The cost of cybercrime is out of control.
While following government guidelines, such as those published by the Cybersecurity and Infrastructure Security Agency (CISA), and employing proper security practices can help keep your company safe, cybersecurity practitioners know that even the best security controls can’t guarantee you won’t be breached.
There’s one aspect of risk that even the most secure organisations overlook: compromised data recovery. Many organisations aren’t prepared to recover and restore compromised data after a successful cyberattack, leaving them vulnerable to financial loss, brand reputational damage and more.
It’s about much more than simply “cleaning” your backups.
Here are three things companies fail to realise about compromised data recovery.
1. Data backups established for DR don’t work for ransomware attacks
We can’t stress this enough: Traditional disaster recovery (DR) plans and capabilities will not work when you’re trying to recover compromised data after a cyberattack. In fact, they might make the situation worse.
These are two completely different “recovery cases” that require different approaches – especially when it comes to backup data.
Following a DR event, you usually use the most recently backed up data. However, in a cyberattack, that same data – and possibly multiple generations of your backups – is likely compromised, making it unusable. You may even find that you simply don’t have any viable data due to the efforts of your attacker.
2. You need a clean-room environment for forensic analysis
In a traditional DR situation, you transition data to a recovery environment where good data is pre-positioned and ready to go. With compromised data recovery, however, you need to find the most recent copy of uncompromised data and utilise that.
Before you do so, you need to ensure the backup data is “clean,” so you don’t roll back any potentially compromised data into your environment.
That means running forensics and validating that data in a clean-room environment. That way you have an isolated and secure location to run analysis and perform clean copy identification to ensure a successful recovery.
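The "clean copy identification" step described above can be expressed as a small validation routine: walk the backup generations newest-first, check each one against an offline known-good manifest and against indicators gathered during forensics, and take the first generation with no findings. The script below is an added illustration, not code from Sungard AS or from this article; the file contents, hashes, indicator names and generation labels are all constructed for the example, and a real clean room would replace the in-memory dictionary with the actual restored file tree.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupGeneration:
    label: str
    taken_at: datetime
    files: Dict[str, bytes]  # path -> content (constructed, held in memory)


# Constructed known-good manifest: what critical files must hash to.
# In practice this is kept offline, independent of the backup system.
KNOWN_GOOD = {
    "app/config.yml": sha256_hex(b"db_host: prod-db\n"),
    "app/server.py": sha256_hex(b"print('hello')\n"),
}

# Constructed indicators from the forensic investigation (placeholders):
# hashes of malicious artefacts and filenames typical of ransomware drops.
MALICIOUS_PAYLOAD = b"<constructed malicious payload>"
IOC_HASHES = {sha256_hex(MALICIOUS_PAYLOAD)}
IOC_NAMES = {"README_DECRYPT.txt"}

# Constructed backup generations, oldest first. Only nightly-01 predates
# the intrusion; nightly-02 carries a tampered file, nightly-03 was taken
# after encryption and contains the ransom note.
GENERATIONS = [
    BackupGeneration("nightly-01", datetime(2023, 5, 1, 2, 0), {
        "app/config.yml": b"db_host: prod-db\n",
        "app/server.py": b"print('hello')\n",
    }),
    BackupGeneration("nightly-02", datetime(2023, 5, 2, 2, 0), {
        "app/config.yml": b"db_host: prod-db\n",
        "app/server.py": MALICIOUS_PAYLOAD,
    }),
    BackupGeneration("nightly-03", datetime(2023, 5, 3, 2, 0), {
        "app/config.yml": b"\x9f\x13encrypted-bytes\x00",
        "app/server.py": b"\x9f\x13encrypted-bytes\x01",
        "README_DECRYPT.txt": b"your files are encrypted",
    }),
]


def validate_generation(gen: BackupGeneration, known_good: Dict[str, str],
                        ioc_hashes: set, ioc_names: set) -> List[str]:
    """Return a list of findings for one generation; empty means clean."""
    findings = []
    # Every critical file must exist and match its trusted hash.
    for path, expected in known_good.items():
        if path not in gen.files:
            findings.append(f"missing critical file {path}")
        elif sha256_hex(gen.files[path]) != expected:
            findings.append(f"hash mismatch for {path}")
    # No file may match a known-bad hash or a known-bad filename.
    for path, content in gen.files.items():
        name = path.rsplit("/", 1)[-1]
        if name in ioc_names:
            findings.append(f"IoC filename present: {path}")
        if sha256_hex(content) in ioc_hashes:
            findings.append(f"IoC hash match: {path}")
    return findings


def select_clean_generation(generations: List[BackupGeneration],
                            known_good: Dict[str, str], ioc_hashes: set,
                            ioc_names: set) -> Optional[BackupGeneration]:
    """Newest-first, return the first generation with no findings.

    Returns None when every generation is compromised, which is the
    'no viable data' case the article warns about.
    """
    for gen in sorted(generations, key=lambda g: g.taken_at, reverse=True):
        if not validate_generation(gen, known_good, ioc_hashes, ioc_names):
            return gen
    return None


if __name__ == "__main__":
    for gen in reversed(GENERATIONS):
        print(gen.label, validate_generation(gen, KNOWN_GOOD, IOC_HASHES, IOC_NAMES))
    chosen = select_clean_generation(GENERATIONS, KNOWN_GOOD, IOC_HASHES, IOC_NAMES)
    print("restore candidate:", chosen.label if chosen else None)
```

The point of returning a list of findings rather than a boolean is that the reasons a generation was rejected are themselves evidence for the investigation: a hash mismatch in an older generation tells you the attacker's dwell time extended that far back, which in turn sets the boundary for which backups can be trusted at all.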
3. Responsibility for data recovery lies with infrastructure and operations
If your first inclination is to assign data recovery responsibilities to your chief information security officer (CISO), think again.
The CISO’s focus will be on malware containment and eradicating the root cause. At the same time, infrastructure and operations will be responsible for working on off-network activities to identify “clean” data that will be sent back to the production environment once the CISO has determined it’s malware-free and ready to use.
Instead of assigning recovery responsibilities to the CISO because the culprit is a cyberattack, select members from information security, infrastructure and operations, leadership and more, and form a multi-disciplinary response team to take charge.
With this group in place, develop a compromised data response plan. Define your overall response structure as well as how you will address any unrecoverable data. Once you’ve established detailed procedures for recovering cyber-compromised data, regularly test them so your employees know their roles and update them to align with changes to your production environment.
Get started with compromised data risk management
As incidents mount and bad actors become more sophisticated and daring, organisations must be ready to respond if their data becomes compromised in a cyberattack. They must proactively reduce their risk of a failed data recovery effort.
Implementing proven best practices can help your business reduce the risk of a failed cyber recovery effort and enhance your overall cyber resilience. We’ve compiled these best practices into our compromised data risk management (CDRM) framework that’s designed to do just that. Learn more about how Sungard AS can help you diminish the risk of downtime and improve your chances of successfully recovering your data after a cyberattack.