COMMENT
As the digital landscape becomes increasingly treacherous, companies are finally starting to view cybersecurity as a major operational risk. For companies reviewing their data security strategies, the updated guidance from the National Institute of Standards and Technology (NIST), the U.S. government’s chief technical standards body, is a good place to start. The NIST Cybersecurity Framework, first published in 2014, has served as the premier educational and academic guide. The latest version includes important updates, such as the addition of data governance as one of the key pillars. Unfortunately, it falls short in significant ways. It doesn’t say enough about the most crucial ingredient of any comprehensive, contemporary cybersecurity plan: the ability to recover from a cyber attack.
It is important to keep in mind that recovering from an attack is not the same as disaster recovery or business continuity. It is not enough to simply build the recovery function into a broader incident response plan. Recovery must be rooted in the security stack and response plans. And even outside of a crisis scenario, a continuous feedback loop must be established, where all parts of the cybersecurity function, including recovery, always share information and are part of the same workflow.
Given the persistent threat landscape and the growing number of mandatory regulations, such as the EU’s Digital Operational Resilience Act (DORA), companies must urgently close gaps in their cybersecurity preparedness plans.
Move from a frontline mindset
While the NIST framework paints a complete picture, the cybersecurity industry (and, by proxy, most companies) pays far more attention to the part that focuses on preventing cyber attacks. Prevention is important, but it can never be guaranteed and should not be pursued at the expense of a comprehensive security plan.
A company that relies only on the NIST Cybersecurity Framework will find itself underinvested in responding to current and future cyber attack scenarios. This is a risk no organization can afford to take. You will be breached. In fact, you have already been hacked; you just don’t know it yet. This means that the recovery platform must be integrated with the security stack, both to protect itself and the business environment and to ensure that the business can get back to work, which is one of the main objectives of that work.
Both vendors and customers must invest resources in returning to operation after an attack: how to get there, and how to test and verify that capability. The secret to a solid recovery is planning. To be truly secure, companies must take immediate steps to integrate the technology and the people responsible for recovery into the rest of their cybersecurity function.
Once this happens, a continuous feedback loop emerges, even though recovery teams can still operate independently. All the different parts of the security organization can then easily send information to, and receive it from, the other functions.
Test, test, test
While companies often have timelines in mind for how quickly systems need to be back online, many fewer have fully considered what it takes to reach that secure state after an attack.
Testing helps determine how long each phase of identifying and remediating a breach should take, so that companies have a benchmark to use when a real incident occurs. Without properly tested backup environments, the restore function becomes much more difficult and potentially more dangerous. When recovering from an untested backup environment, the organization could inadvertently restore implanted malicious code, hand access back to an attacker, or revert to a vulnerable state.
Companies must actively run simulated or real-world exercises that test all aspects of their cyber resilience to uncover weaknesses, including any issues that could impact a company’s ability to get its IT systems operational again.
Connecting the steps
Integrating recovery tools into your broader incident response arsenal can provide valuable insights, both in preparing for and responding to an attack.
Modern recovery systems can actively monitor backup repositories and regularly feed security teams information, so that anomalous behavior is detected much more quickly than ever before; this is a vital capability as attackers increasingly focus their efforts on last-mile data centers. And as a cyber-resilient recovery platform integrates into the modern security stack, it must connect with the systems that aggregate intelligence from various systems and services, giving security teams better context on events occurring across their environment, as well as the tighter controls required by compliance regimes and regulations around the world.
Align people with the process
While many organizations have experts involved in every other process within the NIST framework, few have teams or even individuals dedicated to recovery management.
Often, the function falls between the domain of the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO), leading both to assume that the other owns it. The overworked security team typically views recovery as tedious and something that only happens at the end of a chaotic process that should be handled by the IT team.
Meanwhile, the IT team, unless immersed in security, may not even know what the NIST framework is. Faced with a deluge of complaints, their goal is simply to get the environment back online as quickly as possible, and they may not recognize how dangerous a rushed, unplanned recovery can be.
Taking this seriously means dedicating resources to overseeing recovery and ensuring this step isn’t overlooked in ongoing planning and testing, let alone in the chaos that often accompanies a breach.
Given strategic direction from senior management and the right ongoing responsibilities, the recovery individual or team can ensure that response protocols are regularly tested and can act as a bridge connecting recovery with the rest of the IT security function.
The most important step
In this era, when every company should assume it has suffered a breach, recovery must be recognized as equally important as the other steps in the NIST framework. Or perhaps even more important.
Companies that limit themselves to cyber defense will ultimately lose. They’re playing a game in which they think the score matters. Defenders can have 1,000 points and still lose to an attacker who scores once. There is simply no way to guarantee victory against an opponent who plays outside the rules and controls when and how the game is played.
Companies must allocate resources to prepare for cyber attacks. Without a tested response plan to resume operations safely and securely, businesses will have no choice but to capitulate to attackers’ demands, pay the ransom, and then embolden the attacker.