Creating a Disaster Recovery Plan for Data Breach and NIST Incident Response: Planning for the Worst

Posted May 13, 2018

What do you think about when you hear the word “disaster”? Hurricanes? Floods? Earthquakes? Fires?

In reality, a disaster doesn’t have to be so dramatic. When it comes to your business, disaster can mean something as simple as a power outage, broken pipes or, in today’s digital world, an employee who clicked on the wrong link. With the proliferation of new attack vectors and immediately crippling attacks such as ransomware, you can’t take any chances.

Being prepared isn’t just for big organizations and critical infrastructure. While the threat level is escalated and the impacts are ever increasing, the steps to prepare are well-known and doable. Your business is critical to you, so why would you treat it any differently?

It’s important to ensure that your business is resilient and is capable of recovering from not only a failure but also an attack. To this point, disaster recovery and incident response are tightly linked. The ability to respond to attacks with an incident response plan is often followed by the need to restore some or all of your infrastructure.

Ransomware is a great topic to discuss because it is new in the way it impacts the business. In the past, we saw largely breach-related attacks that stole or exposed private, sensitive information. This is a breach of confidentiality and it doesn’t often require any sort of system or data recovery. However, while ransomware may impact confidentiality, it is focused on leveraging the need to have systems and information available as its primary motivator; if you don’t pay, you will not have access to the information you need to run your business.

As part of being prepared you need two things: an incident response plan and a disaster recovery plan. That is to say that you need to quickly respond to cyberattacks and, if your defenses fail, you need to be able to recover your information and your systems quickly. Being quick is a key point. The quicker you mitigate the attack, the less impact you’ll suffer. Consider the business impacts of an incident that takes one hour to recover from as opposed to one week.

A good incident response plan will:

  • Take your current network infrastructure into account, including system architecture and information flows. It will also identify vulnerabilities and points of attack.
  • Assign roles and responsibilities to predetermine who does what in the event of a cyberattack or breach. This can include technical staff, media outreach, legal, and executive sponsors.
  • Provide for a communication strategy. Your incident response plan should specify who will handle internal communications with personnel and clients as well as external communications with the media or mandated reporting agencies.
  • Define response requirements and timelines. This covers everything from what resources are needed to contain the breach to what the minimum response times are.
  • Be tested regularly. An incident response plan shouldn’t be a “check the box” initiative. Routine testing can help you to better execute, develop a sort of muscle memory, identify new vulnerabilities and develop solutions to fix these problems.

A good disaster recovery plan:

  • Includes a business impact analysis (BIA). The BIA will help you determine how much data your organization is storing, where it is located, and how critical it is to the operation of your business. It will also allow you to set standard metrics for determining how much a disruption impacts the organization and how long the business can survive without this data.
  • Compiles an inventory of all hardware and software, in priority order.
  • Establishes recovery time objectives and recovery point objectives.
  • Ensures that all vendors and service-level agreements account for disasters. This should be a binding agreement that defines what level of service will be delivered in a disaster situation.
  • Defines procedures to safeguard sensitive information during the recovery process.

Don’t put all your eggs in one digital basket.

With the continually growing amount of data, organizations have increasingly moved to online backups. You have to consider that any online system may be affected by ransomware and taken offline.

It is absolutely crucial that you have an offline backup of your information, some medium that is not accessible via a network, so that you can recover in the case that you cannot restore normal business operations after a ransomware attack. There are cases where ransomware encryption cannot be undone (technical failure) or you simply cannot afford to pay the ransom. This is also just good practice – no one knows what the next major attack vector will be and how it will impact your business.

In conclusion…

If your business goes away, we all suffer. We must be prepared to respond and recover quickly from cyberattacks. We need to mitigate the initial attack with a meaningful and practiced incident response plan and we need to have an effective way to recover data and information systems. It’s never too late to get started and there’s no good reason to put it off. Even a bad plan is better than no plan. And a practiced plan is even better.

