One of the top benefits of a Business Continuity Plan is that it helps the business react more quickly and effectively to disruptive events like cyber breaches. In the face of new and emerging legislation like GDPR and CCPA that mandates tight timeframes for breach reporting, this is more important than ever.
But when an information security breach or cyber-attack occurs, compliance with reporting guidelines isn’t the primary concern. If hackers were able to compromise your systems in the first place, chances are they weren’t planning on a “one and done” scenario. The harm they could do to you during recovery could be much worse than the initial attack.
Returning IT Systems to a Trusted State
To give your organization a fighting chance after it’s been knocked down, you need to recover IT systems and data not just to an up-and-running state, but to a trusted state. This means taking specific steps in the correct order as soon as possible to minimize impacts, mitigate risk and protect the business now and going forward.
If these steps are known, planned and agreed in a Business Continuity Plan (BCP), recovery will flow much more smoothly than if the activity is unplanned and ad hoc. Post-breach bungling not only increases risk exposure but has also proven to be a major source of reputational damage even to major multinationals like Yahoo, Target, and Sony.
Roll Back to the Most Recent Backup
It’s highly likely if you have real-time mirroring or even near-real-time mirroring that the hack has infected your most current backups as well as your primary system(s). To recover your data to a trusted state, you need to roll back to the most recent backup that you know wasn’t compromised by the hack.
How far back do you have to go? That usually requires in-depth analysis and testing of the compromised system(s), and then looking backward at your backups. Therefore, from an IT perspective, you need to go beyond fixing the damage/symptoms and mitigate the “cause” and associated vulnerabilities, or you’ll shortly be hacked again.
Assess Your Network
As part of analyzing compromised systems, it’s a best practice to assess the state of your entire network infrastructure to uncover both exploited and potential access points. Any device on the network, from routers to printers to VoIP phone systems are potential attack vectors that also need to be evaluated and, if necessary, recovered to a trusted state.
Post-Breach Recovery Challenges
With so much forensic analysis, testing/assessment, reporting, system reconfiguration, etc. involved, no wonder the average cost of a data breach in 2018 was estimated at $3.86 million. But cost and time aren’t the only challenges. Not every business has the necessary depth of expertise to conduct these kinds of open-ended, ongoing analyses in-house.
Because post-breach analysis can be so involved, the business impact analysis (BIA) that should be part of your recovery plan is critical. If you’ve done a BIA, you know how to prioritize the recovery of key systems and the underlying infrastructure. In most cases, it makes sense to recover the hosting infrastructure to a trusted state before proceeding to systems and data—because if the infrastructure itself is compromised, “disinfecting” individual systems, databases and applications won’t address the systemic issues, leaving everything else prone to “reinfection.”
Another way that a BCP supports recovery from a cyber-attack is by helping to create a holistic view of the process that identifies team members and shared responsibilities. This reduces the likelihood of counter-productive finger-pointing, promotes honest disclosure to stakeholders, and facilitates people and teams working together towards a common goal of strengthening the security posture.
To connect with an expert to review your current state of business continuity planning and cyber incident response, contact Pivot Point Security.