
CIR BC Strategies: Recover

Written by Moh Heng Goh | Nov 23, 2022 3:21:37 AM

Recovery strategies are the procedures that can be executed to ensure that the organization can resume operations of its critical business functions (CBFs) once the influence of cyber criminals has been eliminated from its systems.

Such strategies are developed during peace time, drawing on information from the RAR and BIA, so that the organization can continue to provide products or services to its customers during a cyber security attack.

1. Backup

Backup refers to making copies of data so that there is a secondary source of information should the primary copy be modified, tampered with or deleted. This should be a regular practice for all organizations (Csaplar, 2017) because it is essential and straightforward. Whether it is a departing employee deleting data maliciously or an employee accidentally deleting or overwriting files, backup plays a critical role in ensuring the availability of the data.

1.1 Backup Best Practices

Although backing up data is easy, it should not disrupt ongoing operations. Backing up data regularly limits the data lost when a breach occurs and keeps the Recovery Point Objective (RPO) short. However, specific systems and applications have to be shut down to be backed up, so their data can only be backed up during specific periods – usually in the morning when few workers are present. For processes that run throughout the day, the backup technology installed must be able to detect changes in data at regular intervals.

All data types, whether on physical or virtual servers, must be backed up. Because modern data centres contain a diverse mix of infrastructure and software, the backup technology must be able to protect all of them.

Files, applications, volumes and settings required to support full server replication must be copied, as recovery requirements are unpredictable: the organization does not know in advance which data a breach will affect. It is therefore better to be prepared by backing up everything, so that the affected data can be replicated as soon as possible.

A common misconception among organizations engaging cloud providers is that the cloud vendor will provide backup. The organization's IT department is responsible for backing up both data (physical and virtual) from daily operations and cloud workloads. The organization, not the cloud provider, is responsible for its cloud backups.

Microsoft Office is widely adopted in many organizations to carry out daily operations, and its documents are stored as files. However, Microsoft permanently removes deleted files after 14 days, which is usually too late for someone to retrieve them.

Even within this 14-day window, recovering deleted files can take days. Organizations using Microsoft Office therefore need to establish their own backup system with self-service recovery capabilities that offer quick restores of deleted files.
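The two controls described above – detecting which files have changed since the last backup, and checking that the newest good copy is younger than the RPO – can be expressed in a few dozen lines. The script below is an added example, not code from the book or from any vendor: it builds a hash manifest of a directory, diffs two manifests to classify added, modified (including tampered) and deleted files, and checks the age of a backup against an assumed four-hour RPO. The directory contents and the RPO value are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

RPO_SECONDS = 4 * 3600  # assumed Recovery Point Objective of four hours (constructed value)


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB blocks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 and size of every file under root, plus a timestamp."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    return {"created": time.time(), "files": files}


def diff_manifests(old: dict, new: dict) -> dict:
    """Classify changes since the previous backup: what an incremental run must
    copy, and what a verification pass would flag as tampered or deleted."""
    old_files, new_files = old["files"], new["files"]
    return {
        "added": sorted(set(new_files) - set(old_files)),
        "deleted": sorted(set(old_files) - set(new_files)),
        "modified": sorted(
            f for f in set(old_files) & set(new_files)
            if old_files[f]["sha256"] != new_files[f]["sha256"]
        ),
    }


def rpo_met(manifest: dict, now: float, rpo_seconds: float = RPO_SECONDS) -> bool:
    """True if the backup is younger than the RPO, i.e. a restore from it would
    lose at most rpo_seconds of work."""
    return (now - manifest["created"]) <= rpo_seconds


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an accidental
    overwrite, a deletion and a new file, and report what the next run sees."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("acct,amount\n1001,250\n")
        (root / "hr_notes.txt").write_text("onboarding checklist\n")
        baseline = build_manifest(root)

        # An employee overwrites one file, deletes another and adds a third.
        (root / "finance" / "ledger.csv").write_text("acct,amount\n1001,0\n")
        (root / "hr_notes.txt").unlink()
        (root / "new_policy.docx").write_bytes(b"PK\x03\x04constructed")
        current = build_manifest(root)

    changes = diff_manifests(baseline, current)
    # A one-minute-old baseline meets the RPO; a five-hour-old one does not.
    changes["rpo_met_now"] = rpo_met(baseline, baseline["created"] + 60)
    changes["rpo_met_after_5h"] = rpo_met(baseline, baseline["created"] + 5 * 3600)
    return changes


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Storing the manifest alongside the backup (ideally on a different medium) is what turns a copy into a verifiable copy: a restore can be checked file by file against the recorded hashes before it is trusted.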

2. Off-Site Replication

Backing up data to have a secondary source of information is pointless if both the backup and the primary data are affected by the same event, whether malicious or accidental. Such scenarios are very detrimental because the organization then has to recover both the affected business functions and the lost data.

The IT department needs to carry out regular rotations of data backups that support the restoration of critical functions.
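Rotation is what guarantees that an event which corrupts the newest copy still leaves an older, clean one to restore from. The following is an added example, not from the book: a grandfather-father-son selection (an assumed policy of 7 daily, 4 weekly and 12 monthly copies) over 100 constructed nightly backups, plus a helper that picks the newest retained copy dated before a suspected compromise, which is the restore point an incident response team would actually use.

```python
from datetime import date, timedelta


def select_retained(backups, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son rotation (assumed policy, not from the page):
    keep the newest `daily` backups, the last backup of each of the newest
    `weekly` ISO weeks and the last backup of each of the newest `monthly`
    months. Anything else can be recycled. Input is an iterable of dates."""
    dates = sorted(set(backups), reverse=True)  # newest first
    keep = set(dates[:daily])

    def last_per_period(key, limit):
        # Newest first, so the first date seen in a period is its last backup.
        seen, chosen = [], []
        for d in dates:
            k = key(d)
            if k not in seen:
                if len(seen) == limit:
                    break
                seen.append(k)
                chosen.append(d)
        return chosen

    keep.update(last_per_period(lambda d: tuple(d.isocalendar())[:2], weekly))
    keep.update(last_per_period(lambda d: (d.year, d.month), monthly))
    return sorted(keep)


def newest_before(retained, compromise_date):
    """Restore point when everything from compromise_date onward may be
    tainted: the newest retained backup strictly older than that date."""
    candidates = [d for d in retained if d < compromise_date]
    return max(candidates) if candidates else None


def demo():
    """Constructed scenario: 100 nightly backups ending Sunday 2024-03-31."""
    end = date(2024, 3, 31)
    backups = [end - timedelta(days=i) for i in range(100)]
    retained = select_retained(backups)
    # Ransomware noticed on 28 March: roll back to the last clean daily copy.
    quick = newest_before(retained, date(2024, 3, 28))
    # Tampering that went unnoticed for a month: fall back to a monthly copy.
    slow = newest_before(retained, date(2024, 3, 1))
    return {
        "retained": [d.isoformat() for d in retained],
        "restore_point_recent": quick.isoformat(),
        "restore_point_old": slow.isoformat(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With these parameters the 100 copies collapse to 13 retained dates, and the two restore points differ by a month: that gap is the argument for keeping weekly and monthly copies off-site rather than only the last few nights.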

2.1 Off-Site Replication Best Practices

An organization can choose whether to store its data backups at its current location (where daily operations are carried out) or off-site. If the organization uses an off-site location (Csaplar, 2017) to store its data backups, it should engage a cost-effective vendor that provides dedicated services and support for remote backups.

Depending on the vendor selected, some organizations store their backup data in the cloud, where the cloud provider has security controls in place to protect it. In the event of a cyber security incident, the organization can then retrieve its backed-up data from the cloud.

An alternative practice is to use a technology called deduplication, which reduces the size of stored data by identifying redundant elements. As less data is stored, the storage required is reduced, and network transmissions are faster and less of a burden on internal bandwidth. Customer data in transit or at rest can be encrypted to keep it out of the reach of cyber criminals; this is mandatory in specific industries such as healthcare and finance.
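To make the deduplication mechanism concrete, here is an added example (not the book's or any vendor's code) of a content-addressed chunk store: data is split into fixed-size chunks, each chunk is named by its SHA-256, and a chunk already present is never stored or transmitted again. It also verifies each chunk's hash on restore, so a tampered chunk in the store is detected rather than silently restored. The 64-byte chunk size and the "customer export" bytes are constructed for the demonstration; real systems use chunks of kilobytes and usually content-defined rather than fixed boundaries, for the reason the third file shows.

```python
import hashlib

CHUNK_SIZE = 64  # assumed, tiny so the numbers are easy to follow


class DedupStore:
    """Content-addressed chunk store: identical chunks are kept once."""

    def __init__(self):
        self.chunks = {}        # sha256 hex -> chunk bytes (what is physically stored)
        self.files = {}         # file name -> list of chunk hashes (its "recipe")
        self.logical_bytes = 0  # total bytes clients asked us to back up

    def put(self, name: str, data: bytes) -> int:
        """Store data under name; return the bytes that were actually new,
        i.e. what a remote backup would have to send over the network."""
        recipe, new_bytes = [], 0
        for i in range(0, len(data), CHUNK_SIZE):
            chunk = data[i:i + CHUNK_SIZE]
            h = hashlib.sha256(chunk).hexdigest()
            if h not in self.chunks:
                self.chunks[h] = chunk
                new_bytes += len(chunk)
            recipe.append(h)
        self.files[name] = recipe
        self.logical_bytes += len(data)
        return new_bytes

    def get(self, name: str) -> bytes:
        """Reassemble a file, verifying every chunk against its hash."""
        out = bytearray()
        for h in self.files[name]:
            chunk = self.chunks[h]
            if hashlib.sha256(chunk).hexdigest() != h:
                raise ValueError(f"chunk {h[:12]} failed integrity check")
            out += chunk
        return bytes(out)

    def physical_bytes(self) -> int:
        return sum(len(c) for c in self.chunks.values())


def demo() -> dict:
    """Constructed scenario: three daily backups of one export file."""
    store = DedupStore()
    day1 = bytes(range(256))                          # 256 bytes, 4 chunks
    day2 = day1 + b"appended audit log line\n"        # same data plus 24 new bytes
    day3 = b"X" + day1                                # one byte prepended
    sent1 = store.put("export-day1.bin", day1)        # everything is new: 256
    sent2 = store.put("export-day2.bin", day2)        # only the tail chunk: 24
    # Fixed-size chunking cannot realign after an insertion at the front,
    # so every chunk boundary shifts and all 257 bytes are "new" again.
    sent3 = store.put("export-day3.bin", day3)
    restored_ok = store.get("export-day2.bin") == day2

    # Simulate silent corruption or tampering of one stored chunk.
    victim = store.files["export-day1.bin"][0]
    store.chunks[victim] = b"\x00" * len(store.chunks[victim])
    try:
        store.get("export-day1.bin")
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "sent_day1": sent1, "sent_day2": sent2, "sent_day3": sent3,
        "logical": store.logical_bytes, "physical": store.physical_bytes(),
        "restored_ok": restored_ok, "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Encryption at rest fits naturally on top of this design: each unique chunk is encrypted once after deduplication, so the space saving is kept; encrypting each client's data with its own random keys before deduplication would make identical chunks look different and defeat the saving.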

3. Archiving

Archiving refers to storing documents relevant to the organization's operations, e.g. tax records, to satisfy mandatory retention requirements. Archived documents are kept on media that are not frequently accessed, so they may be overlooked (Csaplar, 2017) when it comes to cyber security. However, they are still sensitive organizational information that requires protection.

3.1 Archiving Best Practices

Archived documents can be stored in clouds specifically designed for archiving. For a price, the cloud provider replicates the documents, stores them in the cloud and installs security controls to protect them. Cloud providers can also offer disaster recovery services to recover backed-up data and applications. Comparatively, this is more affordable than building an off-site location.

4. Managing Complexity

Previously, organizations would purchase the best product on the market for each service needed to manage their data centres.

The IT unit's responsibility was to install the software, and it held the deluded mindset (Csaplar, 2017) that if each piece of software were the best, the IT infrastructure as a whole would be far superior to anything on the market and resilient to cyber security attacks. However, data centre management practices have evolved, and the preferred approach has shifted.

4.1 Managing Complexity Best Practices

Engaging a single vendor for the entire backup, recovery and retention procedures ensures there is no shifting of blame. All of the responsibility lies with that single vendor, who is therefore held accountable if it cannot provide the agreed services.

Collaboration and alignment of objectives are simpler with a single vendor. For organizations with facilities in other countries, it is advisable to perform backup, recovery and retention procedures from a single console, so that the cyber security of all IT infrastructure, regardless of location, can be controlled centrally.

5. Cloud

When organizations shift their business processes, architecture and technology to the cloud, traditional security practice changes significantly. Previously, organizations would introduce security controls on business functions and ensure security before proceeding. Now, with the cloud, each person within the organization has a role to play in ensuring that the IT infrastructure (Lackey, 2017) is secure, instead of a dedicated team being established to implement the security controls.

Some organizations are hesitant about shifting to the cloud because they are worried about the security of putting their data there. At the same time, most organisations have the misconception that once a cloud provider is engaged, responsibility for the security of data in the cloud lies with the provider.

Data security in the cloud is a shared responsibility of the organization (IDG Editors, 2017) and the cloud provider. The majority of data breaches occur because organizations are unaware of the functionality the cloud provider offers. Organizations therefore need to engage their cloud providers to deploy appropriate security controls. Through collaboration between organizations and cloud providers, cyber security incidents can be mitigated.

Another problem is that organizations have to manage cyber security in the cloud differently from on-site cyber security. Organizations are stuck in the past (Rick, 2017), relying on outdated techniques to manage cyber security that do not apply to the cloud.

Regardless of the motivation and techniques of cyber criminals, certain steps are constant across all forms of cyber security attack. The key to effectively managing cyber security incidents is implementing preventive and detective measures at each step, minimizing the likelihood of a successful attack.


Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 7, Developing Mitigation and Response Strategies, Section 7.26 Recover

Note: This version is from the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.