Business people discussing cyber recovery strategy

Why businesses must have a cyber recovery strategy

Explore how a robust cyber recovery strategy can help businesses bounce back quickly after an attack

June 19 2024Dheeraj Rawal

The backdrop

As attacks become commonplace, CISOs often have a tough job of keeping businesses away from the headlines. No solution offers 100% protection. So, they must focus on building cyber resilience and recovery to help businesses hit the ground running after an attack. Faster recovery minimizes disruptions, reduces financial losses, and ensures uptime. So, how can businesses recover faster? Find out.

The grim reality of cyber-attacks

Today’s businesses operate in high-risk scenarios. Multiple factors can affect a business — starting from a geo-political conflict to a security incident. Digital transformation initiatives have shot through the roof. More than 90% of organizations host some data in the cloud.1 The flip side of accelerated digitalization is the increase in the frequency and magnitude of attacks. Every day there are about 4000 attacks and every 14 seconds,2 there’s a ransomware attack striking an organization. Businesses need to top up their cyber security measures to fend off cyber threats.

Either hacked or unaware

It’s prudent for organizations to have a fatalistic attitude. Ex-Director of FBI, Robert Mueller once famously said, “There are only two types of companies: those that have been hacked and those that will be.”3 Unfortunately, this is a true statement today. With the threat landscape spreading like wildfire, the possibility of getting breached or hacked has become almost inevitable.

Businesses need cyber resilience

According to a Gartner report, by 2025 about 75% of organizations will have faced one or more attacks, leading to disruption and downtime.4 Preventive measures in security are important. But no solution guarantees 100% protection against the attacks, especially, when attack methods are getting sophisticated by the day. Businesses need to discover cyber threats quickly and recover sooner from attacks. Fighting advanced and unknown threats with limited tools isn’t realistic. They must build cyber resilience to keep disruptions limited and maintain business continuity. Building cyber resilience needs a strategic approach, and this blog covers how businesses can start.

Cyber recovery as the last line of defense

Software professional working on cyber security

A key piece of building cyber resilience is cyber recovery, which is a post-incident and reactive approach. Cyber recovery plans are like disaster recovery plans, which aim to restore IT infrastructure and data after disruptions due to any unexpected event (political event, natural disaster, wars, etc.). Cyber recovery solution on plan deals specifically with cyber incidents only.
Restoring systems, data, and operations after a cyber-attack or a data breach is critical for any business. Efficient recovery measures can reduce the impact of the attack by a large degree and save costs. The average recovery cost sustained by organizations in 2023 stood at USD 1.85 million.5 

Financial losses are rising

Financial losses are growing by the day due to attacks. In 2023 alone, the total ransomware payments surpassed USD 1 billion.6 Of all security incidents, 24% involved ransomware. But paying the ransom also doesn’t guarantee that you’ll get the full data back. A Gartner report says, on average, only 65% of data is returned after the payment.7 Also, ransomware attackers demand payment in bitcoins, and these transactions are stored on the Bitcoin network, which is public. Chances of more such attacks increase as criminals know that the organization is willing to pay the ransom. 

Need for a long-term strategy

Therefore, as a proactive strategy, organizations need to use a cyber recovery solution to their advantage. Companies that resorted to data backup practices spent about USD 375,000 for recovery after an attack. Companies that didn’t have any data backup paid a ransom of USD 750,000. 

Data backup alone can save about 50% of costs paid in ransom, and that’s a significant number.8 Reports also suggest that a response plan enables faster recovery and saves as much as USD 1 million.9 Organizations with backup and recovery plans experience about 96% less financial impact due to a ransomware attack.10 Let’s see how data backups are created as a part of the recovery approach.

Data backups are the cornerstone of recovery

Data backups offer a safety net to organizations in the event of an attack because they can go back to a pre-attack state after the data is restored. Therefore, creating backups is essential, but it needs a strategy. Attackers today know that organizations create backups as a contingency plan—therefore, they target the backup infrastructure first. For instance, modern ransomware attacks don’t just encrypt systems, but they have the potential to target backup storage as well. Almost 97% of the ransomware attacks target backup systems.11 The time taken to launch an attack and demand a ransom has gone from months to days, creating a pressing need for a secure backup infrastructure.

How to create an infrastructure backup strategy

Organizations must rethink their traditional backup methods to forge a fool-proof cyber recovery plan. Here’s how to go about it:

  1. Create an infrastructure for storing backups, ideally layered up with security to withstand severe attacks.
  2. Ensure multiple copies of backups are placed at different locations, ideally following the 3:2:1 data backup rule. One of them should be a primary on the premise, the second one on a different location such as the cloud, and then the last one should be an offline copy in an external media. Multiple backups act as a contingency plan and ensure the availability of data during the restoration phase.
  3. Backups should also have Artificial Intelligence (AI) capabilities to detect abnormal patterns and notify the admin or security teams.
  4. Organizations must also think about creating immutable backups, which cannot be altered or deleted by anyone. Immutable backups can help restore pre-attack data, which is untouched by any infection or malware. Air gap architecture networks can be created to isolate critical infrastructure from unsecured or risky networks. 

