As attacks become commonplace, CISOs often have a tough job of keeping businesses away from the headlines. No solution offers 100% protection. So, they must focus on building cyber resilience and recovery to help businesses hit the ground running after an attack. Faster recovery minimizes disruptions, reduces financial losses, and ensures uptime. So, how can businesses recover faster? Find out.
Today’s businesses operate in high-risk scenarios. Multiple factors can affect a business — starting from a geo-political conflict to a security incident. Digital transformation initiatives have shot through the roof. More than 90% of organizations host some data in the cloud.1 The flip side of accelerated digitalization is the increase in the frequency and magnitude of attacks. Every day there are about 4000 attacks and every 14 seconds,2 there’s a ransomware attack striking an organization. Businesses need to top up their cyber security measures to fend off cyber threats.
It’s prudent for organizations to have a fatalistic attitude. Ex-Director of FBI, Robert Mueller once famously said, “There are only two types of companies: those that have been hacked and those that will be.”3 Unfortunately, this is a true statement today. With the threat landscape spreading like wildfire, the possibility of getting breached or hacked has become almost inevitable.
According to a Gartner report, by 2025 about 75% of organizations will have faced one or more attacks, leading to disruption and downtime.4 Preventive measures in security are important. But no solution guarantees 100% protection against the attacks, especially, when attack methods are getting sophisticated by the day. Businesses need to discover cyber threats quickly and recover sooner from attacks. Fighting advanced and unknown threats with limited tools isn’t realistic. They must build cyber resilience to keep disruptions limited and maintain business continuity. Building cyber resilience needs a strategic approach, and this blog covers how businesses can start.
A key piece of building cyber resilience is cyber recovery, which is a post-incident and reactive approach. Cyber recovery plans are like disaster recovery plans, which aim to restore IT infrastructure and data after disruptions due to any unexpected event (political event, natural disaster, wars, etc.). Cyber recovery solution on plan deals specifically with cyber incidents only.
Restoring systems, data, and operations after a cyber-attack or a data breach is critical for any business. Efficient recovery measures can reduce the impact of the attack by a large degree and save costs. The average recovery cost sustained by organizations in 2023 stood at USD 1.85 million.5
Financial losses are growing by the day due to attacks. In 2023 alone, the total ransomware payments surpassed USD 1 billion.6 Of all security incidents, 24% involved ransomware. But paying the ransom also doesn’t guarantee that you’ll get the full data back. A Gartner report says, on average, only 65% of data is returned after the payment.7 Also, ransomware attackers demand payment in bitcoins, and these transactions are stored on the Bitcoin network, which is public. Chances of more such attacks increase as criminals know that the organization is willing to pay the ransom.
Therefore, as a proactive strategy, organizations need to use a cyber recovery solution to their advantage. Companies that resorted to data backup practices spent about USD 375,000 for recovery after an attack. Companies that didn’t have any data backup paid a ransom of USD 750,000.
Data backup alone can save about 50% of costs paid in ransom, and that’s a significant number.8 Reports also suggest that a response plan enables faster recovery and saves as much as USD 1 million.9 Organizations with backup and recovery plans experience about 96% less financial impact due to a ransomware attack.10 Let’s see how data backups are created as a part of the recovery approach.
Data backups offer a safety net to organizations in the event of an attack because they can go back to a pre-attack state after the data is restored. Therefore, creating backups is essential, but it needs a strategy. Attackers today know that organizations create backups as a contingency plan—therefore, they target the backup infrastructure first. For instance, modern ransomware attacks don’t just encrypt systems, but they have the potential to target backup storage as well. Almost 97% of the ransomware attacks target backup systems.11 The time taken to launch an attack and demand a ransom has gone from months to days, creating a pressing need for a secure backup infrastructure.
Organizations must rethink their traditional backup methods to forge a fool-proof cyber recovery plan. Here’s how to go about it:
The backups need to be optimized for better utilization during any security incident. This is done through regular backup schedules, prioritizing critical data, and reducing backup storage requirements through deduplication and compression. Cyber security and infrastructure teams should also create an isolated recovery environment (IRE), which is a secure and separate environment used specifically for restoring and recovering critical systems, applications, and data. However, creating an IRE architecture could be a time-intensive and expensive project.
Before restoration, security teams should know the spread of the attack, the type of threat, and the compromised systems. After this assessment, the next objective is to contain the attack. In the case of ransomware, stopping further encryption is the key. Isolating affected resources or networks is crucial. Segmentation helps in isolating the affected networks from the rest and containing the further spread of the attack. Determining the recovery destination that is untouched by the attack is essential. Once the location is identified, the data should be moved and integrated with the production environment to restore the operations. Organizations must evaluate whether security tools will work smoothly with the integrated data, or they will require more outages before the final sync.
Organizations should evaluate the foundational services that are the lifeline of their businesses and must restore them first. The remaining services and applications can be prioritized based on business criticality. Automation templates should be used to restore data rebuilding servers quickly. The end goal is to minimize the recovery time because each hour is crucial during a security incident. These tools can streamline recovery tasks, such are a linchpin that aids in faster recovery.
