In case you missed the memo: Cyberattacks ran rampant in 2021.
Now, with recent cyber incidents in Ukraine and destructive malware targeting many of the country’s organizations, the Cybersecurity and Infrastructure Security Agency (CISA) has released a memo encouraging all organizations to prepare now to defend against cyber threats.
CISA lays out clear measures and near-term steps that businesses can, and should, take to reduce the likelihood and impact of a potentially damaging compromise. We encourage everyone to implement the steps outlined in the memo, and below we offer recommendations on how to put some of the CISA directives into practice.
How to increase your chances of an effective response
Putting the measures in place to prevent an attack is essential, but your organization must also be ready to respond if an attack occurs. What does this entail? Let’s look at some CISA recommendations and how best to implement them.
CISA: Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
A cyberattack is a business crisis and should be treated that way. So, it is essential to pre-establish a multi-disciplinary team with representatives from information security, infrastructure and operations, executive leadership, business operations and more. This group should be focused on the business and technology issues that are most likely to emanate from a data-compromising ransomware attack, such as calling in a breach coach, making ransom payment decisions, handling customer messaging, dealing with the ramifications of permanent data loss and more.
CISA: Assure availability of key personnel; identify means to provide surge support for responding to an incident.
In the aftermath of a cyberattack, data and infrastructure recovery efforts will likely take a week or two, possibly longer, to get everything back to normal. This typically requires round-the-clock work, so there’s a good chance that all parties involved will be stretched thin, which makes pre-planning support coverage that much more important. The need for outside assistance should also be considered and planned into the approach in advance of any actual incident.
To help these individuals build muscle memory, consider rehearsing these efforts using well-defined recovery tests where data is recovered in a controlled off-network environment. Conceptually, this is like disaster recovery (DR) testing, but the differences are extensive and require specialized tests focused on this unique recovery case. In this instance, recovery will focus on what has been impacted – servers, data, configurations, credentials, etc. – making rehearsals more complex.
CISA: Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Tabletop exercises are important, but they’re about more than just understanding roles and responsibilities.
It may take days for a business to resume operations following an attack, and during that time, you may have to make crucial business decisions in the heat of a ransomware response and recovery effort. The multi-disciplinary cyberattack response team should use these tabletop exercises to make sure those decisions are addressed ahead of time.
It’s better to plan for scenarios your business might face before the attack happens than risk being caught off guard during the real thing.
How to successfully recover compromised data
Having protections and safeguards in place is great, but what do you do if your data is compromised during a cyberattack? Are you prepared to successfully recover it? If you’re unsure, this can help.
CISA: Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
Just like with traditional DR, testing for compromised data recovery is essential. However, you can’t use your traditional DR plan. These are completely different recovery cases, so recovering compromised data requires a different approach, and the tests focused on it are different as well.
Through a progressive series of functional data recovery tests, your organization can hone its skills and reduce the time it will take to recover compromised data.
Preparing now can save you big time later
The consequences of a cybersecurity breach can be severe. It could result in reputational damage, financial losses, theft and even fines.
Right now, cyberattacks are only growing more severe and complex, so it behooves your organization to prepare ahead of time. The CISA memo lays out the steps businesses should take to protect themselves from future attacks. It’d be wise to heed its advice.