Optimize the backups further

The backups need to be optimized for better utilization during any security incident. This is done through regular backup schedules, prioritizing critical data, and reducing backup storage requirements through deduplication and compression. Cyber security and infrastructure teams should also create an isolated recovery environment (IRE), which is a secure and separate environment used specifically for restoring and recovering critical systems, applications, and data. However, creating an IRE architecture could be a time-intensive and expensive project.

Things to remember before restoration

Security team working on cyber attacks on laptop

Before restoration, security teams should know the spread of the attack, the type of threat, and the compromised systems. After this assessment, the next objective is to contain the attack. In the case of ransomware, stopping further encryption is the key. Isolating affected resources or networks is crucial. Segmentation helps in isolating the affected networks from the rest and containing the further spread of the attack. Determining the recovery destination that is untouched by the attack is essential. Once the location is identified, the data should be moved and integrated with the production environment to restore the operations. Organizations must evaluate whether security tools will work smoothly with the integrated data, or they will require more outages before the final sync.

Every hour is important

Organizations should evaluate the foundational services that are the lifeline of their businesses and must restore them first. The remaining services and applications can be prioritized based on business criticality. Automation templates should be used to restore data rebuilding servers quickly. The end goal is to minimize the recovery time because each hour is crucial during a security incident. These tools can streamline recovery tasks, such are a linchpin that aids in faster recovery.

Attacks can bring existential crisis

Enterprises can lose as much as USD 400,000 every hour to application outage; these numbers can reach as much as USD 1 million every hour.12 Some disasters can bring existential crises in small and medium-sized organizations that have limited resources to fight back and recover from a cyber- attack. For instance, Lincoln College, a US-based college, shut down after being hit by a ransomware attack during the already challenging COVID-19 pandemic.13 The college took down operations for three months. After paying the ransom of USD 100,000, the organization could not make up for the lost time and had to wind up due to losses. 

Remediation before restoration

Organizations need to look at ways to resume operations as soon as possible to minimize losses, but restoration can only be successful if the systems are clear of the security threat. Security experts need to examine the restored data and services in isolated environments to confirm the eradication of threats such as ransomware. This scanning may involve signature-based detection and advanced AI/ML tools to detect anomalous activity, providing comprehensive verification of the recovery success. At times, organizations face the risk of malware reattacking the restored systems. Therefore, they must think of using remediation software to remove threats from the systems completely. It’s also possible that outdated security systems led to the cyber-attack in the first place; this mandates the security teams to first patch and update the systems before beginning to restore them.

Restoration of systems

Once remediation and patching are carried out, the next step is to integrate the recovered systems into the production environment. After the integration, the validation process ensures that applications and data are in place and services are running as they should be. Once everything is up and running, teams should get back to addressing security issues and work towards fixes. Compromised servers and data need to be further analyzed to understand the root cause and attack method. Infrastructure needs to be assessed regularly and outdated systems flagged as potential pain points. Organizations should be aware of any applications that no longer receive support from the vendors.

A cyber recovery strategy for your business

We’ve strong experience in helping businesses implement strong security measures. We can enable you to create an effective cyber recovery and resilience strategy.

Build an incident response plan

In cyber recovery, building an incident response plan is as important as creating the backup infrastructure. Here are the phases of the incident response plan that organizations need to have:

Detection: The detection phase involves identifying the signs of a security incident or breach within the organization's systems or networks. This may include alerts from security tools, unusual system behavior, or reports from employees. The goal is to promptly identify the presence of an incident and initiate a response process. Ransomware attacks can also be detected by signature-matching. Machine learning-based algorithms are also a good way to flag abnormal behaviors. Security teams can rely on tools such as search email filters, weblogs, endpoints, antivirus products, and network gateways to detect compromised systems, data exfiltration, active directory breaches, etc.

Analysis: During this phase, the incident response team investigates the nature, scope, and impact of the security incident to determine the vulnerabilities that led to the attack, the attack methods, encrypted files, and exfiltrated data. This involves gathering evidence, conducting forensic analysis, and assessing the severity of the breach. The goal is to gain a comprehensive understanding of the incident and speed up containment and recovery efforts.

