Cyber attacks are like earthquakes. There is the immediate shockwave when an incident occurs, as you hurry to identify the source of the breach, plug the vulnerability and fulfil your immediate regulatory requirements.
Then come the secondary waves that produce new problems. For example, how have essential operations been affected, and what are you doing to protect and restore your reputation?
Organisations often overlook the damage that these lingering problems cause, and the consequences can be far more expensive than they bargained for. According to one report, organisations could spend £3.6 million or more recovering from a security incident – and without appropriate processes in place, that figure could be much higher.
It’s why experts recommend a layered approach to cyber security that accounts for the steps organisations must take after an incident has occurred in addition to measures designed to prevent breaches.
The framework is known as defence in depth, and it contains five interrelated stages. Even if one of these defensive layers is breached, the next works to further contain the damage.
We’ve been looking at each stage on our blog, explaining what it encompasses, how it fits into an organisation’s overall approach to cyber security and the controls that can be implemented to establish it.
Having previously discussed the first four stages – detection, protection, management and response – we now turn our attention to the final layer of defence in depth: recovery.
What is threat recovery?
When all other lines of defence fail, you need to ensure your organisation can survive.
More often than not, you will be able to restore enough critical services to keep functioning, but it can take months to fully return to business as usual. In the meantime, you need a plan for how you will manage, and you need the resources to implement that plan.
For a start, you need business continuity and disaster recovery plans. Business continuity is about ensuring that your organisation continues to operate in the event of disruption. It’s a way of temporarily addressing a problem until you’re able to address the underlying issue.
For example, say your office is flooded. A business continuity plan would outline how to secure your important assets and how to ensure staff can continue to work.
Meanwhile, disaster recovery is the process of resolving the disruption. At its most basic level, it involves identifying the source of the incident and finding a way to fix it.
These plans are usually very technical and focus on specific deadlines that must be met to prevent catastrophic damage. They will include things such as RTOs (recovery time objectives), which are estimates of how long it will take for a product, service or activity to become available again following an incident.
Comprehensive documentation ensures that the organisation is prepared for whatever happens, but implementing these plans can be expensive. This is where cyber insurance helps.
Policies provide organisations with the means to implement incident response measures, such as forensic investigation, legal assistance and public relations support.
These activities aren’t typically included in standard business insurance policies, which usually only cover costs related to technical issues, such as corrupted hard drives and lost devices.
How we can help
If you want to know more about defence in depth or incident recovery, IT Governance is here to help.
We have webinars on each of the five stages of defence in depth, hosted by IT Governance’s founder and executive chairman, Alan Calder.
Stage 1 – Detection, Stage 2 – Protection and Stage 3 – Management are available to download now. You can also register for Stage 4 – Response on our website.
The presentation takes place on Wednesday, 16 November, from 3pm. Hosted by IT Governance’s founder and executive chairman, Alan Calder, this webinar explains the measures that organisations should implement to prevent and contain security incidents.