Cyberattacks are on the rise: are you ready to recover maliciously compromised data?

Few traditional disaster recovery programs are designed for recovery from a data-compromising cyberattack. Without focused discussions, detailed planning, backup solution enhancement, cyber recovery tests and exercises, and a comprehensive data recovery program, you are putting your IT service delivery, and with it your business, at unnecessary risk.
We brought together a group of CISOs, CIOs, and IT directors to discuss their organisations’ recovery programs, covering:
- What technologies and capabilities need to be considered
- What plans, teams, and tests should be put in place
- How to communicate compromised data recovery preparedness with executive leadership
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
About Sungard Availability Services
Sungard Availability Services (Sungard AS) helps businesses transform their IT environments, ensuring they are resilient and recoverable. They leverage their experience across a broad range of IT landscapes to align the right workloads with the right infrastructures – whether hybrid cloud, legacy, or something in-between.
Sungard AS customers can streamline and manage complexity, minimise risk and adapt to change, all while capitalising on the opportunities that digital transformation offers. With 40 years of disaster recovery experience, they know how to keep mission-critical operations available for their customers. That’s why more than 70% of Fortune 100 companies rely on them for resilient and recoverable IT.
Ready to recover?
When considering cyber-attack preparedness, the first thought is prevention. Are we protected? Most organisations have more work to do than they think in terms of preparing for an attack, but what often goes overlooked is recovery. Are we ready to recover should the worst happen and the attack successfully compromises data? Prevention is no longer enough, as cyber criminals have proven time and again that they are not so easily deterred. Without investment in recovery readiness, a business can find itself unprepared to take swift and effective action, something executive leadership no doubt expects.
Considering your strategy
There is a lot to consider when it comes to recovering data that has been compromised by a malicious cyber-attack. Ransomware requires an organisation to ask itself: do we try to negotiate? Do we pay up? Are we restoring and, if so, to where and to which point in time? How far back do we need to restore from? Does any interdependent but unimpacted data also need to be rolled back? These are all serious questions a business needs to consider, and waiting to ask them in the moment will cost time and no small amount of money. Most importantly, talking about ransomware-compromised data recovery through the lens of traditional disaster recovery is a mistake. A data recovery plan needs to be relevant to, and capable of handling, this very special recovery case.
For a data protection strategy to function, you need to know what data is most vital to the organisation: what is the minimum set of data that is essential to the viability of your business? Not only that, but systems are often interdependent, and having a clear picture of these interdependencies is critical to planning recovery. Ensuring that data mapping procedures are regularly evaluated, and that data governance practices and education are enforced, is key to having the confidence needed to recover.
Where are your backups? What is the most recent point in time with unencrypted and malware-free data? Regardless of how they are secured, backups must be protected so that they can be restored with confidence that malware isn’t being restored along with them. Even if they are protected, restoring in a clean room or safe room and thoroughly checking the backup first is a good security measure to take.
A modern backup solution that provides tamper-proof backups inaccessible to bad actors and uses stringent identity and access management to proactively validate data integrity is needed to increase the chances of successfully recovering compromised data.
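The two checks described above, validating that a backup has not been tampered with and picking the most recent point in time that is actually clean, can be expressed as a small selection routine. The following is an added example written for this summary, not code from Sungard AS or any product discussed at the roundtable. It assumes a per-file SHA-256 manifest recorded at backup time and stored out of band (the "tamper-proof" property is assumed to come from wherever that manifest lives); the snapshots, file contents, dates and names are all constructed here. Tampering is detected by a manifest mismatch, and a snapshot that backed up already-encrypted data is detected by a byte-entropy check, since such a snapshot verifies perfectly against its own manifest and would otherwise be chosen.

```python
import hashlib
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed data model (hypothetical): a snapshot is a point-in-time copy of
# files; a manifest is the per-file SHA-256 digest recorded when the snapshot
# was taken and kept separately on write-once storage.

@dataclass
class Snapshot:
    name: str
    taken_at: datetime
    files: Dict[str, bytes]


def build_manifest(snapshot: Snapshot) -> Dict[str, str]:
    """Digest every file at backup time; this copy is stored out of band."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in snapshot.files.items()}


def verify_snapshot(snapshot: Snapshot, manifest: Dict[str, str]) -> bool:
    """True only if the file set and every digest still match the manifest."""
    if set(snapshot.files) != set(manifest):
        return False
    return all(hashlib.sha256(data).hexdigest() == manifest[path]
               for path, data in snapshot.files.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; text sits well below 6, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    return shannon_entropy(data) >= threshold


def choose_restore_point(snapshots: List[Snapshot],
                         manifests: Dict[str, Dict[str, str]],
                         suspected_compromise: Optional[datetime] = None) -> Optional[Snapshot]:
    """Most recent snapshot that predates the suspected compromise, verifies
    against its manifest, and contains no ciphertext-looking files."""
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        if suspected_compromise is not None and snap.taken_at >= suspected_compromise:
            continue
        if not verify_snapshot(snap, manifests[snap.name]):
            continue  # altered after the manifest was recorded
        if any(looks_encrypted(d) for d in snap.files.values()):
            continue  # backed up data that was already encrypted
        return snap
    return None


# Constructed sample content: a small ledger and a stand-in for ciphertext
# (uniform byte distribution, entropy exactly 8 bits/byte).
LEDGER = b"customer,balance\nalice,100\nbob,250\ncarol,75\n" * 8
CIPHERTEXT_LIKE = bytes(range(256)) * 4


def demo() -> Dict[str, Optional[str]]:
    def day(d: int) -> datetime:  # constructed dates
        return datetime(2023, 6, d)

    s1 = Snapshot("nightly-01", day(1), {"ledger.csv": LEDGER})
    s2 = Snapshot("nightly-02", day(2), {"ledger.csv": LEDGER + b"dave,30\n"})
    s3 = Snapshot("nightly-03", day(3), {"ledger.csv": LEDGER + b"dave,30\nerin,45\n"})
    s4 = Snapshot("nightly-04", day(4), {"ledger.csv": CIPHERTEXT_LIKE})
    manifests = {s.name: build_manifest(s) for s in (s1, s2, s3, s4)}

    # Simulate tampering with nightly-03 after its manifest was recorded.
    s3.files["ledger.csv"] = LEDGER + b"dave,30\nerin,999\n"

    snaps = [s1, s2, s3, s4]
    no_cutoff = choose_restore_point(snaps, manifests)            # s4 encrypted, s3 tampered -> s2
    cutoff = choose_restore_point(snaps, manifests, day(2))       # only s1 predates day 2
    return {"no_cutoff": no_cutoff.name if no_cutoff else None,
            "cutoff_day2": cutoff.name if cutoff else None}


if __name__ == "__main__":
    print(demo())
```

The point of the two-stage check is that nightly-04 verifies cleanly: the manifest faithfully records the encrypted bytes that were backed up, so integrity validation alone would select it and restore the ransomware's output. Integrity checking answers "has this backup been altered since it was taken?", while the entropy (or equivalent malware) check answers "was the data already bad when it was taken?"; a recovery program needs both.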
Limiting the damage through planning
Response and recovery are not just an IT issue; they require input from everyone, from the top down. You need to know not just your mechanisms for recovery but also the decision-making pipeline, and that involves the executive leadership, particularly when it comes to deciding whether or not the network is shut down at the first sign of an attack. It is important to work with leadership to establish under what conditions people have the authority to shut down the network. Confirming this before a cyber-attack incident will prevent the need to go five levels up in the organisation and get a whole committee together to figure out if the network should be shut down, all while the damage spreads across your network.
Falling victim to a cyber-attack is something no organisation is fully equipped to deal with. Fortunately, most security insurance covers outside advisors who can provide a lifeline in these circumstances. These advisors can help run tabletop exercises, offer expert advice from experienced perspectives, and should be the ones negotiating with the attackers on your behalf. These advisors are a tool to be used like any other and should be factored into your recovery plans.
Knowing who will be doing what is essential and pre-defining that in a suite of plans and playbooks is vital.
Test, test and test again
There is often not a lot of testing done beyond what has historically been done for traditional disaster recovery, and if it is done, it is often not rigorous enough. Consider the following test types when defining your data recovery test program: vital data restoration from a specific point-in-time greater than RPO values, data recovery using a decryption key, recreation and re-entry of data by the business community, and rebuilding of data from other system sources. If there is concern about expanding a test program for this special recovery case, it’s important to remind business leaders what the cost to the business might be if they can’t operate as a result of an attack they weren’t prepared for.
Organisations need a modern data protection solution as well as specialised plans and procedures for ransomware recovery. If you are not testing and validating your technology solution and procedures with rigorous cyber recovery simulations, you might stumble upon a lot of challenges which could result in an extremely lengthy and painful recovery. All organisations should be conducting at least one cyber recovery simulation every year to document lessons learned, remediate any gaps, and improve overall maturity and confidence in ransomware recovery.
Tabletop exercises are a brilliant way to engage recovery teams and test their recovery plans with minimal disruption while still yielding valuable results. Tabletops should feel real enough to expose the granular issues and process gaps that might cause big problems in a recovery scenario. The results of these exercises can then be used to create playbooks and step-by-step guides for handling situations like decrypting data, and for answering the simple yet myriad questions that need to be addressed, such as who is doing it, who is running forensics, and where is it being restored to?
Communicating with the board
Preparing for a cyber-attack is a process that impacts the entire business and as such business leaders need to be involved from the inception of any plans. Effectively communicating the complexities of the situation can be a challenge, but honesty and clear explanation goes a long way. Many organisations break their cyber security posture down into identify, protect, detect, respond, and recover, and then clearly demonstrate the existing protections or vulnerabilities that need to be addressed at each stage. And that is no different for data recovery: Identify the data that is most vital to the organisation, Protect that data with modern backup solutions, Detect tampering with your data backups, Respond quickly and decisively through pre-defined protocols, and Recover safely in protected areas through a combination of IT and business teams that are well versed in their roles.
When it comes to speaking the language of business, translating risk into monetary consequences or impact on delivery is always an effective way to get their attention. A common response to hearing these risks is “why aren’t we already protected?” This is often the result of a lack of context on their part. Bringing executives, and perhaps board members, into tabletop exercises helps to contextualise these risks and prepares them to understand these conversations from the security perspective.
Reducing the risk
Reducing the risk of failed data recovery is a complex issue. There is a lot that needs to be considered from a technical and operational perspective. Ensuring that your business is investing in the technology to facilitate a safe recovery is every bit as important as ensuring that your teams and the wider business are prepared for an eventuality that every day seems more and more like an inevitability.
Being ‘prepared’ never means being fully prepared. Attackers are continually upping their game, and preparedness is impossible to maintain. There is no silver bullet for reducing recovery risk, but just the basics, such as running business impact analysis, solid risk management, and communicating effectively with the board, will go a long way to ensuring that if you go down, you get right back up.