Matching disaster recovery to cyber threats

While it is important to take steps to prevent cyber attacks, they can still happen. That is why disaster recovery practices are equally critical

As the connected ecosystem continues to expand, it is easy to predict that cyber attacks will keep growing in rate and complexity. Research from Cybersecurity Ventures estimates that cyber attacks will cost the global economy $6tn by 2021, while the human attack surface will grow to six billion people by 2022.

Businesses that experience severe cyber attacks face devastating consequences, including financial loss, legal action and reputational damage. Therefore, it is crucial to have systems in place to fend off cyber criminals. Unfortunately, security mechanisms are often rendered useless by technical faults and human error, which is when the focus shifts to disaster recovery procedures.

These consist of policies, tools and strategies that ensure critical technology systems continue to operate during and after a disaster. At the same time, disaster recovery strategies can help companies recover important assets once a crisis has been resolved.

But are these in step with today’s threats, and how can CIOs utilise them to maintain and support business operations during and immediately after an attack?

Contextual awareness

Meerah Rajavel, chief information officer at cyber security company Forcepoint, says companies need to develop a contextual understanding of threats in order to prevent and tackle breaches. She believes that companies should pair human capital with big data analytics.

“With GDPR [EU General Data Protection Regulation] now in effect, one of the key challenges is reducing the time from initial breach to detection. By taking an approach which recognises the context and intent of user behaviour early, and proactively flags potential threats, companies can protect against breaches before they happen,” she argues.

“Understanding the behaviour of users as they interact with data and systems to determine an identity risk level is a crucial tool to prevent a cyber attack.

“However, organisations must be prepared for the eventuality of a breach. Solutions such as user and entity behaviour analytics (UEBA) can assist with the detection and analysis of an incident, and data loss prevention (DLP) can provide valuable forensic insight to understand the nature of an attack quickly and meet the strict requirements now in place under the GDPR.”

Responding to attacks

Clearly, being targeted by cyber attackers can have devastating effects on businesses, which is why it is important to be one step ahead of them. George Tunnicliffe, head of IT operations at the National Theatre, says it is vital to have tools and processes in place to identify and respond to increasingly sophisticated cyber attacks.

“As a national institution, we are in a position of trust with our customers, employees, directors, actors and the individuals that come through our doors.

“Understanding where our data is, who is accessing it and whether individuals are behaving maliciously is crucial as we look not only to remain compliant with the GDPR regulations, but also to protect the sensitive information that is stored within our network,” he says.

“Working with Forcepoint, we have created unique processes that enable our team to identify and monitor potential threats on a daily and hourly basis. In doing so, and by embedding these checks into our security postures, we are able to concentrate our efforts where they are needed, maintain the efficiency of our team and have real-time clarity on the systems in use and behaviour changes that could lead to a breach.

“Critically, by understanding the behaviours and movement of data on our network, we can ensure that any threat is neutralised and that we can focus on protecting our customers, employees and brand.”

Continuous plans are paramount

Ian Pitt, chief information officer at software firm LogMeIn, says businesses and IT teams need to view disaster recovery as an evolving plan because the cyber security landscape is always changing.

“Unfortunately, there’s no magic eight ball when it comes to cyber security; it is a moving target. Just because something protected a business last year, does not mean it will keep the company safe this year,” he says.

“Therefore, CIOs need to be particularly vigilant, carry out regular risk assessments of the business, and use this information to draw up a security plan that ensures there aren’t any vulnerabilities that can be exploited in the future.”

The basis for this plan, he says, should be an understanding of the behavioural changes in people. “The best technological defences can be unwound by a social engineering attack, so it is important that employees are trained to be both the first and last lines of defence. Security plans should be reviewed regularly to try and stay one step ahead of threats as well as changes to technology used in the company.”

Traditional approaches won’t work

Developing a disaster recovery plan takes significant time and effort. But Mike Osborne, founding partner of the Business Continuity Institute and executive chairman of Databarracks, says creating and implementing one for cyber security is particularly challenging.

“You can group together most of the traditional risks like natural disasters, terrorism, epidemic or IT failure into a small number of resulting impacts. They all have the same impact on your business – you can’t access your premises, staff are unavailable, IT systems are unavailable, etc,” he says.

“Cyber incidents, however, are not as simple – you cannot just fail-over because you bring the same problem with you, whether that is malware or a hacker with access to your systems. If data has been locked and encrypted, you need to factor in significant data loss because you will need to restore data from a backup before the ransomware infection.”

The solution? “Cyber incident management,” says Osborne. “First, you need to be able to identify the problem, then you move to containment and eradication before you can consider a move to recovery.

“The first point to note here is that security and business continuity [BC] teams need to be working very closely together and BC plans need to account for the growing cyber threat. It’s never been more relevant to say that prevention of a cyber incident is far better than the cure.

“Second, your ability to continue operations depends on your ability to contain the issue. You need to ensure that you can isolate certain parts of the network and remove them because if you can, the total impact to business operations – in the short term at least – will be minimal. However, you still need to contend with the impact of the breach that may come later – the potential fines from regulators and damage to reputation. But in terms of traditional business continuity, you are at least able to keep the business working.

“Third, if you aren’t able to isolate the issue, you will potentially have to take the entire network/system/business down until the issue is resolved. When Sony Pictures was hacked it was operationally crippled for a month because it was unprepared for such an incident.”
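The recovery step Osborne describes hinges on choosing a backup taken before the infection, not simply the most recent one, and on knowing how much data that choice sacrifices. The snippet below is an added example, not code from the article, from Databarracks or from the Business Continuity Institute. It assumes a backup catalogue where each snapshot carries the time it was taken and the SHA-256 digest recorded when it was written (so a snapshot whose contents no longer match its digest is treated as suspect and skipped), and it takes the estimated compromise time plus a dwell-time margin, since the first observed indicator is rarely the attacker's first action. The catalogue and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Snapshot:
    """One backup in the catalogue (constructed structure, assumed for this example)."""
    taken_at: datetime
    label: str
    payload: bytes
    sha256: str  # digest recorded by the backup job at write time


def make_snapshot(taken_at: datetime, label: str, payload: bytes) -> Snapshot:
    """Build a snapshot whose recorded digest matches its contents."""
    return Snapshot(taken_at, label, payload, hashlib.sha256(payload).hexdigest())


def verify(snapshot: Snapshot) -> bool:
    """Recompute the digest; a mismatch means the copy was altered after it was written."""
    return hashlib.sha256(snapshot.payload).hexdigest() == snapshot.sha256


def select_restore_point(snapshots, compromise_time: datetime,
                         dwell_margin: timedelta = timedelta(0)):
    """Return the newest intact snapshot taken before (compromise_time - dwell_margin).

    Anything taken after the cut-off may already contain the malware or the
    attacker's changes, so it is never eligible no matter how recent it is.
    """
    cutoff = compromise_time - dwell_margin
    candidates = [s for s in snapshots if s.taken_at < cutoff and verify(s)]
    if not candidates:
        return None  # nothing safe to restore from: escalate, do not guess
    return max(candidates, key=lambda s: s.taken_at)


def data_loss_window(restore_point: Snapshot, detection_time: datetime) -> timedelta:
    """How much operational data is lost by rolling back to this restore point."""
    return detection_time - restore_point.taken_at


# Constructed catalogue: one nightly snapshot at 02:00 for five days.
_base = datetime(2024, 3, 1, 2, 0)
SNAPSHOTS = [
    make_snapshot(_base + timedelta(days=i), f"nightly-2024-03-0{i + 1}",
                  f"ledger state day {i + 1}".encode())
    for i in range(5)
]
# Simulate a copy whose contents were altered after the digest was recorded.
_tampered = SNAPSHOTS[2]
SNAPSHOTS[2] = Snapshot(_tampered.taken_at, _tampered.label,
                        b"altered contents", _tampered.sha256)

# Constructed timeline: first indicator on 4 March 10:00, detected 5 March 09:00.
COMPROMISE_TIME = datetime(2024, 3, 4, 10, 0)
DETECTION_TIME = datetime(2024, 3, 5, 9, 0)


if __name__ == "__main__":
    for margin in (timedelta(0), timedelta(hours=24)):
        chosen = select_restore_point(SNAPSHOTS, COMPROMISE_TIME, margin)
        print(f"margin={margin}: restore from {chosen.label}, "
              f"data loss window {data_loss_window(chosen, DETECTION_TIME)}")
```

With no margin the routine picks the 4 March snapshot; with a 24-hour margin the 4 March copy is excluded, the 3 March copy fails verification and the 2 March copy is chosen, widening the data loss window from one day and seven hours to three days and seven hours. That widening is the "significant data loss" Osborne refers to, and it is the figure a continuity plan should state up front rather than discover during the outage.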

Hindsight is a gift

Steven Furnell, a senior IEEE member and professor of IT security at the University of Plymouth, says companies should reflect on previous IT vulnerabilities to respond to cyber attacks.

“Obviously, it is rather a challenge to ensure that cyber security breaches never happen again, but it is perhaps reasonable to expect to be prepared when they do, and not to have the same vulnerabilities still in place,” he says.

“The key is clearly to learn from previous experiences – and these should ideally be the experiences of other people rather than waiting for the same thing to happen to you!

“It is important to understand what went wrong and why. The aim should be to avoid the need for recovery in future by ensuring that the overall approach to incident response includes prevention. At the same time, recovery lessons still need to be learned in case that stage is reached again.

“Another key thing – if you are directly affected – is to match your response to the event that occurred. For example, if the vulnerability was identified as a lack of staff awareness, then awareness-raising ought to feature somewhere in the response as well. While this may seem like stating the obvious, surveys often suggest a significant mismatch between the nature of reported breaches and planned security expenditure.”

Hackers are constantly coming up with new ways to compromise devices and networks, and businesses obviously need to be aware of this.

However, despite being prepared to tackle these threats, they can still fall victim to attacks – and that is why it is crucial to have the right disaster recovery plans in place. These must not only complement preventive measures but be constantly reviewed to ensure they are in line with new and emerging threats.