What to Include in a Cybersecurity Disaster Recovery Plan | Imperva

What to Include in a Cybersecurity Disaster Recovery Plan

If the unthinkable were to happen to your business, what’s your disaster recovery plan? If bad actors were to plant ransomware on your systems, what’s your process for returning to normal operations? Search for “What do I do if I have a cybersecurity breach” and most of the top results will give the same first step: refer to your cybersecurity disaster recovery plan (DRP). The size of your business doesn’t matter; some simple work up front can save you a lot of problems should disaster strike.

Putting the right person in charge

Whether an internal team or an external contractor, it’s important to have clear lines of communication between whoever owns the cybersecurity DRP and whoever owns the overall enterprise DRP.

The person or people who own the cybersecurity DRP should be the first responders in the case of a security breach, and they should know your enterprise DRP inside and out. Their out-of-hours contact details should be at the top of your list of designated responders, on page one of your printed enterprise DRP, so that they can be reached even when email, chat and the company directory are unavailable. Department heads and critical stakeholders will need to support the first responders in creating and maintaining the cybersecurity DRP, and the first responders will need help securing the recognition and attention the plan requires to ensure cooperation across your organization. Cybersecurity is important, and from top to bottom it needs to be recognized as critical business functionality rather than as more work or an inconvenience.

When choosing a capable person to head this initiative, pick someone who is organized, passionate about what they do, and an expert communicator comfortable liaising with people across your whole organization who have different levels of technical knowledge. This person needs both the knowledge and the capacity to champion the development, analysis, and upkeep of the DRP as a permanent part of their regular workload.

To create an effective cybersecurity DRP, you will need input from all areas of your enterprise to identify departmental essentials, critical tools, and data. You should have dedicated representatives from each area, with your cybersecurity DRP leader coordinating information and requirements. These departmental representatives will also be useful when creating “worst-case scenario” exercises and will be a great help in establishing friction-free lines of communication.

Identify critical tools and data

When working across departments and liaising with team representatives, it’s important to find out from them which specific software, applications, information, and systems each of their departments needs in order to keep operating. This information is the key to restoring operations efficiently with minimal downtime.

You should conduct an audit to identify which tools and data each department needs to function properly. Plan for individual departments’ requirements to be very different. For example, what is important to the dispatch department will be materially different from what’s critical to your sales team out on the road, to the finance department, or to human resources. Some of these requirements may even be time- or season-dependent, with some resources being more important in the run-up to year-end, for example. Payroll data may be more critical in the week before payday. There may even be changes in data usage for some departments in the mornings versus afternoons. For each critical system, record how long the department can operate without it and how much recent data it can afford to lose; in disaster recovery terms, its recovery time objective (RTO) and recovery point objective (RPO). Departmental knowledge is invaluable to get the most value from this exercise, and your department representatives will offer important insight. Be sure to identify where backups of this critical data exist, whether those backups are kept offline or otherwise out of reach of an attacker who controls your network (ransomware routinely targets any backup it can reach), when a restore from them was last tested, how and where to replace critical tools and software, who requires what levels of access, and the detailed roles of the departmental stakeholders.

It’s worth noting that the latest version of any DRP should be printed and stored in a safe place, under lock and key if it includes any major passwords or confidential information. There’s no point in having a plan only in digital form if you can’t access it because your network has been compromised or the documents themselves have been encrypted by ransomware.

Knowing the dangers

Department by department, and for the organization overall, create a list of possible cybersecurity disaster scenarios that could affect your operations. Identifying potential weaknesses up-front gives you a window into your vulnerabilities and, therefore, insight into how to mitigate them.

What would you do, for example, if a disgruntled employee deleted data before leaving your organization? How would you respond if important data were corrupted by viruses or other malware? Even human error and hardware damage could be part of this exercise if you choose to conduct a full IT audit and investigate a backup solution at the same time.

Creating this documentation and identifying your weak spots will surface many issues that you can address now. It’s possible, for example, to limit the disruption of supply chain attacks with runtime protection software, protect managed databases with cloud data security solutions, or automate API protection. The first step is knowing your vulnerabilities and documenting how you would respond to each of them.

Create a communications plan

If a cybersecurity breach does occur, especially during off-hours, who needs to know about it and how will you let them know? A prioritized list of those who need to be in the loop, and of those whose expertise is critical to restoring operations, will be an important part of streamlining recovery efforts. Keep that list, and a means of reaching everyone on it, outside the systems that may be down or compromised.

In addition, if relevant, how will you communicate the existence of a security breach to customers, suppliers, or vendor partners? Who will handle any media queries? How will you inform the general staff? Not every breach will require communication with everyone, but the plan should set out how and when these communications happen and who is responsible for them. Where regulation or contracts impose breach-notification deadlines, record those deadlines in the plan too, alongside the person responsible for meeting them.

Get around the table

Arrange for some coffee (and biscuits), grab a wad of sticky notes, then get everyone involved around a table – and practice. Take some of your scenarios and walk through how you’d go about recovering from them.

If you can, come up with a few complications and throw them in randomly, making people draw from a deck of possible hurdles to success. What if the designated DRP leader is on holiday in another country? What if your primary backup has also been corrupted? What if a secondary attack, such as a distributed denial-of-service (DDoS) attack, is tying up your team while the real damage is done elsewhere? What other barriers to success can your team come up with, and how can you resolve them now so that you don’t have to think them through in a crisis? This process lets you put solutions in place now, and you are likely to meet fewer surprises if a breach does occur. The more you practice, the better and more efficient your team will get and the more prepared you’ll be. You may wish to consider red team exercises to take this one step further.

The old adage of “prior planning prevents poor performance” is as true for cybersecurity as it is in any operational area. Having a cybersecurity disaster recovery plan in place, with a well-informed and practiced team behind it, will be critical if the unthinkable happens. Let’s hope it never does, but with more and more security breaches happening every day that’s probably not a pair of dice you want to roll.