading the study, we can say security vulnerabilities and breaches can cause significant damage to an organization; however, the study shows that organization end-users/customers are not affected or phased by these issues. An analogy to this customer human behavior; if you were walking in a forest and you heard screaming, your first instance would be alarmed, concerned, and frightened; then the screaming stopped. You then move on about your business. Someone would rarely head towards the screaming or do anything about it. In the research study, the question was raised; Does the lack of any negative effect on real economic outcomes imply that consumers are inattentive or myopic about data privacy [Kvochko and Pant, 2015], or do data breaches coincide with other time-varying organizational efforts?
A zero-day that turns into a compromised system albeit not good for the organization; however, the effect on an organization’s bottom line isn’t felt in most cases. We can expect that hacking attacks will happen, vulnerabilities will be found in software or malicious code implanted on machines. The answer is how well the organization manages these issues and quickly remediates them.