Recovery
No matter how good your prevention measures are, cybersecurity events are bound to happen. A user will exercise bad judgement and click a link in a phishing email, an important security patch will be neglected and an intruder will exploit the resulting weakness, or someone’s password will be compromised. It’s bound to happen, so your cybersecurity plan must include recovery measures as well as prevention measures.
A recovery plan should also protect you against threats that aren’t necessarily malicious. For example, what if a hardware failure takes out a key file server and you lose all its data? Or what if there’s a fire in the server room? Disasters like this are unlikely but not impossible. For more information about disaster recovery planning, check out Book 10, Chapter 4.
The most important aspect of recovery is to plan for it in advance. Don’t wait until after a cyberattack has succeeded to start wondering how you can recover. Instead, assume that a cyberattack will eventually happen and plan in advance how you’ll recover.
The basis of any recovery plan is a good backup plan. In fact, planning for backup is an integral part of planning any network. I’ve devoted Book 3, Chapter 6 to this topic, so I won’t go into every detail here. But for now, know that backups must be:
Comprehensive: Identify every critical server and data store in your organization and make sure it’s backed up regularly.
Up to date: When you’re forced to recover from a backup, you’ll be rolling your business back to the date the backup was made. If that was three weeks ago, you’ll lose three weeks’ worth of work.
Redundant: You should keep multiple copies of your backups, each representing a different recovery point. At the minimum, keep at least three generations of backups. That way, if the most recent set of backups doesn’t work, you can revert to the set before that and, if necessary, the set before that. A key factor to consider is that if your files have been corrupted by a cyberattack and you don’t discover the attack right away, your backups may contain copies of the corrupted data. You want to make sure that you have a good backup that was made before the attack occurred.
Kept off-site: If a fire burns down your server room and your backups are kept on a shelf next to the servers, you’ll lose the backups, too. At that point, you won’t be able to restore anything.
Offline: It’s not enough to keep backups off-site, they must also be offline. Backing up to the cloud has become popular recently, but keep in mind that a hacker skilled enough to break into your network and delete files on your servers may also be skilled enough to delete your cloud backups as well.
Automated: Don’t rely on remembering to run a backup every Friday at the end of the day. You’ll forget. Make sure your backup processes are automated.
Monitored: Don’t assume backups worked this week just because they worked last week. Monitor your backups regularly to ensure they’re working as designed.
Tested: Don’t wait until the pressure of a recovery to see if your backups actually work. Regularly test them by restoring individual files and entire servers.
Here are a few other elements your recovery plan should include:
Spare computers: If a cyberattack compromises one of your desktop computers, make sure you have a spare or two that you can quickly configure to quickly get the user back to work.
Emergency disk capacity: Restore operations often require that you have plenty of spare disk capacity available so that you can move data around. Inexpensive network-attached storage (NAS; see Book 3, Chapter 5) may fit the bill, but keep in mind that this type of storage is very slow. If you rely on it, you may find that it takes several days to recover multiple terabytes of data.
Communications: In the midst of a recovery from a cyberattack, it’s vital that you communicate with your users. They’ll need to know what’s going on, how long you expect the recovery to take, and so on. Unfortunately, this communication may be difficult if the normal channels of communication — such as email — have been disrupted by the attack. So, you should plan in advance for alternative methods of communicating with users, such as cloud-based communication platforms like Teams or Slack.
Cybersecurity Frameworks
It’s tempting to think that all you need to do to secure your network is install a firewall, run antivirus software on all your computers, and back up all your data. Those are important first steps, but cybersecurity is much bigger than a checklist of things to do.
In fact, cybersecurity should be baked into your IT systems from the ground up. Every aspect of your system designs should take cybersecurity into account, not as an afterthought but from the very beginning. That includes your servers, storage platforms, desktop computers, network infrastructure (including switches, routers, firewalls, cables, and wireless networks), mobile devices, operating systems, software, and anything else that’s part of your IT environment.
It’s a daunting task, but fortunately you’re not alone in figuring out how to make cybersecurity a top priority in your IT organization. Plenty of resources are available to you — including standardized frameworks that can help you plan and implement your security environment.
There are plenty of cybersecurity frameworks to choose from. In fact, the top hit on a recent Google search for “cybersecurity frameworks” was a website that listed the 23 top cybersecurity frameworks. That’s a lot to choose from. Although most of these frameworks are similar, there are subtle differences.
Here are five of the most popular cybersecurity frameworks you may want to investigate:
NIST: The NIST Cybersecurity Framework is probably the most commonly used framework in the United States. It’s governed by the National Institute of Standards and Technology (NIST). (For more information about this popular framework, refer to “The NIST Cybersecurity Framework,” later in this chapter.)
ISO/IEC 270: This is the most popular international cybersecurity framework. For more information, browse to https://iso.org/isoiec-27001-information-security.html
.
ISA 62443: The International Society of Automation (https://isa.org
) sponsors a series of standards known as ISA 62443, which comprise a flexible framework for managing security. For more information, see www.isa.org/technical-topics/cybersecurity/cybersecurity-resources
.
CIS-20: The Center for Internet Security (CIS) is an organization that provides a list of 20 cybersecurity controls that can be used as a framework for organizing your cybersecurity measures. For more information, see www.cisecurity.org/controls/cis-controls-list
.
COBIT: Sponsored by the Information Systems Audit and Control Association (ISACA), COBIT (which stands for Control Objectives for Information and Related Technologies) is one of the more popular cybersecurity frameworks. For more information, head