66 percent of organizations would not recover from a cyberattack if it occurred today. Is your organization prepared? Here’s what every CIO and CISO needs to know to start or improve their cybersecurity recovery plan.
Disaster recovery plans (DRP) have always been the cornerstone of business continuity. When it comes to protecting your critical assets and avoiding downtime, cybersecurity is an often-overlooked piece of the puzzle—but a critical step in the risk management process. No federal policies, standards or guidelines focus specifically on recovering from a cybersecurity incident. It’s up to you to develop, test, and improve your cybersecurity recovery plan for 2018. Use our expertise to help you along the way.
Disaster Recovery is not the same as Cybersecurity Recovery
It’s a common misconception that disaster recovery and cybersecurity recovery are one in the same. Although they are similar and have some overlap, disaster recovery’s primary objective is to provide business continuity after disruption from man-made or natural causes. Security recovery, on the other hand, protects data assets after a data breach.
“The nature of the threats within security recovery plans are more dynamic than within disaster recovery… for example, recent ransomware attacks, such as WannaCry, are incredibly destructive and require security recovery plans to examine how to effectively respond to new threats and risks,” says Mark Testoni, president and CEO of SAP National Security Services. Most security experts recommend different plans with complementary policies and procedures.
Figure 1: Differences in disaster recovery plan versus security recovery plan (Source: CSOonline.com)
At the end of the day, both plans are part of a larger security objective to ensure the confidentiality, integrity, and availability of your company’s systems and data assets. Disaster recovery directly ties into availability objectives for information security. However, most organizations don’t have a true understanding of which elements impact availability.
For instance, most DRPs start with a secondary location for running data replication between their primary site and secondary DR site. Consider that a cyberattack may corrupt data, in which case the DR implementation will not protect the information, as the corrupted data would be replicated to both locations. To avoid this, you should use layered defense tools, and build relevant controls for your risk management process.
Cybersecurity Recovery Objectives
Additional goals for your cybersecurity recovery efforts may include, restoring information systems using alternate methods, performing standard operating procedures in alternate ways, recovering information systems in backup locations, and implementing contingency controls based on the business impact of the incident. When focusing on your cybersecurity response plan, you should follow these steps—and customize each part to your business.
- Implement Tools and Controls for Layered Protection
As mentioned before, you’ll also need advanced protection to ensure the success of both your disaster recovery and cybersecurity efforts, such as:
- Preventive elements such as firewall with content inspection and antivirus to block vulnerabilities, exploits and viruses in addition to the address and ports
- Strict control on changes and software uploads
- Strict access control and audits on activities to prevent compromised data or services
- Applicative firewalling, local anti-virus, and malware protection on business service compute and storage elements
- Timely patch management
- Integrity and availability monitoring to detect issues as early as possible
- Plan for the Recovery Phase
According to TechRepublic, one billion accounts and records were compromised worldwide in 2016. That’s approximately 3x per person in the U.S. in one year.
While it is preferable to avoid a cyberattack in the first place, the National Institute of Standards and Technology notes that over-reliance on prevention is just as bad as not being prepared. Some cyberattacks simply cannot be stopped, so focusing solely on prevention is a flawed approach. Instead, plan for all possible cyber incidents, their containment and the recovery process. To determine priorities, perform a business impact analysis to evaluate potential effects—financial, legal, regulatory, etc.—of cyber events on your business. With these priorities in mind:
- Define incident management roles and responsibilities
- Develop a Cyber Incident Response Plan and larger Business Continuity Plan with a Crisis Management Strategy
- Make arrangements for communication channels in the event of downtime
- Identify alternate services and/or facilities for your data
- Create and solve “what-if” scenarios based on recent cyber events that have impacted similar organizations
- Identify and fix gaps in crisis planning before an incident occurs
- Consider additional ramifications of a breach including how personnel and stakeholders will be affected and the legal and financial implications of noncompliance
- Seek Constant Improvement
As you plan for the eventuality of a cyber event, realize the recovery planning process should be fluid. Your organization must update your cybersecurity recovery plan regularly based on up-to-date visibility on threats and risks landscape, best practices and lessons learned from response to breaches that have affected similar businesses. Consider creating a task force to periodically test and evaluate your recovery efforts—and overtime, you’ll uncover what works and what doesn’t. After a breach, gather your task force and address any vulnerabilities and issues with your plan for more favorable results in the future.
- Create and Track Recovery Metrics
Rather than simply guessing that the recovery process did or did not work well, use real data and specific metrics to support your position. These suggestions are a great jump-off point when starting from scratch:
- Patch Policy Compliance
- Mean-Time to Patch
- Vulnerability Scan Coverage
- Percent of Systems Without Known Severe Vulnerabilities
- Information Security Budget as % of IT Budget
- Mean-Time to Incident Discovery
- Incident Rate
- Percentage of Incidents Detected
- Mean-Time Between Security Incidents
- Mean-Time to Mitigate Vulnerabilities and Recovery
- Number of Known Vulnerability Instances
- Number of Applications and Percentage of Critical Applications
- Risk Assessment Coverage
- Security Testing Coverage
- Percent of Changes with Security Review
5. Document Everything
Procedures, roles and responsibilities, metrics tracking, and adjustments should be documented for improved response times and recovery. This includes:
- Develop diagrams of infrastructure and equipment
- Maintaining assets and systems inventory, including copies of support agreements with vendors and providers
- Application dependencies and prioritization (Prioritize restoring applications in order of most critical.)
- Regulatory compliance information—who, when, and how to contact regulatory bodies and stakeholders in the event of a breach
- Recovery team members and contact information for those employees
With adequate documentation and a comprehensive backup plan, you’re more likely to withstand a breach. Think of your cybersecurity recovery plan as a playbook that’s shared with your security, business continuity, and contingency planning teams.
Both disaster recovery and cybersecurity recovery planning are a necessity in today’s cyber risk culture. Data security has become more complex, requiring organizations to invest more resources in issue prevention and remediation.
Having an appropriate well-documented plan spread throughout your departments will maximize your chances of a swift recovery. Practice, training, and metrics will spur continuous improvement that will help your company mitigate risk, and thrive despite the growing cyberthreat environment.
Additional Resources on This Topic:
2017 Cybercrime Trends: Expect a Fresh Wave of Ransomware and IoT Hacks
10 Questions to Ask a Prospective Cyber Insurance Provider
Cybersecurity Standards and Guidelines—Are You Just Checking the Boxes?
This article was first published on OnRamp.
Nikola Todev has more than 18 years of experience leading infrastructure and security design, as well as operations for high performance financial and telco services. He is in charge of OnRamp’s information security strategy, practices, and implementation.