Two schools of thought exist for Business Continuity strategies in relation to ransomware and cyber-attacks. One side argues that having a DR plan automatically means that data is protected from a cyber-attack, whereas the other side argues that a business needs a completely separate cyber-attack recovery plan. And depending on the age and scope of an organization’s DR strategy, both of those views may have a bit of truth in them. However, it’s important to see an alternative perspective when hardening a DR strategy. Perhaps both camps can offer improvements against cyber threats and traditional disasters, encouraging an organization to adopt the best options available.
Cyber Threats Grow Each Year
The cybersecurity landscape is enormous. Cybercrime estimates from 2019 said that a ransomware attack was occurring every 11 seconds, and that recovering from an event without a cyber-hardened DR strategy took several weeks. If you can imagine how threats have grown since then, you can also imagine how investing in guard gates alone isn’t enough. Eventually, a protective strategy will fail. Is your DR plan attack-ready for a ransomware event?
Here are a few tips to align your existing DR strategy with modern times:
1. Delineate Regular Recovery vs. Cyber Recovery
After a cyber-attack such as ransomware, there are usually additional steps needed: cleaning the recovered workloads and isolating the attacked machines for forensic purposes. A traditionally prepared-for disaster, such as a weather event or a power outage, differs from a new, ever-evolving cyber event like ransomware. Businesses must include steps to recover from both event types in their DR runbooks, but do so with an understanding of the nuances of each approach. Because of these differences, businesses should also understand the impact on a typical recovery time objective (RTO) target, and the DR plan must set adjusted expectations for this type of event.
2. Include These Aspects in Your DR Strategy
Including air gapping, immutable backups, and multi-factor authentication (MFA) may seem like small details in the larger spectrum of resiliency, but they can make all the difference during a ransomware attack. Air gapping prevents the spread of the ransomware and eliminates attack vectors, protecting all your recoverable data from widespread, immediate infection. Immutable backups prevent cybercriminals from simply deleting or encrypting your backups before an attack, something we are starting to see happen. And MFA is crucial to prevent one of the simplest attack vectors, where cybercriminals infiltrate by posing as one of a company’s own employees.
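To make the immutability and MFA points concrete, here is an added audit routine (example code written for this page, not InterVision’s own tooling) that evaluates a cloud backup bucket’s settings against those controls. It assumes the two input dictionaries have the shape of the AWS S3 GetObjectLockConfiguration and GetBucketVersioning responses; the sample values and the 30-day minimum are constructed for illustration.

```python
"""Audit a backup bucket's immutability and MFA-delete posture.

Constructed example: the input dicts mirror the shape of the S3
GetObjectLockConfiguration / GetBucketVersioning API responses,
but the values are made up and no AWS call is made.
"""
from dataclasses import dataclass, field

# Hypothetical policy: backups must outlive an attacker who holds
# valid credentials for at least this many days.
MIN_RETENTION_DAYS = 30


@dataclass
class Finding:
    ok: bool
    issues: list = field(default_factory=list)


def retention_days(rule):
    """Normalise an Object Lock default retention (Days or Years) to days."""
    ret = (rule or {}).get("DefaultRetention", {})
    return ret.get("Days", 0) + 365 * ret.get("Years", 0)


def audit_backup_bucket(lock_cfg, versioning, min_days=MIN_RETENTION_DAYS):
    """List why this bucket would not survive an actor who has taken
    over the backup account; an empty list means the controls hold."""
    issues = []
    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        issues.append("Object Lock disabled: backups can be deleted or overwritten")
    else:
        rule = lock.get("Rule", {})
        mode = rule.get("DefaultRetention", {}).get("Mode")
        if mode != "COMPLIANCE":
            # GOVERNANCE retention can be lifted by a principal holding
            # s3:BypassGovernanceRetention, so it is not truly immutable.
            issues.append(f"retention mode is {mode}, not COMPLIANCE")
        if retention_days(rule) < min_days:
            issues.append(f"default retention {retention_days(rule)}d is below {min_days}d")
    if versioning.get("Status") != "Enabled":
        issues.append("versioning disabled: an encrypted upload replaces the good copy")
    if versioning.get("MFADelete") != "Enabled":
        issues.append("MFA Delete off: a single stolen key can purge old versions")
    return Finding(ok=not issues, issues=issues)


# Constructed sample: a bucket that looks protected but is not.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
WEAK_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}

if __name__ == "__main__":
    for issue in audit_backup_bucket(WEAK_LOCK, WEAK_VERSIONING).issues:
        print("-", issue)
```

The same check can be fed live responses from an S3 client to verify that a backup target is actually immutable rather than merely versioned.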
3. Your Datacenter May Become a Crime Scene
One of the first steps when faced with a cyber-attack is usually to get cyber insurance involved. Often regulators, law enforcement, or even the insurance company itself require that the environment be preserved for forensic investigation. When this happens, organizations must have the capacity to restore normal operations without risking further breaches. Even if your datacenter isn’t locked down, can you trust a compromised datacenter? Even where there is no such risk, will you have enough storage capacity to recover while maintaining the isolated source workloads? These are concerns that organizations must strategize around. Keep in mind that you are selecting an environment that could become the home for your operations should your normal environment be inaccessible indefinitely. This challenge is why so many organizations have been interested in targeting their DR plans to the cloud, such as AWS or Azure. The cloud allows easier mobility into subsequent environments should you lose existing environments for long periods of time.
Evolving Your Strategy to Address New Threats
Cyber threats won’t be diminishing. As resiliency strategies improve, cybercriminals will evolve to continue to make a profit. Building a process for ongoing iteration into your DR strategy will go a long way toward establishing a reliable future for the business. A common solution for those who are overburdened is to offload these responsibilities to a trusted third-party expert.
*A version of this article was first published on InterVision’s website.