Best practices for cyber recovery and resilience
Bank failures are back in the news, reigniting security concerns and conversations about risk management. We live in a digital economy, with assets measured in both dollars and data. When a bank fails in the US, depositors have up to $250,000 of coverage per bank from the FDIC, and since 1934 no depositor has lost insured funds due to a bank failure. A cyberattack is different: there are no such guarantees for your data, and without the proper plans in place, it is simply gone.
According to CPO Magazine, 65% of board members globally feel their organization is at risk of a material cyberattack in the next year. Yet only 47% feel they are prepared to deal with the fallout. Cyberattacks are increasing in volume and variety, including the damage and destruction of data, stolen money, lost productivity, theft of intellectual property, encryption of your servers and associated data, and even more sophisticated methods of disrupting the normal course of business. The results can be devastating. Analysts estimate the global cost of cybercrime will surge in the next five years, rising from $8.44 trillion in 2022 to an unimaginable $23.84 trillion by 2027. Combined with significant reputational harm and loss of consumer confidence, one cyberattack can tank an entire company almost overnight.
Get to Work Planning How to Get Back to Work
Creating a proactive cyber recovery plan exponentially speeds up your recovery time, mitigates downtime, reduces the financial exposure of a cyberattack, and allows you to get back to work for your customers. Every CIO and CISO has one thing in common: a desire for control—control over their network, control over their data, and control over how to recover when their organization is attacked. (And make no mistake, the organization will be attacked. Almost 240 million ransomware attacks occurred globally in the first half of 2022 alone.)
So what can organizations do? It starts with creating a cyber security plan that takes a two-pronged approach, focusing on both cyber resilience and cyber recovery.
What is Cyber Resilience and Why is it Different than Recovery?
Many organizations make the common mistake of not putting equal focus on recovery and resilience. No one will argue that data recovery is critical after an attack occurs, since the organization must get up and running as soon as it is safe to do so. But much of the work of establishing ongoing cyber resilience takes place well before the attack. Cyber resilience is about putting in place the tools, processes and policies that keep attacks from penetrating your infrastructure. A cyber resilience strategy must be revisited regularly and supplemented by continuous learning.
One reason cyberattacks have gotten so prevalent and damaging is that bad actors are consistently probing for weaknesses and adapting their tactics. CIOs and CISOs need to take the same approach with their own operations. When exploring a cyber resilience plan, ask yourself the following:
- Do we have the right protection? External consultants can help organizations evaluate their current cyber resilience posture. Does the organization have the right tools? Does it have too many overlapping tools? Are there gaps in the security environment? The organization needs a modern approach to cyber resilience that is manageable and extensible as attacks change.
- Do we have sufficient internal knowledge and training to keep pace with industry change? Does the organization have the right team in place for the long term? This is where reskilling and upskilling play an important role in managing future threats, especially during the increased competition for cyber talent across every industry.
When building a recovery plan, ask the following questions:
- Is my data available for recovery after an attack? When an attack occurs, especially a ransomware attack, the bad actors attempt to corrupt your backup data. Therefore, backups need to be stored on immutable storage, preferably in an environment that is isolated from production both physically and by a network air gap.
- How do I know it is safe to resume operations? Not only do you have to recover a version of the data and applications that is not corrupted, but you must also ensure that the malware is not present in the backup version used for recovery. If malware is still present in the recovered images, it must be identified and remediated before operations resume.
- Do we have the proper external support in place to respond to an attack? This is a question for management and executive leadership, not just IT. It is important to recognize that issues like finding and onboarding a forensics team, an insurance company, legal support, a communications agency, or a negotiating firm all take time. Time is not something an organization has during an attack. It is best to have the relationships established well in advance.
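The two recovery questions above (is the backup intact, and is it free of malware) can be turned into a concrete check that runs before anyone restores. The following is an added example, not code from the article or any vendor it mentions: it hashes every file in a backup set, seals the listing with an HMAC whose key is assumed to live only in the isolated vault (so a compromised production host cannot forge a matching manifest), and refuses to mark a backup restorable if any file is missing, modified, unexpected, or matches a denylist of known-bad digests. The backup contents, the key, and the denylist entry are all constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample backup set (path -> contents), standing in for backup
# images on disk. Nothing here is real data from any organization.
BACKUP_SET = {
    "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);",
    "app/config.yaml": b"db_host: db.internal\nlog_level: info\n",
    "app/service.bin": b"\x7fELF constructed placeholder binary",
}

# Hypothetical manifest key. The assumption is that it is held only in the
# isolated vault, never on production, so an attacker who owns production
# cannot re-hash tampered files and produce a manifest that verifies.
MANIFEST_KEY = b"vault-only-manifest-key-(constructed)"


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a malware-indicator feed: a set of SHA-256 digests
# of artifacts that must never be restored. The sample bytes are made up.
_FLAGGED_SAMPLE = b"constructed known-bad sample bytes"
KNOWN_BAD_DIGESTS = {sha256(_FLAGGED_SAMPLE)}


def build_manifest(files: dict, key: bytes) -> dict:
    """Hash every file and seal the listing with an HMAC. This is the record
    that would be written to immutable storage alongside the backup."""
    entries = {path: sha256(data) for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_backup(files: dict, manifest: dict, key: bytes, bad_digests: set) -> dict:
    """Check a backup set against its sealed manifest and a denylist.
    Returns a report; 'safe_to_restore' is True only when no problem is found."""
    problems = []

    # 1. Was the manifest itself altered or forged without the vault key?
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        problems.append("manifest tampered: HMAC mismatch")

    # 2. Is every recorded file present and byte-for-byte unchanged?
    for path, expected in sorted(manifest["entries"].items()):
        if path not in files:
            problems.append(f"missing: {path}")
        elif sha256(files[path]) != expected:
            problems.append(f"modified: {path}")

    # 3. Did anything appear that the manifest never recorded, and does any
    #    file match a known-bad digest (malware riding inside the backup)?
    for path, data in sorted(files.items()):
        if path not in manifest["entries"]:
            problems.append(f"unexpected extra file: {path}")
        if sha256(data) in bad_digests:
            problems.append(f"known-bad artifact: {path}")

    return {"safe_to_restore": not problems, "problems": problems}


def demo_clean() -> dict:
    """Untouched backup verified against a manifest sealed with the vault key."""
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    return verify_backup(BACKUP_SET, manifest, MANIFEST_KEY, KNOWN_BAD_DIGESTS)


def _tampered_set() -> dict:
    """Constructed post-incident copy: one file overwritten, one flagged file added."""
    tampered = dict(BACKUP_SET)
    tampered["db/customers.sql"] = b"constructed overwritten contents"
    tampered["app/unknown.bin"] = _FLAGGED_SAMPLE
    return tampered


def demo_tampered() -> dict:
    """Tampered copy checked against the original sealed manifest."""
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    return verify_backup(_tampered_set(), manifest, MANIFEST_KEY, KNOWN_BAD_DIGESTS)


def demo_forged_manifest() -> dict:
    """Tampered copy with a manifest rebuilt over it using a guessed key:
    the hashes all match, but the HMAC and the denylist still catch it."""
    forged = build_manifest(_tampered_set(), b"guessed-key-(constructed)")
    return verify_backup(_tampered_set(), forged, MANIFEST_KEY, KNOWN_BAD_DIGESTS)


if __name__ == "__main__":
    for name, report in [("clean", demo_clean()), ("tampered", demo_tampered()),
                         ("forged manifest", demo_forged_manifest())]:
        print(name, report)
```

The forged-manifest case is the one the air gap is for: if the sealing key sat on the production network, an attacker who encrypted the files could simply regenerate the manifest and the hash check would pass. Keeping the key and the manifest in the isolated environment is what makes the integrity check meaningful, and the denylist pass is a placeholder for whatever malware scanning the recovery team runs on restored images before they are declared clean.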
Why Cloud is Critical for Cyber Recovery
As IT teams consider their compute and data strategy, the choice often comes down to hosting on-premises (“on-prem”), via a cloud infrastructure, or a combination of both (“hybrid-cloud architecture”). Both on-prem and the cloud have advantages—cloud vendors offer scalability, pay-as-you-go pricing, and access to advanced technologies, whereas on-prem generally provides more cost predictability and visibility. By far, the biggest movement has been toward the cloud. As of 2022, 60% of all corporate data is stored in the cloud, versus 30% in 2015.
But here’s the issue—cloud vendors are not responsible for protecting your data, and they usually even say so right in their online agreements. While many cloud vendors have some robust security measures in place, security is a shared responsibility between the customer and the cloud provider. Organizations must invest as much in protecting their cloud environment as they do their on-prem environment. A recent Censys study found more than 1.93 million exposed databases on cloud servers alone.
Performing “CRR” for Risk Management
Developing a proactive plan for cyberattacks is a daunting task and can quickly overwhelm companies with limited resources. The next time you’re in a cyber planning meeting, write these three letters on the board: “C.R.R.” Then create two columns, one for cyber resilience and one for cyber recovery. Focusing your team on how an effective cyberattack strategy involves both, separately and in tandem, will ensure you are able to bring your operations back to life when, not if, the worst happens.