Increased Frequency of Cyber Attacks Forces Companies to Develop Smarter Cyber Recovery Initiatives
Why enterprises need both disaster recovery and cyber recovery plans to protect their data.
- By Rebekah Dumouchelle
- May 20, 2021
Q: What are you more likely to face in the coming year: a disaster recovery (DR) event or a cyber recovery (CR) event?
A: A cyber recovery event.
Disaster recovery initiatives address devastating events, such as earthquakes, power outages, or terrorist incidents. Those events are relatively rare, though, compared to the events that trigger the need for a cyber recovery initiative: cyberattacks and ransomware incidents, which may occur as frequently as once every 11 seconds in 2021—a dramatic jump from 2016, when they took place once every 40 seconds, according to research from Cybersecurity Ventures.
Most recently, Colonial Pipeline paid nearly $5 million to hackers after a ransomware attack shut down the pipeline that supplies the eastern region of the US with fuel. In addition to Colonial Pipeline's direct costs, the ongoing disruption is causing Americans to panic buy gas while transit operators are reducing schedules to conserve fuel. Traditional DR plans may not be enough to handle ransomware events such as the one Colonial Pipeline experienced.
Cyber recovery fills the gap in disaster recovery, providing a clean, immutable copy of data and workloads. CR allows you to protect mission-critical data (in on-premises and cloud repositories) in a physically and logically isolated data vault that provides air-gap protection mechanisms.
The Difference Between DR and CR
When disasters such as floods, power outages, and weather events occur, a DR plan is usually adequate to quickly contain the impacts to a region and restore business operations. Cyberattacks are not as easily contained because they can spread rapidly and affect your data and operations globally. To address this kind of potentially crippling event, organizations can implement a cyber recovery solution and plan.
A cyber recovery plan goes above and beyond typical DR, but does not replace the DR plan. CR is a must-have to protect your most essential data, minimize the risk of service disruption, and improve business resiliency. Cyber recovery planning and solutions provide peace of mind, giving an organization a clean, protected copy of their data to fall back on when other copies have been locked or corrupted.
Most disaster recovery plans fail to account for the different motivations, techniques, and goals of various cyberattacks. Focusing on one kind of attack, cyber actor, or attack vector can leave your organization exposed.
When an attack occurs, organizations can usually respond in only one of two ways: pay the ransom or recover from a known, good backup copy. However, not all ransomware attacks end when the ransom is paid. There may not be an identified person or organization to pay, and there is certainly no guarantee that files will be unlocked even if you do pay. Colonial Pipeline paid the ransom within hours of the attack, but the decrypting tool provided by the hackers worked so slowly that Colonial Pipeline needed to use their backup copies to speed up recovery. This effort still took five days before pipeline service was restored.
Although Colonial Pipeline was able to use their backup copies, hackers are learning to attack or corrupt backup environments to reduce organizations' chances of sidestepping their demands.
| Category | Disaster Recovery | Cyber Resilience |
| --- | --- | --- |
| Recovery time | Close to instant | Reliable and fast |
| Recovery point | Ideally continuous | 1-day average |
| Nature of disaster | Flood, power outage, weather | Cyber attack, targeted |
| Impact of disaster | Regional, typically contained | Global, spreads quickly |
| Topology | Connected, multiple targets | Isolated, in addition to DR |
| Data volume | Comprehensive, all data | Selected, includes foundational services |
| Recovery | Standard DR (e.g., failback) | Iterative, selective recovery, part of CR |

Characteristics of DR and CR compared.
Ensure Cyber Resilience
Following an established framework for cybersecurity is the most reliable way of ensuring cyber resilience. The NIST Cybersecurity Framework provides in-depth advice for understanding, managing, and reducing cybersecurity risk:
Identify: Inventory all equipment, data, hardware (including laptops, point-of-sale devices, smartphones, and tablets) and software that you use. This can be compiled through data found in commercial enterprise software and hardware asset management (SAM/HAM) tools or, for smaller organizations, spreadsheets.
Protect: Make sure you control who accesses your network and devices. Offer proactive cybersecurity training for everyone who uses computers, devices, and networks.
Detect: Have an active plan of monitoring your computers for any unauthorized access, whether via personnel without the right credentials, software, or devices (such as USB drives). Investigate suspicious activity at once.
Respond: Have a plan for investigating and containing an attack, as well as notifying customers, employees, law enforcement, and others -- all while keeping business operational.
Recover: This is the time to fix anything (equipment, networks) that was impacted. Be sure to keep employees and customers informed about your response. Focus on recovering the most critical processes first, recovering or rebuilding end-user systems, and integrating lessons learned into your cybersecurity framework.
When creating a new CR initiative or updating an existing one, evaluate:
- What on-premises or cloud data do you need to protect with a second site, air-gapped vault, and how many primary sites are in scope? On-premises and cloud-native application data can be placed in a cyber recovery vault to isolate critical data from cyberattacks and validate data integrity.
- Do you need to recover to an on-premises environment or to public clouds? Consider the most efficient backup solution for your multicloud needs and the most efficient way to recover.
- Do you have an affinity for certain storage vendors? Investigate what they offer in terms of data integrity and data security services that could help you detect problems, such as signs of corruption due to ransomware.
Triage for Cyber Recovery
Cyber recovery is intended for the most critical data and workloads. Trying to protect all data this way wouldn't be economical -- replicating large amounts of data isn't feasible within reasonable time periods. With the most critical business functions protected in the vault, the secure environment provides a location from which to run analytics, forensics, and recovery initiatives. Analytics run in this environment can identify malware and which files have been compromised. This allows restoration to meet business-critical needs.
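The "validate data integrity" step in the vault checklist above and the vault-side analytics described here both come down to one mechanism: a trusted manifest of the protected copy, compared against the copy you are about to restore from. The following is an added example written for this article, not code from the original author or from any vault product. It builds a SHA-256 manifest of a golden copy, then checks a later copy for modified, missing, and unexpected files, and flags modified files whose content has become high-entropy (a common sign that a file has been encrypted or overwritten rather than edited). File names, contents, and the 7.5-bit entropy threshold are constructed assumptions for the demonstration.

```python
"""Integrity check of a cyber-recovery vault copy against a trusted manifest.

Added example (constructed data); not code from the article or any vendor.
"""
import hashlib
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large backups do not load into memory


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file (relative POSIX path) under root to its hash and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_copy(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a later copy under root against the trusted manifest.

    Returns lists of modified, missing and unexpected files, plus the subset of
    modified files whose first 64 KiB now looks encrypted (entropy above threshold).
    The 7.5 threshold is a heuristic assumption, not a published constant.
    """
    findings = {"modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    current = build_manifest(root)
    for rel, meta in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            findings["modified"].append(rel)
            sample = (root / rel).read_bytes()[:65536]
            if shannon_entropy(sample) > entropy_threshold:
                findings["high_entropy"].append(rel)
    for rel in current:
        if rel not in manifest:
            findings["unexpected"].append(rel)
    return findings


def demo() -> dict:
    """Constructed end-to-end run: golden copy -> manifest -> damaged copy -> findings."""
    tmp = Path(tempfile.mkdtemp())
    try:
        golden = tmp / "golden"
        (golden / "db").mkdir(parents=True)
        (golden / "db" / "ledger.csv").write_text("account,balance\n1001,250.00\n1002,19.95\n" * 50)
        (golden / "config.yaml").write_text("service: payments\nreplicas: 3\n")
        manifest = build_manifest(golden)  # in practice, stored write-once inside the vault

        # Constructed damaged copy: one file overwritten with pseudo-random bytes,
        # one file deleted, one file that was never part of the protected set.
        copy = tmp / "vault_copy"
        shutil.copytree(golden, copy)
        rng = random.Random(1234)
        (copy / "db" / "ledger.csv").write_bytes(bytes(rng.getrandbits(8) for _ in range(65536)))
        (copy / "config.yaml").unlink()
        (copy / "unexpected_extra.txt").write_text("constructed file not in the manifest\n")
        return verify_copy(copy, manifest)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest only has value if it is written once and kept inside the isolated vault alongside the copy it describes; a manifest stored on the production network can be altered by the same event that damages the data. A copy that passes this check is a candidate for restore, not proof of cleanliness, since malware that was already present when the golden copy was taken hashes identically.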
One common option is to replicate vault data back to your on-premises environment. This can get you back up and running, but it can also be time-consuming, leaving systems down longer. Alternatively, the fastest route is to restore to the cloud: a vault that is enabled for multicloud recovery lets you draw on the effectively unlimited resources of public clouds to restore immediately. Choose where an application runs most cost-effectively with the highest performance across commercial cloud platforms.
Cyber resilience comes, in large part, from confidence in your ability to bounce back from a cyberattack. Proactive implementation of protective technologies can reduce the risk that an attack becomes devastating. If you are a victim of a cyberattack, CR can help ensure that you maintain operations without facing lengthy recovery times. The faster you recover your data, the less revenue you lose.