The year 2020 reinforced the saying “disasters happen.” It’s the busiest Atlantic hurricane season on record, and of course there’s the ongoing COVID-19 pandemic. There’s always potential for disruption, especially when it comes to corporate data. In 2020 or any year, effective protection against a disaster requires a plan that is in place before the catastrophe strikes. That sounds exceedingly simple, but unfortunately some firms have to experience a disaster in order to understand the importance of having a plan.
Creating a Dynamic Roadmap
Build a plan that functions as a detailed roadmap. And accept that the plan can (and should) change dynamically as you detail new threats and integrate new capabilities and data sets.
Mark all the data sources and designate the parties responsible for collecting, storing, and managing that data. Performing this exercise offers its own benefits, as various departments can uncover gaps in data protection, or find data sets they didn’t know existed. Perhaps marketing finds some interesting survey data from a past year, or product development finds specs for a promising yet forgotten product. Finding all the data is a prerequisite for consolidating information, making it available and improving its security. It’s much easier to put safeguards in place when the data resides in uniform and regulated repositories.
- Inventory all the IT assets. Mark serial numbers and the availability requirements of the various assets.
- Set a priority list for the collected data. How critical is it to the business operations? How often does it change? Do you need to retain the data forever? Are there regulatory issues at play?
- Find better options for storing the data, for example by choosing redundant cloud systems working in tandem.
Communicating the Plan
A disaster recovery plan that’s put into action by an event will only work if the proper people know about the plan, what it contains, and what they need to do. Here are some core elements needed to fully communicate a plan:
- Detail all the people who are responsible for the proper execution of the plan. Include any contractors and other third parties along with internal staff. Include step-by-step instructions so the plan is “evergreen” and functional for new hires. Ensure that everyone discussed in the plan understands their roles and responsibilities.
- Create a procedure for communicating with workers during and after the disaster. Consider what technology is in place to enable this communication if the network fails. If the phone lines and internet are down, what options do you have for immediate information dissemination?
- The plan should establish who on the team will work with various service providers during a disaster event. Is it clear how these providers will respond? How quickly will this happen? Talk through various scenarios to uncover glaring potential problems.
Stressing and Testing
A Spiceworks survey found nearly a quarter of companies were not testing their disaster recovery plans, despite nearly a third noting their companies lost revenue due to an interruption or outage. Testing is essential not only because of the pace of changing threats, but because it’s the only way to know if a plan works.
Test the disaster plan with stress testing and various “dry runs” to ensure it’s viable and agile. Pose various possible scenarios to see how systems (and people) handle the situation. Throw various disasters into the mix to see how your team manages. For example, how will they handle a ransomware attack, a denial of service attack, a failure with the cloud storage provider, or even a physical fire that strikes the office building? Conduct testing in multiple stages:
- A paper test where the team reads the various plan documents. Once formalized, ensure copies are saved in hard copy form and redundantly in the cloud.
- Conduct walkthrough tests to spot glaring issues that need to be fixed.
- Perform simulations to see how (and if) the test performs in the real world.
- Run parallel testing to ensure that recovery systems can perform transactions and run necessary applications.
- Use rollover testing to see if your recovery systems can handle full workloads after main systems are pulled offline. This is where you need to judge the importance of various systems. For example, a bank would consider online banking access higher on the priority list compared to the HR system that’s using bandwidth to track employees.
Creating Multi-Day Backups
If a company is hit by malware or ransomware, they need to determine when the intrusions happened. They need to ascertain the closest possible time of the event and then use the backups from the servers to salvage the data up to that point in time. Phishing schemes also exploded in 2020, with hackers seeing opportunity from COVID-19 related messages that played on fear and other human emotions. Morally bankrupt hackers are targeting hospitals and other healthcare facilities as virus cases continue to rise. Having the proper backups in place when they are needed is essential in operating any business.
In most of these attacks, the individual employee is typically the conduit. They clicked on an email or link that gave hackers administrative access to their organization’s network. Preventing (or mitigating) this potential disaster requires employee education. Make training a core part of a disaster recovery plan. Key parts of such training should include:
- Discussions about phishing, vishing (phone based) and smishing (text-based attacks) with examples.
- Recognizing the hallmarks of such attacks, including misspelled words, weird looking links, and urgent language that encourages “fast” decisions.
- Emphasize the importance of “hovering” over links and emails to see underneath the text.
- Direct employees to always err on the side of caution by reporting suspected emails and/or messages to IT or a staff member.
- Remote work employees are much more likely to use their personal email accounts and to perform questionable internet searches while at home. Put in place technical safeguards to prevent network exposure, leverage ultra-secure communication platforms (such as GOFBA) and remind employees that working from home does not mean they can or should ignore best practices.
Throughout the disaster recovery planning process, think proactively. Understand that “when” it happens, the right training, the right tech and battle-tested processes will turn the disaster into a bump in the road instead of the potentially devastating catastrophe it could be.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.