I must begin this blog post with an unfortunate, but true statement: It's not IF you become the victim of a cyber attack, it's WHEN.
43% of Australian businesses have been victims of Cyber crime. That is a staggering number, and the real figure is likely far higher, because 1. many businesses don't report cyber intrusions, and 2. many businesses are unaware that their network or systems have already been compromised. Statistically, your business will be attacked, and will likely fall victim to a Cyber attack within the next 3 years.
So being attacked is inevitable. Regardless of the technology, processes and (trained) people within your organisation, at some point you will get hit. That prospect may lead some people to think "well, it's going to happen anyway, so there isn't much we can do about it". However, security isn't only about detecting and thwarting attacks; it's about proactively planning for what to do WHEN one succeeds.
There are several steps you can take, and these must be done PRIOR to an attack. Once it's happened, I'm afraid it's too late to 'prepare'. So what can you do?
The 2 critical activities (and the documents they produce) are Disaster Recovery (DR) and Incident Response (IR) planning.
The first, DR, involves assessing your systems and understanding what data you hold and where it sits. Categorising these by business criticality is a good start: how long can your business survive without its email server, file server, or accounting system? Once you understand what you have, and how its unavailability would impact the business, you can move on to the next step.
How are these systems and data sets being protected? How often are they backed up? Are the backups encrypted and kept off site? How long can your business survive without each of them? The answers lead you to a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for each.
An RTO is the maximum time you can tolerate a resource being offline before the business is seriously impacted, and therefore the deadline your recovery process must meet. For instance, your finance system may be crucial to the business, but you can survive 4 business hours without it. Let's set the RTO at 4 hours.
The RPO is the maximum tolerable amount of data loss, expressed as a period of time. As an example, you may decide that losing 4 hours' worth of work wouldn't drastically affect the business. With an RPO of 4 hours, you must ensure backups are taken at least that often, and that the most recent backup is actually usable: an RPO is only as good as the newest backup you can restore from.
With your critical resources defined and an RPO and RTO set for each, you're ready for the next step in the Disaster Recovery planning process: creating documents that capture all this detail, plus a step-by-step guide to recovering from a disaster within those RPO and RTO targets. The plan should be clear, concise, and tested at least annually (and re-tested after any significant infrastructure change); a restore that has never been rehearsed is where RTOs quietly fail. Then, when the worst does occur, you have a straightforward, tested plan of action to get your business back online. Great!
Secondly, an IR plan is required. This plan details what the business needs to do in the event of a Cyber incident: who the relevant stakeholders are (IT, C-suite, department heads, legal, HR, service providers, etc.), who needs to be contacted in which circumstances, and what each person's responsibilities are. It should also include a communication plan, for notifying internal stakeholders of the issue and for communicating with vendors, police, or other external contacts. Having a solid, tested IR plan in place will reduce panic in the event you are attacked, and result in a much faster, cheaper, cleaner response and recovery.
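To make the RPO/RTO step concrete, here is a small added example (not from the original post, and not a tool the author describes) that takes a DR inventory and checks each resource against the targets set for it: is the newest backup younger than the RPO, has a restore actually been rehearsed within the last year, and did that rehearsal finish inside the RTO? The resource names, targets, timestamps and the "current time" are all constructed sample data and assumptions for illustration.

```python
"""Check a DR inventory against the RPO/RTO targets set for each resource.

Added illustration only. The inventory below is constructed sample data;
every name, target and timestamp is an assumption, not real infrastructure.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Resource:
    name: str
    rpo_hours: float                       # max tolerable data loss, as the age of the newest backup
    rto_hours: float                       # max tolerable outage before the resource must be back
    last_backup: datetime                  # when the newest backup was taken
    last_restore_test: Optional[datetime]  # None = a restore has never been rehearsed
    restore_test_hours: Optional[float]    # how long that rehearsed restore took


def rpo_findings(res: Resource, now: datetime) -> list[str]:
    """The RPO is met only if the newest backup is no older than the RPO."""
    age = now - res.last_backup
    if age > timedelta(hours=res.rpo_hours):
        hours = age.total_seconds() / 3600
        return [f"RPO breach: newest backup is {hours:.1f}h old, target {res.rpo_hours:g}h"]
    return []


def rto_findings(res: Resource, now: datetime, max_test_age_days: int = 365) -> list[str]:
    """An RTO is only credible if a restore was rehearsed recently and finished within the RTO."""
    if res.last_restore_test is None:
        return ["RTO unproven: restore has never been tested"]
    findings = []
    test_age = now - res.last_restore_test
    if test_age > timedelta(days=max_test_age_days):
        findings.append(
            f"RTO stale: last restore test was {test_age.days} days ago (limit {max_test_age_days})"
        )
    if res.restore_test_hours is not None and res.restore_test_hours > res.rto_hours:
        findings.append(
            f"RTO breach: last restore took {res.restore_test_hours:g}h, target {res.rto_hours:g}h"
        )
    return findings


def assess(inventory: list[Resource], now: datetime) -> dict[str, list[str]]:
    """Map each resource name to its findings; an empty list means it is on target."""
    return {r.name: rpo_findings(r, now) + rto_findings(r, now) for r in inventory}


# Constructed sample data (assumptions, not a real environment).
UTC = timezone.utc
NOW = datetime(2024, 3, 4, 10, 0, tzinfo=UTC)

INVENTORY = [
    # Backed up 1.5h ago, restore rehearsed 124 days ago in 5h: on target.
    Resource("email", 4, 8, datetime(2024, 3, 4, 8, 30, tzinfo=UTC),
             datetime(2023, 11, 1, tzinfo=UTC), 5),
    # Backed up 7h ago against a 4h RPO, and the last restore test is over a year old.
    Resource("file-server", 4, 8, datetime(2024, 3, 4, 3, 0, tzinfo=UTC),
             datetime(2022, 12, 1, tzinfo=UTC), 6),
    # Recent backup and recent test, but the test took 6h against a 4h RTO.
    Resource("finance", 4, 4, datetime(2024, 3, 4, 9, 45, tzinfo=UTC),
             datetime(2024, 1, 15, tzinfo=UTC), 6),
    # Backups exist, but nobody has ever tried restoring one.
    Resource("crm", 24, 24, datetime(2024, 3, 3, 23, 0, tzinfo=UTC), None, None),
]


if __name__ == "__main__":
    for name, findings in assess(INVENTORY, NOW).items():
        print(f"{name}: {'on target' if not findings else '; '.join(findings)}")
```

The point of splitting the checks this way is that an RPO is a property of your backup schedule, whereas an RTO is a property of a restore you have actually performed; a schedule alone proves nothing about the second. Running a check like this after every backup cycle, fed from your real inventory, turns the targets in the DR document into something that fails loudly before the disaster rather than during it.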
So the lesson here: PLAN TO FAIL (failing to plan only leads to more PAIN). Robust, tested DR and IR plans are essential to every business today.
This is our area. Our expertise. Our passion. This is what we do. If you need assistance or advice, please get in touch.
Founder and Cyber Security Advisor