While your organization may have safeguards and protections in place to keep your data out of the hands of bad actors, that’s not enough. You also need a way to recover your data if it’s compromised during a cyberattack. And unfortunately, your traditional disaster recovery (DR) plan won’t work for this unique recovery case.
Using your traditional DR plan to recover compromised data following a successful cyberattack is like throwing water on a grease fire – it might be your first instinct, but it can make the situation worse.
Traditional DR plans concentrate on physical infrastructure, which a cyberattack usually leaves intact, so recovering compromised data is an entirely different “recovery case” from the one DR is built for.
Data recovery differs from DR in four areas:
DR plans are triggered by a failure in your physical data center and focus on recovering infrastructure, applications and network services. Data recovery, in contrast, is triggered by a data-compromising event, such as a cyberattack.
Rather than transitioning data to a recovery environment like you do in DR, data recovery usually recovers data in the original production environment.
Backup data might itself be compromised in a cyberattack, so the DR approach of restoring the most recently backed-up data could backfire. Instead, you must look for the latest available “clean” copy of the data to use in the data recovery process.
In DR, it’s much more likely, and expected, that you’ll meet your recovery time objectives (RTOs) and recovery point objectives (RPOs). However, for data recovery, it’s much harder to hit your RTOs and RPOs, since you need more time to understand the nature of the attack.
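As an added illustration of the third and fourth differences (not code from the original article), the following Python selects a restore point the way a DR runbook would and the way data recovery must, then shows what that does to the RPO; the backup inventory, digests and incident timeline are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    immutable: bool  # off-network or immutable copy (the "1" in 3-2-1-1)

# Constructed inventory of backups; names, times and digests are made up.
SNAPSHOTS = [
    Snapshot("nightly-2024-05-01", datetime(2024, 5, 1, 2, 0), immutable=False),
    Snapshot("weekly-2024-05-04", datetime(2024, 5, 4, 2, 0), immutable=True),
    Snapshot("nightly-2024-05-06", datetime(2024, 5, 6, 2, 0), immutable=False),
    Snapshot("nightly-2024-05-07", datetime(2024, 5, 7, 2, 0), immutable=True),
]
# Digests recorded when each backup was written, kept apart from the backup system.
MANIFEST = {"nightly-2024-05-01": "a1", "weekly-2024-05-04": "b2",
            "nightly-2024-05-06": "c3", "nightly-2024-05-07": "d4"}
# Digests obtained by re-hashing the stored copies today; the 05-06 online
# copy no longer matches, i.e. it was altered after it was taken.
CURRENT_DIGESTS = {"nightly-2024-05-01": "a1", "weekly-2024-05-04": "b2",
                   "nightly-2024-05-06": "x9", "nightly-2024-05-07": "d4"}
# Timeline from the investigation (constructed): first attacker activity,
# time the incident was declared, and the RPO the business expects.
ATTACKER_FIRST_SEEN = datetime(2024, 5, 5, 12, 0)
INCIDENT_DECLARED = datetime(2024, 5, 8, 10, 0)
RPO_TARGET = timedelta(hours=24)

def traditional_dr_pick(snapshots: list) -> Snapshot:
    """DR runbook behaviour: restore the most recent backup."""
    return max(snapshots, key=lambda s: s.taken_at)

def latest_clean(snapshots: list, attacker_first_seen: datetime,
                 current: dict, manifest: dict):
    """Data-recovery pick: newest copy taken before the attacker's first known
    activity, held on immutable/off-network storage, and whose current digest
    still matches the out-of-band manifest. Returns None if nothing qualifies."""
    ok = [s for s in snapshots
          if s.taken_at < attacker_first_seen and s.immutable
          and manifest.get(s.name) is not None
          and current.get(s.name) == manifest[s.name]]
    return max(ok, key=lambda s: s.taken_at) if ok else None

def rpo_gap_hours(snapshot: Snapshot, declared: datetime, target: timedelta) -> float:
    """Hours of data loss beyond the RPO target; 0.0 when the target is met."""
    overrun = (declared - snapshot.taken_at) - target
    return max(overrun, timedelta(0)).total_seconds() / 3600
```

With these inputs the DR pick is the 05-07 copy, which was taken after the intrusion began; the clean pick is the 05-04 immutable copy, which costs an additional three days of RPO overrun.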
Because it’s such a different situation from DR, recovering data after a successful cyberattack demands a different approach.
Each data recovery scenario is unique to the company, the data and the attack. Before reacting, you need to understand what happened to determine the best way to proceed. You also need a plan in place before you’re hit with a cyberattack so you have recovery options available.
Determine your vital data assets and keep them safe using a 3-2-1-1 protect and recovery architecture: three areas of resource separation, two defined recovery strategies (DR and data recovery), one off-network or immutable data copy, and one secured recovery environment.
Establish a multi-faceted team to direct your cyber-compromised data recovery and, to ensure they’re ready to respond quickly and effectively, consistently test your plan for various scenarios.
Recovering data after a successful cyberattack is different from the typical DR process, but with the right preparations, successful data recovery shouldn’t be a problem. If you plan for the differences, implement the right strategies and regularly test your plan, you’ll be better prepared to recover compromised data rather than just making things worse.