10 Steps for Increasing Cyber Resilience
Cyberattacks happen, and even the largest organizations with the most well-funded security programs aren’t immune. That doesn’t mean that cybersecurity is worthless or that cyberattacks are inevitable. Chances are high, though, that a cyberattack, data breach or some other disaster that disrupts your IT operations could occur.
If one did, would your organization be able to continue operating or at least resume operations quickly? Ensuring your organization is cyber resilient can help ensure it could.
Cyber resilience is the ability to prepare for, defend against, respond to, and recover from cyber incidents while continuing to operate effectively. It encompasses cyber security, as well as risk mitigation, disaster recovery, business continuity, and business resilience.
While every organization’s approach to cyber resilience will vary, the following steps can help set a strong foundation. In many cases, these steps feed into each other and will be essential for providing a complete picture of what needs to be done to help your organization avoid the negative consequences of IT-related business disruptions.
1. Define “business as usual.”
Identify the operations, services, and/or functions required for your organization to be considered “operational” or able to conduct “business as usual.”
Does being operational require things like making sure transactions can be conducted on your website or that customer service is able to handle support issues? What is the very least you need to offer to your stakeholders to keep them happy – and what is optimal?
What is necessary to make sure you don’t run afoul of regulatory requirements? What hardware, software or other IT assets enable the required services or functions? Also, consider the direct and indirect costs your organization could incur if it experienced downtime for any length of time.
2. Audit and document your IT assets.
Your IT assets are critical to your operations. If a cyber incident occurred, which would be the most essential for protecting and/or recovering first?
Conduct a thorough audit of all your IT assets, including hardware, software, applications, and data. Make note of what each does, where it is, who has access to it, how it impacts your other IT systems and its criticality in terms of its importance to your organization’s operations.
Provide as much information as necessary to understand the importance of the asset to your business and the implications if a cyber incident took it out of operation temporarily or permanently.
If feasible, consider creating a “digital twin” – a simulated model – of your organization and its IT assets and processes to better visualize the interconnections between and potential impacts of your IT assets and operations.
Download Now: Tip Tips to Combat Ransomware
3. Perform a business impact analysis (BIA).
A BIA can help you more clearly understand the operational, financial and reputational effects to your business if any of your IT assets were not available. Look at the assets individually. Use information from the previous two steps to determine their importance to your company’s ability to conduct business. Establish the priorities for restoring business functions and related data or applications. Don’t forget about any compliance requirements.
This exercise will help you better understand the importance of each asset and the priority that should be assigned to it in terms of security, incident responses, backup operations and disaster recovery.
4. Conduct an IT-specific risk assessment.
Examine the vulnerability of your IT assets to cyber incidences such as malware infections. Look at all possible scenarios, as well as weaknesses that could make your IT assets susceptible to business disruption.
Whether as part of the assessment or in addition to it, review and evaluate your organization’s existing IT security practices and protocols. Engage a third party to conduct a vulnerability or IT security assessment if you don’t have the resources to do it internally.
Also include a review of the risks associated with any third parties that interact with or have access to your IT assets. This will also help identify potential vulnerabilities and security gaps.
5. Create a cyber incident playbook.
Develop a playbook for dealing with common cyber incidences, including any identified in the risk assessment. Work with various IT asset owners, as well as your own IT team, to create a list of potential cyber threats for each asset. Include cyberattacks such as ransomware, as well as insider threats like accidental deletion by a user. Build out scenarios for each. Consider the various ways these cyber incidences could play out if they’re dealt with immediately, put on the back burner or ignored.
Make a checklist for actions to take, including alternative actions in the case of unusual or unforeseen circumstances. Assign roles and responsibilities. This will inform the incident response (IR) plan that follows. Continuously analyze the risks of every interaction between users and networks, endpoints, applications, data and even other users.
6. Implement an Incident Response (IR) plan.
Use the information from your cyber threat playbook to create a thorough IR plan. It should cover preparation, detection, response, recovery, and follow-up. Specifically, it should specify:
- What needs to be done in the event of a failure or breach
- Who is responsible for the required actions
- How to get back to normal operations as quickly as possible
- How to recover data, if data has been lost or accidentally erased How and when to communicate the incident to stakeholders
- How failures should be reported to regulators (which may be a regulatory requirement in your jurisdiction)
- How to assess and report the impact of incident responses
There are industry standard incident response frameworks from organizations such as NIST and SANS that provide general guidelines on how to respond to an active incident. Your organization’s IR plan, however, should be much more specific and actionable.
