Cyber recovery plans are essential for businesses to withstand IT breaches, focusing on isolated backups and data integrity.
Businesses today are well aware that outside events can have a major impact on their operations, and more and more are putting disaster recovery (DR) plans in place to ensure that things can get back up and running after any kind of disruption. According to Michelle Harris, Director of Cyber Recovery & International Growth at Triangle, that is a good idea. But relying on DR plans alone risks leaving a major hole in operational security:
“The focus has always been on disaster recovery, and most organisations think they have a recovery strategy in place, but what they do not have is cyber recovery.”
Cyber recovery is an explicit plan of action to be taken in the event of a hacking attack, ransomware or other security breach. Given the increasing likelihood of such a breach, having such a plan amounts to recognising the reality of how reliant organisations are on technology today.
“The outcome is the same [as with DR] in that they both get you back and running, but one is very different from the other,” says Harris. A true cyber recovery plan is centred on having regular back-ups that are 100 per cent isolated from operational systems. “DR is often connected to production and that tight coupling means, in the event of a cyber breach, you have no recovery posture. Cyber recovery has to be architected very differently. The first thing is data isolation, and one of the other key things is analytics, which allows you to ask: do you have anomalies or corruption in the data, and do you know your data is good.”
Given the nature of cyber attacks, which often include a substantial delay from the moment of the initial breach until the ransom event, regular, daily back-ups that are analysed for anything out of order are essential.
“The big bang happens after people have been minimally corrupting small amounts of data over time.”
More broadly, a cyber recovery plan needs to identify the basic IT architecture and the applications that a business cannot be run without. “Many people don’t have a full ‘minimal viable company’ that can be used to bring the business up and running after a security event,” she said.
New regulations such as the Digital Operational Resilience Act (Dora) and the Network and Information Security Directive 2 (NIS2) have underscored the scale of the threat. “I think people have been thinking about it a long time but Dora and NIS2 are resulting in action being taken,” according to Harris. “The number of breaches has grown exponentially [and] the sophistication has also grown exponentially, so that is focusing minds.”
“The fact that Dora and NIS2 are bringing in fines is a significant move. So now you have to show audited proof that you have the ability to recover and, in addition, people in management are personally liable,” she said.
Triangle’s view is that as breaches are now a fact of life, every organisation needs to plan ahead in order to be able to recover.
“You will go out of business if you can't, so planning and testing is vital,” she said.
This article first appeared in the Business Post.