Unfortunately, every organization is vulnerable to a cyberattack. In recent years we have seen a considerable increase in cybercrime and the negative impact it causes on businesses. The obvious consequences are financial, but that is just the tip of the iceberg. There are several other aspects to consider, such as intellectual property loss, reputation damage, or data privacy breaches. It is undeniable that there is no way to be totally safe, but it is always good to work on a plan to mitigate disasters and cyber crises.
Although a disaster recovery plan and a cyber recovery plan overlap to a certain extent, their aims are different. While the disaster recovery plan intends to ensure business continuity after a cyber-attack, the cyber recovery plan seeks data protection. Preparing a plan against disaster enables a fast repair of the systems, which allows operations to be reactivated after the attack occurs. On the other hand, a cyber recovery plan aims to regain access to critical data as soon as possible. In light of the increasing trend of cyberattacks against organizations, especially ransomware, it is vital to have both protocols in place to ensure data protection and business resumption.
A cyber-attack could be devastating for an organization. Consequences could be frightening, to the point of affecting a state or a nation, as was the case with the Colonial Pipeline in the US, the ransomware attack on the HSE in Ireland, or the current emergency situation in Costa Rica. At KuppingerCole, we discussed these incidents and their impact on society in a previous blog post.
Even though it may sound obvious, keeping the team calm is key during a cyber-attack. Different responsibilities should be assigned to different people and teams, to spread the workload and expedite recovery. When organizations suffer major incidents, it is common for immense pressure to take over the environment, which makes it harder to respond and coordinate actions. However, following the protocols prepared in advance is vital in this scenario.
A security alert arrives at your SOC or helpdesk. Who investigates? Who performs triage? How is the severity determined? Who needs to be made aware? Who are the decision makers? Identifying stakeholders and responsible team members is a good first step to take. Communication protocols need to be established. Rushing the recovery could itself cause greater harm. Starting cleanup procedures before ensuring containment may take critical time away from the investigation, allowing other assets to be compromised while the initial victim assets are being restored. There are some steps that are essential to succeed with recovery during and after a cyberattack:
Yes, it is possible, but the time it takes to reverse the damage will depend entirely on the organizational plan. Nowadays, cybersecurity must be proactive, not reactive. Having the right cloud backup and a cyber insurance policy could make the difference. Although cyber insurance does not eliminate the risk, it may help in many cases to minimize the impact, for instance where equipment is damaged and productivity is lost due to the event. At the CSLS we will have special tracks discussing the importance of increasing resilience, and we discussed in a previous blog post that a cyber insurance policy is an essential component in protecting the digital economy.
Transparency with other affected organizations and individuals is also important after being targeted. One goal cyber-attackers have in some types of incidents is to acquire and use personal data to impersonate real individuals and request bank loans fraudulently. Informing users about the incident and contacting the authorities is now required in many jurisdictions. Although many companies do not feel comfortable reporting that they have been the target of a cyber-crime, it is essential to understand that the consequences of non-compliance in reporting can add fines and legal fees to the cost of cleanup.
Understanding your IT and OT environments, including your asset inventory and its vulnerabilities, will contribute to building a better recovery plan and a better cybersecurity posture. Hiring a third party such as KuppingerCole Analysts could help your organization measure the risks and make better plans to repel attacks.
You can learn more about this topic at the Cybersecurity Leadership Summit.