Frequently review, update and test it. Make sure you communicate it to the appropriate parties and implement frequently training to make sure everyone knows what to do and when.
Know the Difference: Data Protection Portfolio Comparison
7. Determine your RTO and RPO requirements.
An important component of incident response, and cyber resilience in general, is data backup and recovery. Some data you may be able to do without and still stay in business. The loss of other data could put you out of business. Determining RTO and RPO will provide critical guidance.
RPO refers to the point back in time from which you want your critical data restored after a system disruption or failure. It tells you how much time from the point of the outage you can afford to lose. RPO can be measured in intervals ranging from minutes, hours, or even days. A smaller RPO means that less data is lost, which is critical for normal business operations.
RTO refers to how quickly you must restore access to data and IT systems after a disaster or other business-disrupting event occurs, so your business can be up and running again. It’s less about data loss, and more about having the application or data available. By quantifying and ranking the RTOs for each critical process, you’ll be able to prioritize resources to restore the ones with lower RTOs before the rest of them.
8. Create and deploy a backup and recovery strategy.
Knowing your RPO and RTO will help you implement a backup and recovery plan.
Backup entails making copies of data files at intervals. It could be hours or days between copies, depending on your business requirements. The copies are saved to an off-site hard drive, tape, disk or to a virtual tape library (VTL). Or you can use cloud-based backups that you can access any time, from anywhere. Some providers offer backups as a managed service, handling everything from remediation of backup failures to system/file restores to source.
The techniques used will depend on the type of data you’re backing up and how convenient you want the recovery process to be. It may take time for your IT staff to retrieve and recover the data, so backup is usually reserved for data you can do without for 24 hours or more. Application performance can be affected each time a backup is done.
Your plan may also include data replication. It differs from backup in that it copies data in real- or near-real time, so you have a more up to-date copy. Replication is usually performed outside your operating system, in the cloud. Because a copy of all your mission-critical data is there, you can “failover” and migrate production seamlessly.
Replication copies every change, even if the change resulted from an error or a virus. To access data before a change, the replication process must be combined with continuous data protection or another type of technology to create recovery points to roll back to if required.
9. Review, test and update your DR plan.
Disaster recovery (DR) is a subset of business continuity (BC); both play key roles in cyber resilience. DR specifically focuses on getting essential data and IT systems back up and running after a disruptive event such as a ransomware attack. The emphasis here is on “after” as you want your data saved somewhere so it can be recovered after the business-disrupting event. Note that the data is not accessible during the disruptive event. It must first be recovered, and the speed at which it is recovered is dependent on the planning, resources and processes that are set forth and tested in the DR plan.
If you don’t have a tested DR plan in place, get one. If you do have a plan in place, make sure it’s tested and works as expected.
10. Consider managed security services.
Strong cybersecurity can strengthen your organization’s cyber resilience. However, it’s hard to stay on top of all the emerging cyber threats. It’s also difficult to recruit and retain experienced IT security experts. Managed security services enable you to take advantage of the leading-edge security technologies and specialized security expertise that outside firms can offer—and without any upfront capital investment.
Managed services are also available for incident response, vulnerability management and other security-centric activities. In addition to tapping the latest knowledge in these areas, using managed services for any aspect of enhancing your organization’s cyber resilience frees up your staff to focus on other business-critical activities.
Talk to US Signal
There are many more IT solutions, practices and protocols that can enhance cyber resilience. Following the 10 steps outlined in this blog will give you a good start. US Signal can help.
From HIPAA- and PCI-compliant cloud services to vulnerability management, US Signal offers a comprehensive, constantly growing portfolio of solutions to help organizations strengthen their cybersecurity and cyber resilience.
You can learn about some of them at the following links:
Security Advisory Services
Better yet, talk to a US Signal solution architect. Learn how US Signal can create a solution to meet your organization’s specific IT needs while enhancing its overall cyber resilience. Call (866) 274-4625 or email [email protected].