Step 5: Recover
Step 5: Recover | Business interruption is the greatest risk; access experts to recover quickly
In earlier posts in this series ‘Five steps to cyber resilience’, we advised all businesses to assume that they would be breached, to prepare for the expected and realize it’s a matter of when, not if, such an attack could take place. In this post, the final one on NIST’s five steps, we focus on the Recover function, and look at how business interruption is the greatest risk, emphasizing the need for timely recovery and the critical importance of guaranteeing access to the right expertise.
The interruption and potential unavailability of critical business processes following a hack can cause disastrous consequences for any business and unless you can recover quickly and mitigate the potentially long-lasting damage, the incident will play out in full view of customers causing additional reputational risk. In that context, NIST describes the Recover function as identifying the appropriate activities to maintain plans for resilience, restoring any capabilities or services that were impaired due to a cyber security incident and ensuring that recovery planning is properly implemented.
Picking up the pieces with a recovery plan
The growing severity and frequency of cyber-attacks show no sign of letting up which means true cyber resilience must include comprehensive recovery planning. Formalized and tested plans enable rapid recovery from incidents, helping to minimize the impact and ensuring effective communication to both internal and external audiences – a vital element of the long-term protection of a business’s reputation.
NIST states that recovery needs to address three critical outcomes:
- Recovery planning: recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cyber security events.
- Improvements: recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications: restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacked systems, victims, other Computer Security Incident Response Teams, and vendors.
Preparing for the expected requires detailed planning for the recovery from a cyber-attack and having that plan as part of your information security program. The plan should document system dependencies and identify key personnel including their specific roles in incident management. The plan should also provide for back-up to regular communication services and tie into your organization’s overall Business Continuity Plan (BCP).
Building the playbook to restore business function
Having a documented playbook allows you to consider various scenarios that evaluate impacts, responses and recovery processes before an actual cyber-attack takes place. Remember that many such attacks are launched and remain undetected for an average of 206 days, underscoring the need to build playbooks that quickly restore critical business functions after detection and response.
NIST provides helpful advice in terms of developing playbooks in its “Guide for Cybersecurity Event Recovery” including recovery scenarios and checklists for what should be included. The playbook is divided into three sections: pre-conditions required for effective recovery; tactical recovery phase; and strategic recovery phase. For example, NIST recommends in the tactical recovery phase that there is an ‘initiation’ step that includes receiving a “briefing from the incident response team to understand the extent of the cyber event” and informing “all parties that the recovery activities have been initiated.”
Scenario planning also plays an important role in the testing of current incident recovery capabilities. This aspect usually requires outside assistance from Incident Response (IR) experts who have experience in responding to real world incidents and can advise on the necessary recovery process to have in place. They can help simulate a real breach and stress test your response plan. Reality-based tabletop exercises are also invaluable in getting ahead of impending attacks especially when conducted with an after-action debrief document, helping to identify gaps and delivering reports that prioritize results and recommendations for improvement.
Protect your balance sheet and recover more quickly
The evolution of digitization means the risks from cyber are only going to increase as hackers find new ways to exploit system vulnerabilities and disrupt organizations. Consequently, cyber insurance has a central role to play in how a business manages and mitigates the risk. Cyber insurance can protect an organization’s balance sheet by providing a financial pay-out after things have gone wrong, but it also offers expert consultancy to improve security and on-the-ground incident response support during a crisis. Two of the key benefits of cyber insurance are pre-loss prevention to try and stop an incident from happening in the first place and post-loss services to help organizations recover more quickly.
Evolving cyber risks and privacy laws and regulations such as the EU General Data Protection Regulation (GDPR) have created a greater awareness of the financial impact of cyber risks and emphasized the need for organizations to increase their understanding of cyber insurance. Recent increased business interruption losses following a cyber-attack have also heightened awareness. However, many mid-market organizations remain under-insured and can benefit from Aon’s approach to cyber risk management.
Carrying out a cyber risk scenario analysis for example can be particularly useful in helping companies better understand their exposure. After that process they might decide to strengthen their own internal IT security and incident response preparedness before they consider buying cyber insurance cover.
Over the last five years, more internal stakeholders have become involved in helping to recognize cyber risk within a business which has helped to develop better knowledge around cyber threats and, in turn, increased the understanding of the value of cyber insurance.