Containment: This phase focuses on limiting the spread and impact of the security incident. This may involve isolating the affected systems or networks, implementing access controls, and deploying temporary security measures to prevent further damage. The objective is to prevent the incident from spreading while recovery efforts are underway. Containment includes quarantining all compromised systems, locking infected user accounts, blocking network traffic, enforcing password changes, and continuous communication with stakeholders, including employees. 

Eradication: During this phase, the incident response team works to remove the root cause of the security incident from the organization's systems and networks. This includes removing malware, patching vulnerabilities, and implementing security controls to prevent similar incidents in the future. The aim is to eliminate any lingering threats and restore affected systems to a secure state.

Recovery: This phase focuses on restoring affected systems and data to normal operations. This may involve restoring from backups, reinstalling software, and reconfiguring systems to ensure they are secure. The goal is to minimize downtime, restore business operations, and return to normalcy as quickly as possible. Some metrics that organizations should keep in mind are recovery point objective (RPO) and recovery time objective (RTO). RPO is the amount of maximum data an organization can afford to lose. RTO is the maximum amount of time an organization takes to restore normal operations after the incident.

Benefits of having a cyber recovery strategy

  1. Ensure business continuity: A resilient organization with a recovery plan ensures lower downtimes and uninterrupted business operations. Organizations with a data recovery solution in place reduce downtime by 75%.14 
  2. Reduce financial impact: With low downtimes and data loss, financial costs associated with the cyber-attack, productivity costs, regulatory fines, and reputational damage also go down.
  3. Improve compliance levels: Organizations can meet regulatory requirements and industry standards with recovery measures set in place.
  4. Enhance customer trust: Demonstrating recovery and resilience measures to protect data is one of the noble ways to win customer trust and maintain a competitive advantage in the market.
  5. Strengthen incident response: Regular finetuning of security policies and controls leads to a swift and coordinated response that minimizes the impact of a cyber-attack.
  6. Boost recovery times: Streamlining the recovery process with automation technology also contributes to faster recovery and reduces revenue losses.

How to strengthen Resilience and Recovery

Organizations that have the right security tools, incident response plans, and recovery strategies do not panic during security incidents. Some of the security solutions that businesses need to consider for improving preparedness, detection, and recovery against cyber threats, are:

  • Secure email gateways: Filter out malicious emails and reduce phishing attacks.
  • Endpoint detection and response: Continuously monitor endpoints for suspicious activities, and respond to threats in real-time. 
  • Deception security solution: Deploy decoy assets to lure attackers and identify unauthorized access in the early stages.
  • Network threat detection: Analyze traffic to detect malicious activity and potential threats.
  • Network segmentation: Microsegmentation divides networks into smaller segments with different security controls applied. Limit the movement of the attacker and control the damage.
  • Secure Access Service Edge (SASE): SASE reduces the attack surface by providing secure access to corporate resources.
  • Security penetration testing: Test your infrastructure by simulating real-world attacks and finding vulnerabilities before attackers do.
  • Vulnerability management: Find out vulnerabilities, prioritize them, and fix them to reduce the attack surface.
  • Centralized log management: Aggregate and analyze logs from multiple sources to detect security incidents and support forensic investigations. 
  • Identity and access management: Manage user identities and control access to sensitive resources to reduce unauthorized access.
  • Multi-factor authentication: Add an extra layer of security to user authentication processes, reducing the risk of unauthorized access.

We can help your business with a resilience strategy

It’s often difficult for any business to have a 360-degree view of its security tool stack, security posture, weaknesses in its systems, and external threat environment. T-Systems helps businesses to assess their security posture and fix the gaps. We empower businesses to build resilient systems through stronger security measures, coupled with equally efficient recovery strategies. Get in touch with us to chalk out a security strategy for your business.  

About the author
Dheeraj Rawal

Dheeraj Rawal

Content Marketer, T-Systems International GmbH

Show profile and articles

You might also be interested in

Get in touch for a cyber recovery strategy

We can help you chalk a cyber security, resilience, and recovery strategy. Contact us today.

1 Cloud Computing Study, 2023, Foundry
2 Attack Per Day Article, 2024, Astra
3 Types of Companies Article, 2018, Dynamic Business
4 Detect, Protect, Recover, 2021, Gartner
5 Ransomware Article, 2023, Security Intelligence
6 Total Ransomware Payments, 2024, SC Magazine
7 Ransomware Payment Article, 2021, Gartner
8 Cybercriminals and Ransomware Article, 2024, Firstpost
9 Guide to Ransomware, 2023, IBM
10 Disaster Recovery Statistics, 2024, Webinar Care
11 2022 Ransomware Trends Report, 2022, Veeam
12 Downtime Costs Article, 2023, Medium
13 Press Release, 2022, NPR
14 Impact of Cyber Recovery, 2023, Dell Technologies

Do you visit t-systems.com outside of Germany? Visit the local website for more information and offers for your country.