Incident Response and Disaster Recovery Planning: Preparing for the Worst

What do you think about when you hear the word “disaster”? Hurricanes? Floods? Earthquakes? Fires?

In reality, a disaster doesn’t have to be so dramatic. When it comes to your business, disaster can mean something as simple as a power outage, broken pipes or, in today’s digital world, an employee who clicked on the wrong link. With the proliferation of new attack vectors and immediately crippling attacks such as ransomware, you can’t take any chances.

Being prepared isn’t just for big organizations and critical infrastructure. While the threat level is escalated and the impacts are ever increasing, the steps to prepare are well-known and doable. Your business is critical to you, so why would you treat it any differently?

It’s important to ensure that your business is resilient and is capable of recovering from not only a failure but also an attack. To this point, disaster recovery and incident response are tightly linked. The ability to respond to attacks with an incident response plan is often followed by the need to restore some or all of your infrastructure.

Ransomware is a great topic to discuss because it is new in the way it impacts the business. In the past, we saw largely breach-related attacks that stole or exposed private, sensitive information. This is a breach of confidentiality and it doesn’t often require any sort of system or data recovery. However, while ransomware may impact confidentiality, it is focused on leveraging the need to have systems and information available as its primary motivator; if you don’t pay, you will not have access to the information you need to run your business.

As part of being prepared you need two things: an incident response plan and a disaster recovery plan. That is to say that you need to quickly respond to cyberattacks and, if your defenses fail, you need to be able to recover your information and your systems quickly. Being quick is a key point. The quicker you mitigate the attack, the less impact you’ll suffer. Consider the business impacts of an incident that takes one hour to recover from as opposed to one week.

A good incident response plan will:

  • Take your current network infrastructure into account, including system architecture and information flows. It will also identify vulnerabilities and points of attack.
  • Assign roles and responsibilities to predetermine who does what in the event of a cyberattack or breach. This can include technical staff, media outreach, legal, and executive sponsors.
  • Provide for a communication strategy. Your incident response plan should specify who will handle internal communications with personnel and clients as well as external communications with the media or mandated reporting agencies.
  • Define response requirements and timelines. Everything from what resources are needed to contain the breach to what the minimum response times are.
  • Be tested regularly. An incident response plan shouldn’t be a “check the box” initiative. Routine testing can help you to better execute, develop a sort of muscle memory, identify new vulnerabilities and develop solutions to fix these problems.

A good disaster recovery plan:

  • Includes a business impact analysis (BIA). The BIA will help you determine how much data your organization is storing, where it is located, and how critical it is to the operation of your business. It will also allow you to set standard metrics for determining how much a disruption impacts the organization and how long the business can survive without this data.
  • Compiles an inventory of all hardware and software, in priority order.
  • Establishes recovery time objectives and recovery point objectives.
  • Ensures that all vendors and service-level agreements account for disasters. This should be a binding agreement that defines what level of service will be delivered in a disaster situation.
  • Defines procedures to safeguard sensitive information during the recovery process.

Don’t put all your eggs in one digital basket.

With the continually growing amount of data, organizations have increasingly moved to online backups. You have to consider that any online system may be affected by ransomware and taken offline.

It is absolutely crucial that you have an offline backup of your information, some medium that is not accessible via a network, so that you can recover in the case that you cannot restore normal business operations after a ransomware attack. There are cases where ransomware encryption cannot be undone (technical failure) or you simply cannot afford to pay the ransom. This is also just good practice – no one knows what the next major attack vector will be and how it will impact your business.
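The recovery-point and offline-backup requirements above can be checked mechanically against a backup inventory. The following is an added example, not the author's code, using a constructed inventory of hypothetical systems: it flags any system whose newest online or offline backup is older than its RPO, or which has no offline copy at all, and lists findings in BIA priority order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class BackupRecord:
    system: str
    priority: int                             # 1 = most critical, from the BIA
    rpo_hours: float                          # recovery point objective
    last_online_backup: datetime
    last_offline_backup: Optional[datetime]   # None = no offline copy exists

# Constructed reference time and inventory (hypothetical systems, illustrative values).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    BackupRecord("erp-db", 1, 4, NOW - timedelta(hours=1), NOW - timedelta(hours=30)),
    BackupRecord("file-server", 2, 24, NOW - timedelta(hours=12), NOW - timedelta(hours=20)),
    BackupRecord("intranet-wiki", 3, 72, NOW - timedelta(hours=96), None),
]

def check_rpo(records: List[BackupRecord], now: datetime = NOW) -> List[Tuple[int, str, List[str]]]:
    """Return (priority, system, issues) for every non-compliant system, most critical first.

    The offline copy is held to the same RPO as the online one: if ransomware
    encrypts everything reachable over the network, the offline copy is the
    only recovery point that is left, so its age is what actually matters.
    """
    findings = []
    for r in records:
        rpo = timedelta(hours=r.rpo_hours)
        issues = []
        if now - r.last_online_backup > rpo:
            issues.append("online backup older than RPO")
        if r.last_offline_backup is None:
            issues.append("no offline backup")
        elif now - r.last_offline_backup > rpo:
            issues.append("offline backup older than RPO")
        if issues:
            findings.append((r.priority, r.system, issues))
    return sorted(findings)

if __name__ == "__main__":
    for priority, system, issues in check_rpo(INVENTORY):
        print(f"P{priority} {system}: {', '.join(issues)}")
```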

In conclusion…

If your business goes away, we all suffer. We must be prepared to respond and recover quickly from cyberattacks. We need to mitigate the initial attack with a meaningful and practiced incident response plan and we need to have an effective way to recover data and information systems. It’s never too late to get started and there’s no good reason to put it off. Even a bad plan is better than no plan. And a practiced plan is even better.

About The Author: Dan Didier

Dan Didier is a cybersecurity pragmatist who partners with business leaders to appropriately position cybersecurity for the practical, effective and relevant protection of business assets through risk management.

With the mission of empowering organizations to have the tactics, resources and intelligence required to defend their most critical assets, in 2007, he founded NetSecure, a cybersecurity consulting company dedicated to providing top-tier services for businesses and their stakeholders.

Dan’s unique background in technology and business allows him to bridge the gap between people, process and technology, implement effective business processes and adapt to the unique cybersecurity challenges that organizations face.

After 20 years of experience in a wide range of industries, including critical infrastructure, finance, healthcare, technology and manufacturing, Dan now serves as GreyCastle Security’s Vice President of Services, where he leads one of the nation’s largest teams of cybersecurity professionals.

Dan is accredited with several industry certifications and he received his bachelor’s degree in Telecommunications from SUNY Polytechnic Institute and graduated Summa Cum Laude with his Master’s degree in Information Assurance from Norwich University.