How can businesses design and test disaster recovery?

Businesses can go into panic mode when the cybercriminals strike, but a well-tested disaster recovery plan will calm the nerves


If a business experiences a cyber attack, it should be able to resume basic operations quickly – provided it has a robust disaster recovery plan and has tested it regularly.

Pieter VanIperen is chief information security officer (CISO) at Own Company, a software as a service (SaaS) data protection and activation solutions provider. He says leaders mustn’t get bogged down thinking the priority is to get the whole company back to business as usual.

In reality, businesses need a plan to deliver their essential core services to customers as soon as possible – without losing too much data.

He cites the example of an airline that, on a normal day, would be taking bookings and checking people in online, supplying meals and running marketing campaigns. However, if that airline’s critical systems are suddenly attacked, leaders must know what minimum level of service is required to keep customers happy. 

For example, could it still get its flights in the air safely within a couple of hours without checking boarding cards digitally, serving meals or playing in-flight entertainment?

Get down to basics

VanIperen urges companies to boil down their operation to a list of things they simply cannot continue doing business without.

“Ensuring people can make reservations online or using analytics for dynamic pricing might be numbers four or five on an airline’s recovery plan. Companies do not have to wait until they can get everything running smoothly again.” 

VanIperen says organisations must be prepared to make impulsive and quick decisions when a cyber disaster happens, as was the case for most businesses during the Covid pandemic.

“You have to think about worst-case scenarios and how you would go from zero to a minimal level of service,” he says. “Testing for this eventuality does not mean shutting everything down, which can be impractical, but looking at core processes and seeing how you would cope if one of them went down for a few hours.”

He suggests that companies should consider how they would perform if they lost their usual online communication channels, such as email or Slack. Or consider what would happen if the person who retains most of the IT knowledge within the business wasn’t available during a cyber attack.

“You start at the point where the company has stopped operating completely and build up from there. Can you get your basic functions working to satisfy customers and generate some revenue? There is an art to disaster recovery.”

Test, test and test again

Many organisations will claim to review their disaster recovery plan. In reality, they rarely go beyond randomly testing different databases from time to time and ensuring their data is backed up. In truth, deeper testing is essential to establish whether the plan is rigorous and comprehensive enough should an attack render the business unable to function.

Often, organisations are also reluctant to test a disaster recovery plan thoroughly because, perhaps ironically, they worry about the disruption and cost of closing parts of the business down. However, when they do a test, leaders can be shocked by just how unprepared they are for a serious and sudden cyber attack.

“It can be a real eye-opener and a light bulb moment in understanding the potential threats to a business and the lack of preparedness for a quick recovery. This is why it is vital for organisations to start thinking about whether they have a disaster recovery plan and when and how they test it.”

Own Company’s advice is that testing should be as routine as a fire drill or servicing company cars so that enterprises are prepared for the unexpected.

“If you are not rehearsing potential disasters and training employees to deal with them, you will be panicking when something does happen,” says VanIperen. “It is unlikely you will be in the right frame of mind to recover as quickly as you could.”

VanIperen adds that when a business begins to experiment with different scenarios, it soon realises how getting those core services up and running can take longer than expected. “That time will be even longer when there is a real disaster because of the chaos. You need to have different issues ironed out before an attack happens.”

Shared responsibility

One dilemma for organisations is deciding who internally should be responsible for testing any disaster recovery plan. 

The task tends to fall to the IT department, but in reality every function should be involved, because this will become a fundamental business requirement as cyber threats grow.

“When systems go down, it doesn’t just harm the security team but it harms the entire business. Anyone in charge of a core function within the company must be involved. But other people within those functions should know what to do too, because when disaster strikes you do not know who will be available and when.”

He says companies can take their testing to different levels by adding extra chaos and assessing, for instance, how they would cope if one core function went down, such as finance or legal. 

How does the business manage and react? Does it have outsourced partnerships in place to help at short notice? This extra focus will make a business more resilient when a disaster does occur and things do not happen in the expected sequence or in the way the official plan predicted.

“To fight cybercriminals these days, businesses need to be like special forces. You need to train every day to be ready for when something unforeseen happens. Always troubleshoot for the things you are not expecting; the vastness of what you don’t expect is more likely what you will face than the few scenarios you expected,” says VanIperen.

For more information, visit owndata.com