Rethinking organizational resilience in response to the evolution of cyber attacks

While cyber security protection is still important, the focus is moving to a ‘When, Not If’ approach to cyber breaches. Coupled with changes in the targets and methods of cyber attacks, this means that organizations need to review their approach in this area. Mark Saville explores…
Earlier this year Ciaran Martin, Head of the UK’s National Cyber Security Centre, declared that organizations should plan for a ‘When, Not If’ scenario when assessing their risk from a significant cyber attack. Soon after, John Drzik, President, Global Risk & Digital at Marsh, told the World Economic Forum that, by Marsh’s estimate, cyber attacks cause economic losses of $1trn annually, and put this figure in context by comparing it with the $300bn of economic loss caused by natural disasters in 2017.
Up-to-date cyber security protection remains essential; we should not make it any easier for criminals who are sophisticated in their approach and have industrialised their methods for locating and exploiting any vulnerability they discover. But the message from Ciaran Martin was clear: planning for organizational resilience means accepting that you will be breached, ensuring that you can identify and contain the breach to prevent a recurrence, and having a tested plan that enables you to recover with the integrity of your data intact.
For many years, IT disaster recovery within business continuity planning has focussed on geographically dispersed, highly available IT infrastructure. This is achieved through replication or clustering technology that maintains near real-time copies of the same data at every location. The approach comprehensively protects against environmental or localised threats such as hardware failure, fire, flood or power outage, but it is now also a very efficient distribution mechanism for the effects of malware: data encrypted by ransomware at one site is faithfully replicated to every other site within seconds.
Organizational resilience planning now has to contend with systems in multiple data centres in different locations being compromised simultaneously, and adopting public cloud services neither addresses nor transfers this risk.
A typical cyber attack in 2018 is focussed on damaging the real and unique asset that organizational data represents, and this requires a rethink on how we plan for recovery.
Having surveyed over 570 end user organizations, the Business Continuity Institute published the findings of its fourth annual Cyber Resilience report in July 2018. For the first time, cyber attacks became the number one business continuity threat. The report also cited the top three attack types as phishing and social engineering, malware and ransomware, and in each case the objective is to compromise the integrity of data. We are seeing the evolution of threats that target data rather than IT infrastructure, building on the very public success of WannaCry and NotPetya.
What can be done to prepare effectively for recovery from a cyber attack that compromises your data?
The options look more like data backup than high availability of systems, and a return to the 3, 2, 1 of good data protection practice is a start:
3 copies should be retained as a minimum: the source and at least two backups. Any one backup copy may be compromised, so keeping multiple copies increases protection;
2 separate infrastructures, using different hardware, storage, firmware and software, so that the architecture of the recovery systems is completely isolated from that of the operational systems and there is no single point of failure;
1 copy, at least, kept offsite. Physically separating the operational and backup copies protects against localised threats and prevents immediate compromise of the offsite data, provided that copy is not kept in continuous synchronisation with the operational systems.
The experts at the Business Continuity Institute also recommended that organizations identify their critical data, the minimum needed to operate the business; that they create ‘gold’ copies of this data, keep them updated and store them in an offsite vault; and that they select a backup service or solution with known high recovery rates.
The likelihood of a successful recovery increases if the solution or service scans for malware, is updated to address emerging cyber threats, and regularly re-verifies its data stores to confirm the integrity of the data it is protecting offsite.
Organizational resilience after a cyber attack is only possible if the form of recovery can rebuild the operational data with a high level of integrity.
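The following script is an added example and is not code from the article or from Data2Vault. It illustrates two of the points above: a content manifest (SHA-256 per file) taken when a backup is written and later used to re-verify each copy, and a check of the 3, 2, 1 rule as the article interprets it (copy count, distinct media, an offsite copy, and isolation from the operational systems). The sample files, the two backup copies and the "ransomware" that overwrites a file are all constructed inline; the `BackupCopy` fields and function names are this example's own assumptions, not any product's API.

```python
"""Re-verify backup copies against a content manifest and check the 3-2-1 rule.

Added example, not from the original article. Paths, file contents and the
ransomware simulation are constructed here so the script runs offline.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's relative path to its SHA-256, recorded when the backup is
    written. Keep the manifest with the isolated copy, not beside live data,
    otherwise an attacker who can rewrite the data can rewrite the hashes too."""
    manifest: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_copy(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Recompute hashes for one copy and report every deviation from the manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


@dataclass
class BackupCopy:
    name: str
    root: Path
    medium: str      # assumed label, e.g. "disk-array", "object-storage", "tape"
    offsite: bool
    isolated: bool   # not reachable with production credentials or by replication


def check_321(copies: list[BackupCopy]) -> list[str]:
    """Return the 3-2-1 failures for a backup set; an empty list means compliant.
    Counts the source as one copy, as the article does."""
    problems = []
    total = 1 + len(copies)
    if total < 3:
        problems.append(f"copy count {total}, need at least 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("backup copies share a single medium")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    for c in copies:
        if not c.isolated:
            problems.append(f"copy {c.name!r} is reachable from production and would replicate a breach")
    return problems


def demo() -> dict:
    """Constructed scenario: ransomware encrypts a file on the source; the
    replicated copy receives the damaged bytes, the isolated vault does not."""
    base = Path(tempfile.mkdtemp(prefix="r321-"))
    src = base / "source"
    src.mkdir()
    (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
    (src / "customers.json").write_text('{"acme": {"tier": "gold"}}')
    manifest = build_manifest(src)  # taken while the data is known-good

    copies = [
        BackupCopy("replica", base / "replica", "disk-array", offsite=False, isolated=False),
        BackupCopy("vault", base / "vault", "object-storage", offsite=True, isolated=True),
    ]
    for c in copies:
        shutil.copytree(src, c.root)

    # Simulated ransomware: the source is encrypted and near real-time replication
    # pushes the same bytes to the non-isolated copy. The vault is untouched.
    for root in (src, copies[0].root):
        (root / "ledger.csv").write_bytes(b"ENCRYPTED:" + bytes(range(32)))

    return {
        "policy": check_321(copies),
        "replica": verify_copy(copies[0].root, manifest),
        "vault": verify_copy(copies[1].root, manifest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script and the replica reports `ledger.csv` as modified while the vault verifies clean; the policy check passes on copy count, media and offsite placement but flags the replica as reachable from production. In a real deployment the manifest should be written once and kept with the isolated copy (or signed), and the verification scheduled to run against every copy, so that a corrupted or encrypted copy is discovered before it is the one you need.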
We are now seeing the convergence of data protection (backup and recovery) and cyber security. Creating or updating a recovery plan to address the ‘When, Not If’ scenario is not a reflection of poor cyber defences; it means that organizational resilience is your priority, and that your recovery plan has evolved in line with emerging threats and the latest independent advice from the National Cyber Security Centre and the Business Continuity Institute.
The author
Mark Saville is a director of Data2Vault.
If you would like to know more about converged data protection and cyber security services, or how Data2Vault’s Insured Data Environment could support your business continuity and organizational resilience, please contact [email protected]