Cybersecurity recovery is a process that starts long before a cyberattack occurs
While most organizations have insurance in case of cyberattacks, the premium they pay depends on how the business identifies, detects and responds to these attacks – and on how quickly they recover.
Organizations that can prove their resiliency and compliance with NIS guidelines – showing that they will be able to recover quickly in the event of an attack – could reduce their risks and their insurance premiums. A great cybersecurity recovery program can save businesses from long-term damage and save them money.
An ever-evolving threat
Organizations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money in identifying and detecting attacks, in preventing attacks in the first place, and in responding to live attacks. But they are not spending the same amounts on attack recovery. They may have followed all the relevant guidelines, and even implemented the ISO 27000 standard, but none of that helps them to understand how to build the business back after a serious cyberattack.
Until recent years, this cybersecurity recovery investment would be spent on an annual tabletop exercise or disaster recovery test, and on auditing recovery plans. While this should still be done, it isn’t enough on its own.
Cybersecurity insurance is also critical, of course, but it only covers some of the losses. It won’t cover future losses. The reality is that most organizations find it very difficult to fully recover from an attack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.
The four core components of an effective cybersecurity recovery program
1. Pre-emptive action
A good cybersecurity recovery plan is one which is never needed.
Recovery begins before disaster strikes, in the pre-disruption phase. The organization’s security operations center should have the ability to detect any infiltration quickly and activate the disaster recovery process (which involves the major incident management team) before the impact of the attack is felt.
2. Responsibilities and accountability
People need to know their role in the event of a cybersecurity incident and how they should respond to the event.
That means giving them instant access to all the data they need to make quick decisions and to communicate effectively with the rest of the business. (These areas are often overlooked when conducting annual disaster recovery tests – the pressure on time and communication just isn’t there, and participants know the exercise is done for auditing purposes.)
Few organizations really work on analyzing and improving how people perform their roles and communicate their challenges in these situations, but these are crucial areas to get right.
3. Having the right IT architecture, security and recovery process in place
Organizations with the right IT architecture, recovery time objectives (RTOs), recovery point objectives (RPOs), and security policies are at a considerable advantage when it comes to the recovery process. Of course, systems and processes only work if they’re implemented correctly and address the needs of the business.
A well-defined, properly implemented and orchestrated architecture with secure backup can save millions in terms of data loss and ransomware costs.
4. Learning lessons and implementing changes
After any cybersecurity incident, organizations need to analyze what they’ve learned from the experience. This is a process that must be done openly, honestly, and without blame.
How did the business perform? Did everyone have what they needed to perform their roles? Did they communicate effectively? How did the systems and processes in place perform? Hold a full review to understand what worked, and what needs to change.
Once these factors are understood, and any weak spots identified, the organization can focus on re-designing or updating architecture and procedures, and on retraining employees (something that should happen regularly).
Recovery is a process that starts long before a cyberattack occurs. It concludes not when the data is secured, but when the organization can say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.