The recent discovery by cybersecurity firm FireEye that they had been hacked and cyber security testing tools from one of its own suppliers had been compromised illustrates that no-one can be 100% immune from cyber criminals.
FireEye’s swift admission and response is admirable and will undoubtedly help reassure customers and help them tackle their own security concerns more effectively. In fact, the way the company focussed so quickly on repairing its reputation shows the importance of recovery in any organisation’s cybersecurity policy.
Companies are investing more and more in cybersecurity measures built around the principles of protect, detect, respond and recover. With finite resources, the dilemma is where to focus investment and the initial response is often to build a defensive wall around systems and data. But does this offer the best way to assure your company survives an attack?
A defensive approach may deter increasingly sophisticated cybercrime gangs who look for weaknesses to attack. Effective firewalls and protection will reduce the risk of a successful cyberattack, but no barrier is 100% effective; there will always be a weak point, often unwittingly provided by the human factor.
Assuming a breach will happen at some future point, you and your shareholders need to know that your business will recover control of its systems and data and restart operations as soon as possible after an attack. For balanced risk management, investment should therefore be distributed across detection, defence and recovery, especially at the start of a planned cybersecurity improvement programme when you are at your most vulnerable.
Cyber recovery is not disaster recovery
An important element of recovery is the point from which you have the data you need to start up again. Companies frequently rely on their routine back-up protocols – daily saves, weekly downloads and monthly transfers to an offsite storage facility – designed primarily for disaster recovery.
This may work against an immediate incident, such as a fire or flood, but criminal gangs are getting more sophisticated. When they could walk away with a relatively risk-free multi-million-pound pay-off from your continuity insurance policy, it’s worth them investing time and money in their plan of attack.
Months before an attack, hackers will look for ways into your back-up vault, a job often made easier if companies adapt their protocols to save time or money. Criminals may identify a disgruntled employee or even infiltrate one of their own into your organisation.
The result is that when you go to your back-up files, they’ve been wiped or encrypted over the past weeks or months, which means any data you can still access will be so out of date as to be useless for business recovery.
A cybersecurity breach is in many ways worse than a physical break-in because the burglars may still be in your premises after the attack has been detected, or they may have left a window ajar so they can return at a later date. In fact, the only way to be sure you’ve got rid of attackers is to “burn your house down” and start again from scratch.
This isn’t an option for any organisation, so it’s crucial for your recovery that you maintain a clean version of yourself, a “gold image”, to return to and start rebuilding from. This virtual version of your organisation must be as up-to-date as possible for a swifter recovery, contain only carefully designated key data and be kept behind a strong air-gap from your routinely running systems, to make sure the criminals can’t gain entry and hide inside.
All of this requires an active and well-funded recovery protocol far beyond a standard backup system in the event of flood or fire. However, our experience at Secrutiny has shown that while business recovery should be a key part of any cybersecurity plan from the outset, investment often only starts once defensive measures have already been erected around an IT system, by which time it may be too late.
Our Cyber Recovery services help clients to design a comprehensive recovery programme as part of that plan. We start with an audit of your business to identify those systems and data which are critical to a full and fast recovery of your business. Companies often focus on invoicing records and emails but forget about access codes to their IT systems.
We then look at stronger ways to keep that critical data safely isolated, using specialist software from companies such as Dell Software to create properly air-gapped data vaults and randomly-timed, fully automated, short-duration workflow windows. This allows movement of business critical data to an isolated environment via an operational air gap with minimal risk of interference.
An arms race is raging between security organisations to develop ever-tougher cyber protection software and the criminal gangs looking for new ways to beat it. The modern CTO faces a similar dilemma to that of a medieval knight; do you trust in thicker and thicker armour against increasingly deadly firearms? Or do you, instead, rely on agility, concealment and resourcefulness to recover and fight another day?