Unfortunately, every organization is vulnerable to a cyberattack. We have seen in the last years a considerable increase in cybercrime and the negative impact that it causes on businesses. The obvious consequences are financial, but that is just the tip of the iceberg. There are several other aspects to consider, such as intellectual property loss, reputation damage, or data privacy breaches. It is undeniable that there is no way to be totally safe, but it is always good to work on a plan to mitigate disasters and cyber-crisis.
Disaster plan vs Cyber recovery plan
Although a disaster recovery plan and a cyber recovery plan overlap to a certain extent, their aims are different. While the disaster recovery plan intends to ensure business continuity after a cyber-attack, the cyber recovery plan seeks data protection. Preparing a plan against disaster can enable a fast repair of the systems that allow the reactivation of the operations after the attack occurs. On the other hand, a cyber recovery plan will aim to regain the access to critical data as soon as possible. In the light of the increasing trend of cyberattacks against organizations, especially ransomware, it is vital to have in place both protocols to ensure data protection and business resumption.
A cyber-attack could be devastating for an organization. Consequences could be frightening, to the point of affecting a state or a nation, as it was the case of the Colonial Pipeline in the US, the ransomware attack to the HSE in Ireland, or the current emergency situation in Costa Rica. At KuppingerCole, we discussed about these incidents and the impact to the societies afterwards in a previous blog post.
Even though it may sound obvious, keeping the team calm is key during a cyber-attack. Different responsibilities should be assigned to different people and teams, to spread the workload and expedite recovery. When organizations suffer major incidents, it is common that an immense pressure takes over the environment, and it contribute to make it harder to respond and coordinate actions. However, following the protocols prepared in advance are vital in this scenario.
The organization suffered an attack, what to do now?
A security alert arrives at your SOC or helpdesk. Who investigates? Who performs triage? How is the severity determined? Who needs to be made aware? Who are the decision makers? Identifying stakeholders and responsible team members is a good first step to take. Communications protocols need to be established. Rushing the recovery could itself cause greater harm. Starting cleanup procedures before ensuring containment may take critical time away from the investigation, allowing other assets to be compromised while the initial victim assets are being restored. There are some steps that are essential to succeed with recovery during and after a cyberattack:
- Safe backups: It is true that having a backup is a must, however, backed up copies of the data are also at risk. It is vital to contract with an appropriate Cloud Service Provider that provides a useful solution ensuring a high degree of resilience. Offline backups area also necessary. Ransomware operators can leverage compromised credentials to encrypt backups they can find online within the targeted organization.
- Prevent re-infection: Some ransomware perpetrators break into systems days or weeks before they detonate their payloads. Backups may be contaminated with malware, such that restoring it would also restore the threat. Assessing the damage to critical systems will help the company to determine the extent of the impact and the origin of the attack in the Cybersecurity Supply Chain.
- Business continuity plan: Organizations should be able to restore the affected services quickly. Achieving this will depend upon how well the data was backed up and the selection of the essential backup services.
- Improve the process: Once the attack occurs, it is important to recognize and fix the vulnerabilities to close the gaps that allowed the breach. Improving the security posture will reduce the risk of a future incident.
Then, is it possible to recover after an attack?
Yes, it is possible, but the time that it takes to reverse the damage will depend entirely on the organizational plan. Nowadays, cybersecurity must be pro-active and not reactive. Having the right cloud backup and a cyber insurance policy could make the difference. Although the cyber insurance does not eliminate the risk, it may help in many cases to minimize the impact, for instance in cases where equipment is damaged, and productivity is lost due to the event. In the CSLS we will have special tracks discussing the importance of increasing resilience, and we discussed in a previous blog post that a cyber insurance policy is an essential component to protect the digital economy.
Transparency with other organizations and individuals affected is also important after being targeted. One goal cyber-attackers have in some types of incidents is to acquire and use personal data to impersonate real individuals and request bank loans fraudulently. Informing users about the unfortunate incident and contacting the authorities is now required in many jurisdictions. Although many companies do not feel comfortable reporting that they have been the target of a cyber-crime, it is essential to understand that consequences for non-compliance in reporting can add fines and legal fees to the cost of cleanup.
Understanding your IT and OT environments, including your asset inventory and their vulnerabilities will contribute to building a better recovery plan and a better cybersecurity stance. Hiring a third-party like KuppingerCole Analysts could help your organization to measure the risks and make better plans to repel attacks.
You can learn more about this topic at the Cybersecurity Leadership Summit.