Here we go over the steps, and the planning that has to happen beforehand, that an organization takes after a cybersecurity incident to get the business back to operational status and restore public trust.
Moving into the final stage of the NIST Cybersecurity Framework, we now enter the “Recover” function. The activities in this function take place after an organization has gone through the steps to “Detect” a cybersecurity incident and then acted quickly to “Respond” to it: planning, communications, analysis, and mitigation, meaning containing the incident and eliminating the threat.
“Recover” is what happens after the incident response, when you work to get operations back to normal, repair any reputational damage caused by the events, and adjust your strategies based on lessons learned from the incident. While this function is the least detailed of the five in terms of the number of activities it lists, it is significant for getting everything back to normal and restoring public trust in your organization.
Planning to “Recover”
Similar to the “Respond” function, much of the “Recover” function is preplanning for a worst-case scenario. There are several areas of planning involved in the “Recover” function that should be thought out, tested, and documented so your organization can reference and execute them during a cyber incident. A plan that has never been exercised is only a guess about what will work; rehearse it, including an actual restore from backup, before you need it.
The first is a disaster recovery plan, which lays out the detailed processes, procedures, and tools for responding to an unplanned situation such as a cyber attack and, in particular, for restoring the affected systems and data. This is a crucial piece of recovery planning because it is meant to reduce the impact of an incident and return operations to normal as soon as possible.
Another component of planning is constructing a business continuity plan. This one is narrower in scope and goes into detail on how the business will keep its critical functions running during a disruption like a cyber attack, including while systems are still being restored. It is especially crucial to have this strategy in place so that an organization does not have to shut down entirely and can continue operating and bringing in revenue.
Additionally, there is the development of a crisis management strategy. This goes hand-in-hand with the other two recovery plans and the incident response plan (part of “Respond”) because it dictates how to make decisions and communicate effectively during the uncertainty and chaos that accompany any cyber attack.
As part of these plans to recover, you should have your data and systems already backed up and ready to restore so the business can return to normal operations as soon as possible. Those backup systems should also be secured with the same kinds of “Protect” controls as production: access control, data security controls, protective technology, and ongoing maintenance of those solutions. In practice that means backups should not be reachable with the same credentials an attacker would gain by compromising production, at least one copy should be offline or immutable, and the integrity of a backup set should be verified before anything is restored from it.
Most people only consider investing heavily in the security measures for their primary, day-to-day systems and forget how crucial the backups are. Ransomware operators know this and routinely go after backups first, because an organization with no usable backups is far more likely to pay. If both the primary systems and backups are compromised, your organization could be at risk of a shutdown for an extended period of time.
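One concrete way to make the “verify the backup before you trust it” step real is a keyed integrity manifest: at backup time, record an HMAC tag for every file using a key that is stored somewhere the backup host cannot write to; before a restore, recompute the tags and refuse to proceed if anything was altered, removed, or added. The script below is an added example written for this page, not code from the original article or from any product; the backup layout, the key handling, and the simulated ransomware pass that overwrites one file and drops a ransom note are all constructed for illustration.

```python
"""
Backup integrity manifest: keyed hashes recorded at backup time and
checked before restore. An attacker who can write to the backup store
can encrypt or replace files, but without the manifest key cannot forge
matching tags, so tampering is caught before a bad copy is restored.
Added example for illustration; not code from the original page.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _file_tag(path: Path, key: bytes) -> str:
    """HMAC-SHA256 over the file content, streamed in 64 KiB chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(backup_root: Path, key: bytes) -> dict:
    """Record size and keyed tag for every file under backup_root.
    The key must live outside the backup store (secrets vault, HSM),
    otherwise whoever can write the backups can rewrite the manifest."""
    entries = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_root).as_posix()
            entries[rel] = {"size": p.stat().st_size, "tag": _file_tag(p, key)}
    body = json.dumps(entries, sort_keys=True).encode()
    # Tag the manifest body too, so entries cannot be silently dropped.
    return {"files": entries,
            "manifest_tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_root: Path, key: bytes, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means the backup set is
    exactly what was recorded and is safe to restore from."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["manifest_tag"]):
        return ["manifest tag mismatch: the manifest itself was altered"]
    problems = []
    present = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    for rel, meta in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(_file_tag(backup_root / rel, key), meta["tag"]):
            problems.append(f"tampered: {rel}")
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a clean backup set, then the same set after a
    simulated ransomware pass that overwrites one file with random bytes
    and drops a ransom note. Returns (clean_result, tampered_result)."""
    key = os.urandom(32)  # assumption: in production, loaded from a separate secrets store
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "ledger.sql").write_bytes(b"INSERT INTO ledger VALUES (1, 'Q1');\n")
        (root / "app.tar").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(root, key)
        clean = verify_backup(root, key, manifest)
        # Simulated ransomware: encrypt one backup file in place, leave a note.
        (root / "db" / "ledger.sql").write_bytes(os.urandom(64))
        (root / "README_DECRYPT.txt").write_bytes(b"pay to recover your files")
        tampered = verify_backup(root, key, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup set:", clean or "OK")
    print("after simulated ransomware:", tampered)
```

Run it as-is to see a clean set pass and the tampered set fail with one `tampered:` and one `unexpected file:` finding. The point of keying the manifest rather than storing plain SHA-256 checksums is that the check only means something if the attacker cannot regenerate it; with an unkeyed digest, whoever encrypted the backup could just recompute the checksums. Verification like this is a check on integrity, not availability, so it complements rather than replaces the offline or immutable copy.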
Components of Recovering
Within the “Recover” function, NIST highlights three categories that together cover what needs to be done to get back to normal operations and restore public trust. The components of “Recover” are:
- Recovery Planning: Recovery processes and procedures are executed and maintained to restore the data, systems, and assets affected by a cybersecurity incident. This is where the disaster recovery plan, business continuity plan, and crisis management strategy are developed and exercised.
- Improvements: Lessons learned from the incident and from recovery exercises are incorporated into the recovery plans and the overall security strategy.
- Communications: Restoration activities are coordinated with internal and external parties, including repairing reputation and relationships with outside stakeholders, and the organization’s leadership and teams are kept informed of the recovery plans and current status.
“Recover” in Action
To see what the “Recover” function looks like in action, it helps to use a scenario as an example. ABC Inc., a large accounting firm, discovered that unauthorized access to one of its systems had led to a ransomware attack. The attacker deployed ransomware on that system that encrypted its files, leaving users unable to access their files or applications until a payment was made.
ABC Inc. refused to pay because an intact copy of its data and applications was available from a secure, external backup. It still carried out its response procedures to isolate the affected system and cut it off from the other critical systems, limiting the attack to that one system.
With the incident contained, ABC Inc. was ready to carry out its “Recover” activities:
- Before the incident ever occurred, ABC Inc. had consulted with cybersecurity and risk management firms to develop a disaster recovery plan, a business continuity plan, and strategies for handling a crisis. (Recovery Planning)
- Critical systems and data were backed up at an external source and secured with the same controls and practices used for the primary systems. After neutralizing the attack and confirming the backup had not been touched, ABC Inc. began restoring the data and applications of the compromised system to get operations running again. (Recovery Planning)
- The ABC Inc. marketing and PR team notified customers and third-party vendors of the incident and told them whom to contact with questions or concerns, or if they believed their personal information had been compromised. (Communications)
- ABC Inc. documented the incident, its response, and its activities to restore operations and public trust. Based on what worked well and what could have been done better, it adjusted its recovery plans, incident response plan, and overall security strategy. (Improvements)
Are You Prepared for the “Recover” Stage?
As this example shows, the primary objectives of “Recover” are to get the business running normally again, manage relations with customers and outside stakeholders, and learn from the experience to make improvements. Ascension Global Technology can help ensure that your business is ready for the “Recover” stage of the NIST framework in the event of a cybersecurity incident. Schedule a consultation with one of AGT’s cybersecurity experts today to get started.