If cyber breaches are now an expected part of doing business, what matters most is the ability to rapidly and securely recover.
Cybersecurity has changed significantly in recent years, with new approaches and technologies being deployed to face an ever-evolving threat. Despite this, the threat continues to grow, with what was once hacking now a major criminal enterprise.
One positive move is that the focus on security is moving from infrastructure to data security, indicating that organisations realise that what they really need to protect is their data, not their computers.
Michelle Harris, Director of Cyber Recovery & International Growth at Triangle, says that many organisations were going further. Businesses today realise that the cyber threat is so serious that they want to ensure they can get up and running quickly in the event of a breach.
“I think the focus is not only moving to data, it’s also moving from prevention to recovery, because I think the realisation has hit home that breaches happen.”
In practical terms, this means businesses need to be on top of their data, including knowing what data is essential for operations and what is not. “It's about understanding what data you have and classifying it, knowing what is throwaway and what is critical,” says Harris. “You really need to understand what data you need to run your business and therefore what you need to recover first. It still won’t protect you from the pain you go through or the brand damage, but it will allow you to get back up and running.”
The goal, following a breach, is to get back to a state of being a minimally viable company, and that should guide what data matters and what does not. Of course, every single piece of data could be designated vital, but that is not the reality.
Regulations such as the Digital Operations Resilience Act (DORA) and the revised Network and Information Security Directive (NIS2) are among the factors driving the renewed focus on recovery. “Up until two years ago, the requirement even at enterprise level was to have a tick in the box of the business continuity plan. With the regulations coming out now, that has changed,” according to Harris. “It has been driven by DORA, in particular. For NIS2, it’s a little more vague, it’s not as clear as DORA. What we’re finding is people are adding budget based on DORA,” she points out.
In addition, high-profile attacks got a conversation going. “The HSE attack made a lot of people sit up and gave people permission to talk about security,” she explains.
Immutable backups are a good first step, Harris says, and are useful for day-to-day recovery of files. However, to counter the cyber threat and be able to recover, more is needed.
“Backups are the most commonly attacked surface in an organisation and they are visible throughout the network. With cyber recovery, backups don’t meet the requirements; you need your data to be both logically and physically separated.”
Core data should be physically copied into a data domain storage that is not visible on the network, going in via a one-way method and being deep content scanned at the time. “That methodology is where people are going in financial services and insurance, as well as in telecoms.”
Cloud-based disaster recovery is common today, but while it is extremely useful in the case of a physical site being shut down, it is not designed for recovery after a security breach. “One of the first things you do [when there is a breach] is shut down your network; you sever the link to the outside world,” explains Harris. “You can have a DR [disaster recovery] plan but that does not give you cyber resilience. With DR you typically know what happened and you are just trying to get a platform up and running; whereas with cyber you have a lot of forensics.”
It sounds daunting, but Harris advises that having a recovery plan in place is a real help. “Because you are doing scanning on a daily basis you catch things much quicker.”
In addition, organisations should not throw their hands in the air.
“As the old expression goes, you eat an elephant one bite at a time. You need to sort out priorities. There are things you can do. There absolutely are.”
This article first appeared in the Business Post - you can read the original here. And find out more about Triangle's cyber recovery services here.
