Why planning recovery from a cyber attack is important
By Simon Heath, Director, The Final Step
Often, but not always, I check the fire exit plan on my hotel room door to understand how to get out in a fire.
That's because one night, in San Francisco, I had to evacuate because of a fire. The corridor was a bit panicked with guests. I thought I knew enough not to take the lift and to advise those doing so against it. I followed the crowd to the stairs. After descending a few floors, we met smoke coming up. We now knew this wasn't a drill and making a good decision felt more urgent. Should we keep walking down; walk upstairs instead; or go back into the corridor to find another stairwell? None of us had looked at the map or knew our options.
Most of us tend to ignore fire drills, signs and extinguishers, but they are worth paying attention to every now and then. If you ever need them for real, being familiar with the detail keeps you calm and gives you options.
Cyber "attacks" are intended to knock us off-balance. Criminals want us chaotic with limited options so that paying a ransom makes sense. Planning and practising how to recover your operations in an emergency helps you take back some control.
If you want to be better prepared to deal with this problem, you need to pay it some attention and think ahead.
Practice makes perfect, or at least good enough
Practising your plan is valuable because of what you are going to learn from it and how you are going to improve your resilience. The first time we practised our own we realised the recovery plan we printed out wouldn't have been available to us. In the scenario we were testing, the printer we just used would not have existed and nor would the storage location of our plan.
That was the first of many learning points. I would say that if you don't learn anything from a recovery drill you are probably not thinking about it in the right way. The aim is to recover better and quicker whilst accepting it will never be as full, or as quick, or as painless as you want it to be.
These drills take place outside of normal office hours to avoid disrupting your business and clients, although the plan should include how you are going to communicate with clients when it happens for real and you can't service them. It's best that the drill involve your own staff as well as your IT provider. You learn more this way. We once had a client report that a continuity solution was unworkably slow. It turned out this was due to them working on a Mac and on public WiFi, neither of which was "in the plan". Here was a conflict between what the plan said and what people in the real situation would actually want to do.
Watch Tony Thomas, Vice President of Strategy at ConnectWise, talking about resilience and citing The Final Step's fire drill approach as building peace of mind for organisations in the short video below.
Recovery mindset leads to peace of mind
There is a huge variance in how small and medium-sized businesses approach cyber security and recovery. It varies from "it will never happen to me" to "let's get ISO 27001 certified".
When we had to evacuate that hotel in San Francisco, what ended our stairwell dithering was a firefighter coming up the stairs telling us all to keep going down, despite the smoke. That was still our safest, quickest way out.
If you are of a mind to improve your resilience, it is good to find a trusted partner whose advice you can rely on. Resilience is born not just of the right tools, but of setting expectations and practising your ability to meet them.
Non-technical business owners are going to want some expert input in order to make important decisions for their organisations:
- In a recovery situation, what are the organisation's expectations? How much data can we afford to lose? What downtime is acceptable? In what order should we recover systems?
- What are my particular risks, how can I mitigate them and where does recovery fit in?
- Top tip: Listen to our founder Raja Pagadala talk to Richard Tubb about how he approaches the problem of Business Continuity and Disaster Recovery and how it is nothing to do with the underlying technology: it is a mindset.
How do I build an approach for me that gives me peace of mind?
As risks, technology and your environment change, you are going to need to adjust your plan. But you have to start somewhere. Here's a high-level view of how to start planning your response to an incident.
- Set expectations. What risks do you want to protect against? And, as mentioned before, what are reasonable and achievable targets for data loss, downtime and priorities for restoring services?
- Define your response team. They will be a combination of internal and external people with the following responsibilities: technical, legal, HR, communications, insurance and compliance. You will want a separate list and method for contacting them on the assumption your own systems may be down.
- Create a set of plans. Naturally we focus on the technical incident response plan, but members of the team will have their own plans to dovetail with that. For example, a communications plan to keep clients and all other parties informed.
- Practise the technical incident response. This is a list of steps to perform, including the priority order in which to restore systems and put in place continuity workarounds. All practices and real incidents should have a real-time log of what was done. This is important for notifications and for reviewing, so that improvements can be made.
- Review and improve. Apply the learning from practice drills, and also modify the plan as circumstances change.
James Clear says: "When you need to learn quickly, learn from others. When you need to learn deeply, learn from experience." Even for small and medium-sized businesses, a cyber security incident is considered an inevitability. So, it's really a question of whether you want to get ready before it happens or if you are okay to learn in the middle of it.
Not sure where to start?
If you want more on how to make your business unstoppable in the face of increasing risks, here are some resources: