How to Quickly Recover After a Third-Party Data Breach

I write all the time about how to prevent ransomware attacks and how the root cause in so many cases is an improperly secured third-party vendor. But even with strong internal controls and effective vendor management in place, a breach can still happen. Without the proper preparation, results can be disastrous.

AMCA, the medical bill debt collection agency at the heart of the massive Quest Diagnostics/Labcorp breach of 20,000,000 customer records, quickly filed for Chapter 11 bankruptcy earlier this year after it became clear that it could never weather the expenses and lawsuits coming its way. The consequences for smaller businesses can be equally catastrophic, with regional retailers, banks, and even physicians' offices closing following ransomware attacks.

So, planning for data breaches and thinking through disaster recovery before a potential issue happens should now be a baseline activity for all organizations. To improve your organization’s response to a cybersecurity event, here are some things to consider having in place to speed your recovery process:

The Right Tools: Backups

The most important tool of all is having good, current and offline backups. I say offline because with the rise of cheap online and disk-to-disk backups, many companies are neglecting to keep copies of their backups offline. Ransomware and cyber thieves can't touch offline backups if they are properly managed in a secure, offline location.
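"Good" and "current" are properties you can check rather than assume. The script below is an added example, not code from the original article: it archives a constructed sample directory, records per-file SHA-256 digests in a manifest, then performs a test restore into a scratch directory and compares every restored file against the manifest. It also flags the set as stale when the archive is older than an assumed one-day recovery point objective. All paths, file names, the RPO and the "tamper" simulation are assumptions for the demonstration; the offline part (moving the verified media out of reach of the network) is a handling step the script cannot enforce, but the same `verify_restore` check can be run before the media goes on the shelf and again when it comes back.

```python
"""Verify that a backup set is recent, intact and actually restorable.

Added example, not code from the original article. It creates a constructed
sample directory, archives it with a manifest of SHA-256 digests, performs a
test restore into a scratch directory and compares every restored file to the
manifest. The recovery point objective and all paths are assumed values.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # assumed RPO: a usable copy no older than one day


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source: Path, dest_dir: Path) -> Path:
    """Archive `source` and write a per-file digest manifest beside the archive."""
    archive = dest_dir / f"backup-{int(time.time())}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(file, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def verify_restore(archive: Path) -> dict:
    """Restore into a scratch directory and compare each file against the manifest.

    A backup that cannot be restored and checked is not a backup; this is the
    step a restore drill automates.
    """
    manifest = json.loads(manifest_path(archive).read_text())
    age_seconds = time.time() - archive.stat().st_mtime
    report = {
        "files_in_manifest": len(manifest),
        "mismatches": [],
        "error": None,
        "fresh_enough": age_seconds <= MAX_BACKUP_AGE_SECONDS,
    }
    # The "data" extraction filter (Python 3.12, backported to older patch releases)
    # refuses absolute paths and traversal inside the archive; fall back without it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_kwargs)
            for rel, expected in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file() or sha256_of(restored) != expected:
                    report["mismatches"].append(rel)
    except (tarfile.TarError, OSError) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    report["restorable"] = report["error"] is None and not report["mismatches"]
    return report


def demo(tamper: bool = False) -> dict:
    """Back up a constructed data set and verify it; with tamper=True the archive is
    overwritten to simulate a copy that was encrypted or corrupted after it was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "data"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,constructed sample\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")
        media = Path(tmp) / "offline-media"  # stands in for removable or vaulted media
        media.mkdir()
        archive = make_backup(source, media)
        if tamper:
            archive.write_bytes(b"CONSTRUCTED-GARBAGE-NOT-A-TAR-FILE")
        return verify_restore(archive)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(tamper=True), indent=2))
```

The manifest lives next to the archive, so a copy of both on the offline media is enough to re-run the check with no access to the original servers; the tampered run shows the kind of report you want to see during a drill rather than during an incident.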

The Right Tools: Logs

You will want to make sure that you have granular logs of any activity that might be relevant well before an incident. Having these audit logs will allow you to do the forensic research to get to the root cause, determine if there is any deeper damage, and help put back the pieces afterwards. You will want to have these logs centralized so that you aren’t looking through dozens of different servers and trying to understand the timeline of activity. Emerging technologies such as Vendor Privileged Access Management (VPAM) have these capabilities, specific to third-party vendor access, built in.

Note: Make sure you keep a sufficient log record that goes back far enough to be able to recover from an event that started weeks or months before. Hackers often lie in wait for a significant time period while their malware infects systems across the network. So, if your logs roll off after a few weeks, you may be missing critical data for your investigation and restoration process.
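To make the two points above concrete (one timeline across hosts, and retention that reaches back far enough), here is an added example that is not code from the original article. It merges constructed key=value log lines from three hosts into a single ordered timeline, follows a constructed vendor account across hosts, measures the gap between the first vendor login and the eventual impact, and checks whether a given retention window would still hold the earliest event at the time of detection. Hostnames, the `svc_billing` account, timestamps, the detection date and the retention windows are all assumptions.

```python
"""Build one cross-host timeline from constructed vendor-access logs and check
that log retention reaches back to the earliest event of interest.

Added example, not code from the original article. Hostnames, the vendor
account name, timestamps, detection date and retention windows are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs, one list per host, in a key=value layout. In practice
# these arrive from a central collector rather than being read off each server.
HOST_LOGS = {
    "vpn-gw": [
        "2019-07-02T03:14:07Z vendor_acct=svc_billing event=login src=203.0.113.45 result=ok",
        "2019-07-02T03:20:51Z vendor_acct=svc_billing event=session_end",
    ],
    "file-srv-01": [
        "2019-07-02T03:16:30Z vendor_acct=svc_billing event=smb_write path=/srv/share/tools/update.exe",
        "2019-07-28T22:05:12Z user=SYSTEM event=process_start image=update.exe",
    ],
    "db-01": [
        "2019-07-29T01:02:00Z user=SYSTEM event=file_rename count=48213 ext=.locked",
    ],
}

# Constructed detection time: the day encrypted files were first reported.
DETECTED_AT = datetime(2019, 7, 30, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<fields>.+)$")


def parse_line(host: str, line: str) -> dict:
    """Turn one key=value log line into a dict with a timezone-aware timestamp."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable log line from {host}: {line!r}")
    ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(token.split("=", 1) for token in match.group("fields").split())
    return {"ts": ts, "host": host, **fields}


def build_timeline(host_logs: dict) -> list:
    """Merge every host's lines into a single list ordered by time."""
    events = [parse_line(host, line) for host, lines in host_logs.items() for line in lines]
    return sorted(events, key=lambda event: event["ts"])


def hosts_touched_by(timeline: list, account: str) -> list:
    """Which hosts a given vendor account shows up on across the whole estate."""
    return sorted({event["host"] for event in timeline if event.get("vendor_acct") == account})


def dwell_time(timeline: list) -> timedelta:
    """Time between the earliest event in the timeline and the latest (the impact)."""
    return timeline[-1]["ts"] - timeline[0]["ts"]


def retention_covers(timeline: list, now: datetime, retention_days: int) -> bool:
    """True when the oldest event you need is still newer than the retention cutoff."""
    return timeline[0]["ts"] >= now - timedelta(days=retention_days)


def demo() -> dict:
    timeline = build_timeline(HOST_LOGS)
    return {
        "order": [f"{e['host']}:{e['event']}" for e in timeline],
        "hosts_for_vendor": hosts_touched_by(timeline, "svc_billing"),
        "dwell_days": dwell_time(timeline).days,
        "covered_by_30_days": retention_covers(timeline, DETECTED_AT, 30),
        "covered_by_14_days": retention_covers(timeline, DETECTED_AT, 14),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed data the vendor login sits 26 days before the file renames, so a 14-day retention window would already have rolled off the first event by the time anyone noticed; the `retention_covers` check is only as good as the earliest event you know to ask about, so when the first surviving event sits right at the cutoff, treat that as a sign that earlier evidence has already been lost.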

The Right Helpers

If you don’t have a dedicated, full-time disaster recovery or forensic staff, consider having an incident response firm on retainer that maintains these kinds of experts. They should be on call 24/7 to assist in your response and recovery. Also, having third-party experts to do your forensic work bolsters any criminal or civil action you may be considering following an incident.

Note: You should also consider reading your legal and PR teams in on any cyber-incident response plans and tests. They will be critical to helping you deal with press inquiries and threats of legal action. Plus, make sure you do regular reviews of your cyber-insurance policy to make sure that it covers all the areas needed and is sized appropriately for the full potential costs of any breach.

The Right Practice

You need to regularly test your cybersecurity recovery plan to make sure it works as intended. This should include walkthroughs, tabletop exercises where test scenarios are thrown out and reacted to by the team, and live simulations where you actually recover full servers and environments, not just individual data items. Since your business can't run on a recovered row or column, you need the whole database with all its supporting infrastructure. Test it, improve it, and test again.

Key takeaways for a quick recovery

Justifying a budget to create an incident response plan should be easy: just reference the AMCA case as an example of how a single incident took down a reputable company. Plus, it's important to note that the average cost of a data breach has now reached $3.8 million, but keep in mind that is just the average. The cost for your firm might be much higher, depending on your business and size.

With massive cybercriminal gangs and nation-state actors, any company can become the victim of a data breach or cybersecurity event. That makes considering the recovery process a critical part of an organization’s overall defense strategy. Planning ahead will pay tremendous dividends if the Grim Reaper visits your door.


Author: Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A. in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.
