
How to structure your recovery from a cyber attack

ReadiNow
May 11, 2021

Recently, 9News was at the centre of the 'largest cyber attack on a media company in Australia's history', which brought television and digital production systems around the country to a grinding halt for more than 24 hours. This event turned out to be the latest headline-making reminder for business leaders about the dangers of becoming complacent about cyber-security. 

Needless to say, these attacks threaten the integrity of your company's information and sensitive data, and challenge your organisation's ability to protect the details of its customers and employees, which in turn disrupts day-to-day business operations. One of the latest victims was Colonial Pipeline, the largest fuel pipeline in the United States, which was forced to shut down 5,500 miles of pipeline; the US declared a regional state of emergency affecting 17 states and the District of Columbia.

In the last year alone, cyber attacks have become more common, driven in large part by the shift to remote work during COVID-19, which moved staff onto home networks and devices that are typically less well protected than the office environment. In March 2021 computer giant Acer also suffered a REvil ransomware attack in which the attackers demanded the largest known ransom to date: US$50 million. Almost every week, headlines break about the latest victim of a massive data breach or cyber attack, so why are so many organisations still struggling?

Gartner analysts have predicted that cyber-physical security incidents will rapidly increase in the coming years because security focus and spending have not kept pace with the cyber-physical systems organisations now depend on. Its analysis predicts that 75% of CEOs will be personally liable for cyber-physical security (CPS) incidents by 2024, and that the financial impact of such incidents will exceed US$50 billion by 2023.

The best way to avoid becoming a victim is, of course, to arm yourself with as much information as possible about your vulnerabilities and to seek professional security advice. Should a breach occur anyway, it is imperative that you have a tried and tested plan for how to respond and recover. We've put together some recovery tips to help you enhance your disaster recovery plan.

8 Steps to recover from a cyber attack

Gartner's IT glossary defines disaster recovery (DR) narrowly as the use of alternative network circuits to re-establish communications channels in the event that the primary channels are disconnected or malfunctioning. In practice most organisations use the term more broadly, for restoring systems and data after any disruption, and that is the sense used in the steps below.

Once a cyber attack has occurred, make sure you have a plan in place to begin recovery immediately. In the aftermath, most businesses see a reduction in their operational abilities, reputation, and revenue. Here are 8 key steps to recover from a cyber attack:

  1. Identify what is lost and the extent of the damage. This comes first because what was stolen or damaged directly determines every step that follows. Form a task force to manage the recovery process and ask your IT team to collate the facts needed to formulate an effective plan. Before any affected system is wiped or rebuilt, preserve the evidence (logs, disk images, the ransom note or phishing email) and isolate the affected hosts so the attacker cannot keep operating while you investigate. Document when it happened, what assets were impacted, who the victims are, the type of attack, and how it will affect customers and suppliers.
  2. As an Australian organisation, under the Notifiable Data Breaches (NDB) scheme you must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable once you have reasonable grounds to believe an eligible data breach has occurred. The notification must identify your organisation, describe the breach and the kinds of information involved, and recommend steps affected individuals should take. Work with your PR and Marketing teams on a public statement; it should cover any compensation on offer and a high-level plan for preventing future incidents, such as a new cyber-security policy or procedure.
  3. Replace old systems and technologies with robust ones and apply security patches where necessary. Look for automated solutions that are scalable, integrated, supportable, and able to raise alerts. Consider in-house or additional third-party products or expertise that can enhance your security capability.
  4. Validate the integrity of your remaining data and restore from backups where available. Do not assume a backup is clean just because it exists: ransomware commonly encrypts or deletes backups it can reach, so verify each backup against an independently stored checksum manifest, restore only from a point in time before the compromise, and keep at least one copy offline or on immutable storage. Back up each computer and mobile device hourly, daily, or weekly depending on business needs, based on how much information changes between backups and the impact of losing it in a loss event.
  5. Know your company's compliance obligations, both what your organisation owes to others and what others owe to it. Expect intense scrutiny from customers and third parties, who may seek audit rights, assurance, or commitments to address future risks. Multiple regulators may also require reports as part of your legal and compliance obligations.
  6. Determine how the breach may have affected stored sensitive data and which privacy legislation may have been breached, and plan remediation accordingly.
  7. Educate employees about strong passwords and passphrases, identifying and avoiding cyber threats, what to do during an attack, and how to report a suspected incident. Conduct training or tabletop exercises. Roll out multi-factor authentication.
  8. Purchase cyber insurance for your organisation. Insurers and their panels can help you recover from a data breach quickly and effectively and may cover part of the cost of a future loss event; note that most policies require you to maintain baseline controls such as backups and multi-factor authentication.
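Step 4 is the one most often done badly in practice, so here is an added example of what "validate the integrity of your remaining data" looks like in code. It is illustration written for this article, not ReadiNow's product code or anything from the cited sources. It builds a SHA-256 manifest of a backup set, verifies a later copy against that manifest (reporting modified, missing and unexpected files), and checks whether the backup's age satisfies a recovery point objective. All file names, contents and timestamps are constructed in a temporary directory so the script runs offline.

```python
"""Verify a backup copy against a trusted hash manifest and check it against an RPO.

Added illustration for this article; not ReadiNow's code. Sample files and
timestamps below are constructed so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest.

    Keep the manifest somewhere the backup job cannot overwrite (offline or on
    immutable storage): a manifest stored beside the data can be rewritten by
    the same attacker who tampers with the data.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare a backup copy against a trusted manifest.

    A copy counts as clean only if nothing was modified, nothing is missing,
    and nothing has appeared that the manifest does not know about.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "clean": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def rpo_satisfied(backup_taken_at, incident_at, rpo):
    """True if restoring this backup loses no more than `rpo` worth of changes."""
    return backup_taken_at <= incident_at and incident_at - backup_taken_at <= rpo


def _write_files(root, files):
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Constructed scenario: manifest a backup, tamper with a copy, verify both."""
    files = {  # constructed sample contents standing in for real backup files
        "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Alice');\n",
        "db/orders.sql": b"INSERT INTO orders VALUES (1, 1, 42.00);\n",
        "config.yml": b"retention_days: 30\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "backup_2021-05-10")
        _write_files(original, files)
        manifest = build_manifest(original)  # trusted copy, taken before the incident

        copy = os.path.join(tmp, "backup_copy")
        _write_files(copy, files)
        with open(os.path.join(copy, "db", "orders.sql"), "ab") as f:
            f.write(b"-- overwritten by ransomware\n")        # modified file
        os.remove(os.path.join(copy, "config.yml"))            # missing file
        _write_files(copy, {"db/README.txt": b"pay up\n"})     # unexpected file

        untouched = verify_backup(original, manifest)
        tampered = verify_backup(copy, manifest)

    taken = datetime(2021, 5, 10, 2, 0, tzinfo=timezone.utc)    # constructed
    incident = datetime(2021, 5, 11, 9, 30, tzinfo=timezone.utc)  # constructed
    return {
        "untouched": untouched,
        "tampered": tampered,
        "meets_24h_rpo": rpo_satisfied(taken, incident, timedelta(hours=24)),
        "meets_48h_rpo": rpo_satisfied(taken, incident, timedelta(hours=48)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed scenario the untouched set verifies clean, while the copy reports `db/orders.sql` modified, `config.yml` missing and `db/README.txt` unexpected; a backup taken 31.5 hours before the incident fails a 24-hour RPO and passes a 48-hour one. The point of `build_manifest` being separate from `verify_backup` is that the manifest must be produced and stored before the incident, under a different credential than the backup job uses; computing hashes after the fact only tells you that the data matches itself.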

Who is involved in the recovery process?

Your employees are the biggest asset during a cyber attack. Establish a comprehensive response team to help create a multi-faceted plan addressing all issues a data breach may create. The Head of IT, cyber-security experts, IT disaster recovery (ITDR), risk management, legal and compliance teams should all be involved in post-attack recovery processes. 

  • IT and cyber-security teams should do a thorough post-attack analysis: what was targeted, which controls failed, and what improvements are needed to make the environment more resilient. Once the environment is secure, they can also share indicators and lessons learned with industry sharing groups and national cyber-security bodies to raise awareness and help others prevent similar attacks.
  • Risk Management teams should produce a post-incident report that sets out the root cause, what was affected, and the extent of the damage. They should also review and update risk management and business continuity plans wherever gaps were identified, and perform risk assessments regularly to confirm the root cause was correctly identified and that no related weaknesses remain.
  • Legal and compliance teams should be prepared for scrutiny from customers, stakeholders, regulatory bodies, suppliers, and even senior management.

The most effective cyber recovery plans are customised to your organisation’s needs directly involving employees. 

Tips to enhance your disaster recovery plan

Here are a few ideas on how you can streamline your disaster recovery program:

  • Align ITDR plans with business continuity so that you can identify critical processes and systems based on the recovery time objective (RTO, how long the business can be without a system) and recovery point objective (RPO, how much data loss the business can tolerate) that its users require.
  • Evaluate multiple recovery strategies per asset, taking into consideration data backups, alternate sites with available resources and hardware, server recovery (on-premises or cloud), technical recovery plans, emergency management plans, and so on.
  • Prioritise by risk. Determine which risks would be most damaging to the business and make sure those have thorough, tested handling before the rest.

Continue testing and enhancing disaster recovery strategies, audits, and plans.

  • Conduct individual component tests as well as full DR simulations.
  • Test your most challenging disaster recovery scenarios, not just the convenient ones, and vary the scope and depth of DR testing over time.
  • Schedule regular DR program updates and reviews.
  • Make sure you are using the right tools. Audit your recovery tools and software and seek unbiased, up-to-date professional advice from external specialists.
  • Simplify your systems. If testing shows you are constantly juggling multiple operating system versions, outdated software, or competing systems that do the same thing, you may need to rethink your IT strategy and simplify your processes.

Cyber attacks have had a devastating impact on businesses worldwide and caused a loss of millions if not billions of dollars. ReadiNow’s disaster recovery solution provides an effective way to simplify and automate the steps your business needs to take during a recovery process. The ReadiNow platform allows your business to continuously monitor, analyse, report on and manage processes with automated workflows and team alerts. If you'd like to see an award-winning solution built by industry experts, book a demo now.

For further reference:

https://www.gartner.com/en/documents/3981595/16-tips-to-enhance-your-it-disaster-recovery-program

https://learn.g2.com/recover-from-a-cyber-attack

https://amtrustfinancial.com/blog/insurance-products/what-to-do-after-a-data-breach-or-cyber-attack

https://www.nist.gov/blogs/manufacturing-innovation-blog/how-recover-cyber-attack
