Cyber Security Response & Recovery Planning

Cyber Security Threats

Cyber security threats typically rank highest amongst executive concerns, as executives recognise the significant reputational, financial, regulatory and other impacts these could cause; in some instances a poorly managed incident can bring down an organisation. Teed supports clients in extending their business continuity and disaster recovery processes so that response planning explicitly covers cyber security incidents.

At Teed, we work with organisations regularly to help them develop and implement comprehensive security incident response procedures. Keeping systems secure at all times, and being ready to respond when controls fail, maintains the confidence of the workforce and of stakeholders that the business will not take a reputational hit because cyber security threats were given too little attention.

Risk

The “real risk” to the organisation needs to be understood. Consider questions such as:

  • What are the potential impacts in the event of a cyber security incident causing long-term unavailability of IT services or a data breach?
  • Could critical activities continue?
  • Would client or stakeholder confidence be jeopardised?
  • Could responsibilities be taken away or market share be reduced?

The business continuity discipline considers the "what ifs?" and provides an opportunity to assume that worst-case incidents can still happen, however low the likelihood. Internal and external cyber security threats are ever present, even in organisations with highly effective risk controls; implementing appropriate response plans and strategies provides the mechanism to ensure organisations remain in control and critical activities continue should those controls fail.

Protecting the confidentiality, integrity and availability of data is paramount and backup practices and technology should be rigorously assessed and tested. Ask these questions:

  • Could any one member of staff take action that would cause the complete and irretrievable loss of our data? If yes, then an attacker who compromises that person's credentials has the same ability, and the controls need to be improved.
  • Is our replication/backup capability sufficiently robust to ensure that we will always be able to recover data to a point that would be acceptable to the business? You do not want to find that access to the live data has been compromised (for example, encrypted by ransomware) and that no clean copy exists elsewhere. In extreme circumstances companies may find themselves having to give serious consideration to paying a ransom demand.
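The two questions above can be turned into a repeatable check rather than a discussion point. The Python below is an added illustration, not Teed's tooling or text: it models a backup catalogue in which each copy records when it was taken, whether a test restore has actually been verified, whether the copy is immutable (for example object-lock or WORM storage) and which principals are able to delete it. It then answers (a) how far the newest restorable copy falls short of the stated RPO and (b) whether any single principal could, alone, destroy the primary data and every verified copy. The catalogue entries, principal names, timestamps and RPO are constructed for the example.

```python
"""Backup resilience check: recovery point against RPO, and whether one
principal can cause total loss.  Added example; catalogue data is constructed."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    name: str
    taken_at: datetime        # when the copy was written
    restore_verified: bool    # has a test restore of this copy succeeded?
    immutable: bool           # object-lock / WORM: cannot be deleted before expiry
    deleters: frozenset = field(default_factory=frozenset)  # principals able to delete it


def recovery_point_gap(copies, now, rpo):
    """Return (newest verified copy, shortfall beyond RPO as a timedelta).

    Only copies with a verified restore count: an unverified backup is a hope,
    not a recovery point.  Returns (None, None) when nothing is verified.
    """
    usable = [c for c in copies if c.restore_verified]
    if not usable:
        return None, None
    newest = max(usable, key=lambda c: c.taken_at)
    age = now - newest.taken_at
    return newest, (age - rpo if age > rpo else timedelta(0))


def single_principal_total_loss(primary_deleters, copies):
    """Principals who could alone delete the primary and every verified copy.

    A verified immutable copy cannot be deleted by anyone inside its retention
    window, so its presence means no single principal can cause total loss.
    """
    usable = [c for c in copies if c.restore_verified]
    if any(c.immutable for c in usable):
        return set()
    danger = set(primary_deleters)
    for c in usable:
        danger &= set(c.deleters)   # intersect: must be able to delete *every* copy
    return danger


def findings(primary_deleters, copies, now, rpo):
    """Human-readable findings; an empty list means both questions pass."""
    out = []
    newest, gap = recovery_point_gap(copies, now, rpo)
    if newest is None:
        out.append("no copy has a verified restore: achievable recovery point is unknown")
    elif gap > timedelta(0):
        out.append(f"newest verified copy '{newest.name}' misses RPO by {gap}")
    for p in sorted(single_principal_total_loss(primary_deleters, copies)):
        out.append(f"principal '{p}' can alone delete the primary and every verified copy")
    return out


# --- constructed sample catalogue (hypothetical names and times) -------------
NOW = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)
PRIMARY_DELETERS = frozenset({"dba-alice", "sysadmin-bob"})
CATALOG = [
    BackupCopy("nightly-onsite", NOW - timedelta(hours=8), True, False,
               frozenset({"sysadmin-bob", "backup-svc"})),
    BackupCopy("weekly-offsite", NOW - timedelta(days=5), True, False,
               frozenset({"sysadmin-bob"})),
    BackupCopy("snapshot-unverified", NOW - timedelta(hours=1), False, False,
               frozenset({"dba-alice"})),
]
# Hardened variant: the offsite copy is made immutable, so no single account
# can remove every restorable copy.
HARDENED = [replace(c, immutable=True) if c.name == "weekly-offsite" else c
            for c in CATALOG]
# Degraded variant: the nightly copy has never been test-restored, so the
# newest *verified* copy is five days old and the 24-hour RPO is missed.
DEGRADED = [replace(c, restore_verified=False) if c.name == "nightly-onsite" else c
            for c in CATALOG]

if __name__ == "__main__":
    for label, cat in (("as-is", CATALOG), ("hardened", HARDENED), ("degraded", DEGRADED)):
        print(label, findings(PRIMARY_DELETERS, cat, NOW, RPO) or ["OK"])
```

Running the script reports that in the as-is catalogue "sysadmin-bob" can alone delete the primary and every verified copy; making the offsite copy immutable clears that finding, and an unverified nightly backup shows up as a four-day RPO shortfall rather than as a comfortable eight-hour one. The same two calculations can be run against a real catalogue exported from backup tooling and IAM policy, which is the assessment the questions above are asking for.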

Understanding the level of risk faced by the organisation is necessary to ensure that the level of investment in cyber security risk mitigation measures is appropriate. Clients, shareholders, regulators and other stakeholders are becoming less forgiving of organisations that are found wanting in an incident because of a lack of preparation and mitigation.

Linking cyber security with business continuity and IT disaster recovery planning ensures this type of threat is given due consideration. Senior managers must be given information that allows them to understand the risks they face and the options available to reduce them. Appropriate mitigation activity should then be taken forward, with any residual risk fully understood and formally signed off.

IT Response & Recovery

Cyber security guidance and checklists must be documented to ensure prompt and effective action is taken and responsibilities understood in the event of a security incident. This can be achieved by writing cyber security response procedures and/or incorporating the appropriate information into existing IT incident response and disaster recovery plans.

It is often difficult to ascertain the exact cause of an IT disruption until partway through the response and investigation process. Protocols should be embedded within the response process to take effect as soon as it is recognised that a cyber security incident is being faced. Guidance, checklists and playbooks should take account of the different types of security event (e.g. data loss, data breach, malware, ransomware, DDoS, DoS, insider threat, unauthorised access) during the various stages of response.

Whilst drafting the response and recovery procedures, it is important to identify the required pre-incident actions and technology improvements to maximise the speed and effectiveness of detection, analysis, containment, eradication and recovery.

Business Continuity

It is essential that the potential consequences of security incidents are fully understood so that business continuity plans and strategies can be adapted to ensure critical activities can continue at acceptable levels. Workarounds and contingencies should be developed and documented that would prove effective in the event of a situation causing the loss of IT services for an extended period. For physical incidents, such as the loss of a data centre, it is possible to be fairly prescriptive on the achievable RTO (recovery time objective) and RPO (recovery point objective), whereas more flexibility is required for security incidents.

Questioning should be incorporated within business impact analysis discussions to consider the feasibility of workarounds for time-critical activities in the event of an extended loss of IT services. There are often straightforward pre-incident actions that can be taken to allow effective contingencies and workarounds to be adopted, for example exporting or printing data reports to ensure key contact and operational information is always readily available.

Responsibilities, communication channels, recovery tasks and guidance should be incorporated into the business continuity plan. It is important for business recovery checklists to consider the actions required while resources are unavailable or reduced. Unfortunately, it is all too common for recovery tasks in business continuity plans to start at the point where staff are sitting at a recovery seat with all usual IT services available. Real incidents are rarely so straightforward.

Exercising & Testing

Cyber security incident scenarios should be incorporated into an exercise and test programme to ensure that plans, procedures, capabilities and responsibilities are appropriate and understood. All different elements of an incident should be covered, including incident management, security response, business continuity and IT disaster recovery.

Teed consultants regularly develop, facilitate and write up cyber security exercises and tests on behalf of clients, ensuring that they are sufficiently focused, challenging and effective. Independent observations, preparedness scores and identified improvement actions are incorporated within the exercise outcome report, increasing the confidence of senior managers and other stakeholders that cyber security risks are being effectively managed.