Adobe. Yahoo. eBay. Equifax. LinkedIn. When you first see these names, you would be forgiven for thinking this is a roll of honor of sorts. These are some of the most recognizable brands in the world. But they are on that list because they have also been the targets of some of the largest data breaches of the 21st century. And these five are just a fraction of the many global brands that have found themselves on the receiving end of a cyberattack. The message here is clear. No one is safe. No one is immune. Every organization should recognize (or at least assume) that it is in the crosshairs of one or more cybercriminals out there. Some cyberattacks are difficult to prevent due to their scale and sophistication. What is within the targeted organization’s control, however, is how it recovers from such attacks. A cyberattack recovery plan is therefore essential. Here’s a look at some of the areas it should cover.
1. Recovery team leader
Situations are more likely to spiral out of control when there is ambiguity over who is responsible for leading a response. Executing the cyberattack recovery plan effectively is dependent on having a designated leader. They would be in charge of putting the plan into motion as soon as an attack is confirmed.
Their exact title isn’t as important as their appointment. They could be referred to as the cyberattack recovery team leader, recovery plan coordinator, recovery plan leader, recovery lead, recovery manager, and so on. The team leader should be conversant with every aspect of the plan. They must have a deputy in case they are not available or reachable as soon as an attack is confirmed.
2. Recovery team
The recovery team leader will head a team of individuals who assist the leader in getting things done. A cyberattack response is inherently multifaceted, with various response activities meant to be carried out quickly and simultaneously. The team should be ready to work together for weeks if necessary as they focus on restoring operations after the attack.
The cyberattack recovery plan team should comprise both internal and external representatives. Potential members of the team include senior leadership, IT security experts, forensic IT experts, attorneys experienced in cyberattacks, cyber-insurance experts, and public relations staff.
3. Target identification
Recovery must begin with problem identification, as this is the start of resolution. If you don’t have a good grasp of the nature and target of the cyberattack, you risk misdirecting your recovery efforts.
Of course, sometimes the attack is too complex for internal IT security experts to fully map out. This is where external cybersecurity consultants who have experience with this kind of work would come in. They can help you determine what happened, when, to whom, and for how long.
Armed with knowledge of the problem, your next step is containment. Depending on the nature of the cyberattack, that may entail shutting down systems, disconnecting network segments, running a malware scan, closing problem ports, etc.
The faster the attack is diagnosed and contained, the less damage it will inflict. Containing the cyberattack is best led by the technical members of the cyberattack recovery plan team, including in-house IT security staff and external cybersecurity experts.
Problem identification and containment should give pointers that will form the initial basis for investigation. The investigation would be done by cyber-forensic experts. It would involve understanding how the incident originated and what gaps allowed its occurrence.
This is essential for charting the way forward, working with law enforcement, and absolving your organization or its employees of responsibility.
The public relations representative in the cyberattack recovery plan team may not have the technical knowledge of other team members. However, dropping the ball in communication can render all the technical work done to recover from the attack futile. Communication impacts the organization’s long-term brand reputation, customer trust, and legal compliance.
At a minimum, the business is under obligation to inform, as soon as possible, its customers, employees, regulators, and law enforcement agencies. Often, new knowledge of the cyberattack will emerge as time goes by. Therefore, communication is not a one-off event. It continues throughout the recovery as the enterprise seeks to keep all stakeholders informed.
8. Prevention of future cyberattacks
The prevention component of the cyberattack recovery plan will have short-term, medium-term, and long-term elements. In the short term, the vulnerabilities responsible for the attack have to be addressed immediately. These could be open ports, guest accounts, outdated software, and many other attack vectors.
In the medium term, more extensive testing and analysis of the organization’s cyber defenses would be necessary to preempt attacks that could occur through as yet undiscovered gaps. Over the long term, the organization may have to reassess its overarching cybersecurity strategy for more deep-rooted problems (such as enterprise culture) that could have facilitated the breach.
9. Alternate technology environment
A cyberattack may render the production environment malware-infected and unusable. In the first few hours and days, there is also inadequate knowledge of the true extent of the attack.
The organization may need to transition to an alternate technology environment in the interim to keep the business in operation. This is especially the case for crippling, pervasive attacks such as ransomware.
Cyber-insurance will not prevent an organization from being attacked. However, it can provide a soft landing in the aftermath and shield the business’s finances.
Compared to other forms of insurance, cyber-insurance is still in its infancy and evolving. Still, a cyber-insurance policy can cover the costs of forensic investigation, business interruption, data breach notification, lawsuits, legal settlements, regulatory fines, extortion, and reputational harm.
Create the cyberattack recovery plan early
A cyberattack recovery plan should be designed well before a cyberattack occurs. It must be subjected to regular drills, tests, and exercises so that everyone knows what is expected of them in the aftermath of an attack.