John Beattie, principal consultant at Sungard Availability Services, outlines the critical steps organisations must take to ensure data and operations are recoverable after a successful cyber-attack.
Cyber-attacks are depicted in popular culture with scenes of utter panic. There’s feverish typing, a series of hectic phone calls, and computer screens flashing or shutting off.
They are, in fact, a reality for many businesses in the UK. The scenes of utter panic may be exaggerated on screen, but the impact on real-life organisations is scary.
On the surface, post-breach customer protection, cyber security improvements, regulatory fines and PR costs for reputation restoration are all tangible, quantifiable and costly impacts of an attack.
However, there are many more intangible costs, including the value of lost potential contract revenue, the devaluation of reputation and the lost value of customer relationships, which are harder to quantify and can damage organisations for years after the event.
Cyber-attacks continue to dominate the headlines, so it was no surprise that a recent report from the Department for Digital, Culture, Media and Sport revealed that the number of active cyber security firms in the UK has increased 44 per cent since 2017, making the UK’s booming cyber security sector worth £8.3 billion.
In an ever-evolving world of threats, while preventative measures are essential, much more is needed to properly protect an organisation’s critical data from malicious activity.
For example, what happens once an attack has been successful? As was seen in the recent ransomware attacks on Travelex which forced staff to use pen and paper, it can take weeks to get business processes back up and running.
One of the most concerning outcomes of a cyber-attack is the compromise of data. Multinational manufacturers and U.S. city and county governments parted with more than $176 million responding to the biggest ransomware attacks of 2019, spending on everything from rebuilding networks and restoring from backups to paying the hacker’s ransom.
Top of the list was the attack on the Danish hearing aid manufacturer Demant which resulted in recovery and mitigation costs estimated between $80-95m.
Starting off on the right foot
A meaningful security posture starts with preventative security measures and a defence-in-depth data protection strategy: from leveraging server and desktop malware protections to teaching employees, contractors and vendors about the social engineering tactics and malicious phishing email campaigns that give attackers a route into an organisation’s data.
Having strict systems access protocols already in place to ensure only authorised personnel can access data is of utmost importance too, so that no single person or account has the ability to compromise both production and backup data.
However, even with the most robust protection capabilities, successful attacks on data are a reality.
Backups are an integral part of protecting production data. They focus on ensuring organisations are ready to recover the IT environment and data in case of a disaster recovery situation. They also enable the ability to recover a file if it is corrupted due to a hardware or software failure.
However, recovering data after a successful cyber-attack presents a much more complex challenge, so organisations need to enhance their data backup strategy, capabilities and plans to significantly improve their odds of responding effectively. Failure to do so jeopardises the likelihood of a successful and timely data recovery effort.
Not all data assets are vital to an organisation, nor can they all economically be given the same level of enhanced recovery risk mitigation. Identification of which data assets qualify for an extra duty of care should be based on organisationally defined criteria.
Organisations need to identify and justify their Vital Data Assets (VDAs) and, for each, define the relevant maximum loss and downtime requirements. These requirements can be used to determine a forward-looking VDA protection and recovery risk reduction strategy and the supporting technical architecture, much as recovery time objectives (RTOs) and recovery point objectives (RPOs) drive disaster recovery strategies and capabilities.
As with any Disaster Recovery program, a Cyber-Compromised Data Recovery program should be formally established and tested regularly to assure people, processes, and capabilities are well understood and will enable a successful recovery when needed.
Organisations should establish a discipline of frequent testing with varying scope and situational parameters that would include participation from various business disciplines and stakeholders.
A data-compromising cyber-attack can happen to any organisation, so it is imperative to establish plans and capabilities in advance that reduce data loss risk and enable timely recovery of the most current data possible.
In summary, organisations should take the following considerations into account when creating a Cyber-Compromised Data Recovery program:
- Data optimised for traditional disaster recovery and database restores is likely to be ineffective for cyber-compromised data recovery
- Off-network data retained for longer than an organisation’s minimally acceptable data loss window mitigates the risk that dormant viruses are present in every available backup
- Create a flexibly sized off-network safe room for analysing data before it gets restored back into a production environment
- Quarterly testing will help to assure plan, team and archive effectiveness
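To make the VDA, off-network retention and data-loss ideas above concrete, the following added example (not code from the author or from Sungard) models a recovery-point decision: it picks the newest off-network backup that predates the assumed malware dormancy window and checks the resulting data loss against each asset’s maximum loss requirement. All asset names, backup schedules, dates and the retention rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Backup:
    taken: datetime
    off_network: bool  # copy held outside the production network (air-gapped or immutable)

@dataclass(frozen=True)
class VitalDataAsset:
    name: str
    max_data_loss: timedelta  # maximum tolerable data loss, the RPO-like requirement
    max_downtime: timedelta   # maximum tolerable downtime, the RTO-like requirement

def select_restore_point(backups, detected, dormancy_window) -> Optional[Backup]:
    """Newest off-network backup taken before the attacker could have been present.
    On-network copies are excluded: the access that compromised production is
    assumed able to reach them too."""
    cutoff = detected - dormancy_window
    clean = [b for b in backups if b.off_network and b.taken <= cutoff]
    return max(clean, key=lambda b: b.taken) if clean else None

def assess(asset, backups, detected, dormancy_window) -> dict:
    """Report whether the asset can be restored within its maximum loss requirement."""
    rp = select_restore_point(backups, detected, dormancy_window)
    if rp is None:
        return {"asset": asset.name, "restorable": False}
    loss = detected - rp.taken  # everything written after the restore point is lost
    return {"asset": asset.name, "restorable": True, "restore_point": rp.taken,
            "data_loss": loss, "meets_loss_requirement": loss <= asset.max_data_loss}

def minimum_retention(dormancy_window, off_network_interval) -> timedelta:
    """Off-network retention needed so at least one copy always predates the window.
    Hypothetical rule for this example: dormancy window plus one vaulting interval."""
    return dormancy_window + off_network_interval

# Constructed sample: daily backups for 45 days, every seventh copy also vaulted off-network.
BASE = datetime(2024, 1, 1)
WEEK = timedelta(days=7)
BACKUPS = [Backup(BASE + timedelta(days=d), off_network=(d % 7 == 0)) for d in range(45)]
DETECTED = BASE + timedelta(days=45)   # day the compromise was detected
DORMANCY = timedelta(days=21)          # assumed dwell time before detection
ASSETS = [VitalDataAsset("customer-ledger", timedelta(days=28), timedelta(hours=48)),
          VitalDataAsset("order-queue", timedelta(days=14), timedelta(hours=8))]

if __name__ == "__main__":
    for asset in ASSETS:
        print(assess(asset, BACKUPS, DETECTED, DORMANCY))
    print("minimum off-network retention:", minimum_retention(DORMANCY, WEEK))
```

In the sample, the day-21 vaulted copy is the newest clean restore point, which satisfies the 28-day loss requirement of one asset but not the 14-day requirement of the other, showing why the off-network vaulting interval must be sized per VDA.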