Enterprises can lose as much as USD 400,000 every hour to application outage; these numbers can reach as much as USD 1 million every hour.12 Some disasters can bring existential crises in small and medium-sized organizations that have limited resources to fight back and recover from a cyber- attack. For instance, Lincoln College, a US-based college, shut down after being hit by a ransomware attack during the already challenging COVID-19 pandemic.13 The college took down operations for three months. After paying the ransom of USD 100,000, the organization could not make up for the lost time and had to wind up due to losses.
Organizations need to look at ways to resume operations as soon as possible to minimize losses, but restoration can only be successful if the systems are clear of the security threat. Security experts need to examine the restored data and services in isolated environments to confirm the eradication of threats such as ransomware. This scanning may involve signature-based detection and advanced AI/ML tools to detect anomalous activity, providing comprehensive verification of the recovery success. At times, organizations face the risk of malware reattacking the restored systems. Therefore, they must think of using remediation software to remove threats from the systems completely. It’s also possible that outdated security systems led to the cyber-attack in the first place; this mandates the security teams to first patch and update the systems before beginning to restore them.
Once remediation and patching are carried out, the next step is to integrate the recovered systems into the production environment. After the integration, the validation process ensures that applications and data are in place and services are running as they should be. Once everything is up and running, teams should get back to addressing security issues and work towards fixes. Compromised servers and data need to be further analyzed to understand the root cause and attack method. Infrastructure needs to be assessed regularly and outdated systems flagged as potential pain points. Organizations should be aware of any applications that no longer receive support from the vendors.
In cyber recovery, building an incident response plan is as important as creating the backup infrastructure. Here are the phases of the incident response plan that organizations need to have:
Detection: The detection phase involves identifying the signs of a security incident or breach within the organization's systems or networks. This may include alerts from security tools, unusual system behavior, or reports from employees. The goal is to promptly identify the presence of an incident and initiate a response process. Ransomware attacks can also be detected by signature-matching. Machine learning-based algorithms are also a good way to flag abnormal behaviors. Security teams can rely on tools such as search email filters, weblogs, endpoints, antivirus products, and network gateways to detect compromised systems, data exfiltration, active directory breaches, etc.
Analysis: During this phase, the incident response team investigates the nature, scope, and impact of the security incident to determine the vulnerabilities that led to the attack, the attack methods, encrypted files, and exfiltrated data. This involves gathering evidence, conducting forensic analysis, and assessing the severity of the breach. The goal is to gain a comprehensive understanding of the incident and speed up containment and recovery efforts.
Containment: This phase focuses on limiting the spread and impact of the security incident. This may involve isolating the affected systems or networks, implementing access controls, and deploying temporary security measures to prevent further damage. The objective is to prevent the incident from spreading while recovery efforts are underway. Containment includes quarantining all compromised systems, locking infected user accounts, blocking network traffic, enforcing password changes, and continuous communication with stakeholders, including employees.
Eradication: During this phase, the incident response team works to remove the root cause of the security incident from the organization's systems and networks. This includes removing malware, patching vulnerabilities, and implementing security controls to prevent similar incidents in the future. The aim is to eliminate any lingering threats and restore affected systems to a secure state.
Recovery: This phase focuses on restoring affected systems and data to normal operations. This may involve restoring from backups, reinstalling software, and reconfiguring systems to ensure they are secure. The goal is to minimize downtime, restore business operations, and return to normalcy as quickly as possible. Some metrics that organizations should keep in mind are recovery point objective (RPO) and recovery time objective (RTO). RPO is the amount of maximum data an organization can afford to lose. RTO is the maximum amount of time an organization takes to restore normal operations after the incident.
Organizations that have the right security tools, incident response plans, and recovery strategies do not panic during security incidents. Some of the security solutions that businesses need to consider for improving preparedness, detection, and recovery against cyber threats, are:
It’s often difficult for any business to have a 360-degree view of its security tool stack, security posture, weaknesses in its systems, and external threat environment. T-Systems helps businesses to assess their security posture and fix the gaps. We empower businesses to build resilient systems through stronger security measures, coupled with equally efficient recovery strategies. Get in touch with us to chalk out a security strategy for your business.
1 Cloud Computing Study, 2023, Foundry
2 Attack Per Day Article, 2024, Astra
3 Types of Companies Article, 2018, Dynamic Business
4 Detect, Protect, Recover, 2021, Gartner
5 Ransomware Article, 2023, Security Intelligence
6 Total Ransomware Payments, 2024, SC Magazine
7 Ransomware Payment Article, 2021, Gartner
8 Cybercriminals and Ransomware Article, 2024, Firstpost
9 Guide to Ransomware, 2023, IBM
10 Disaster Recovery Statistics, 2024, Webinar Care
11 2022 Ransomware Trends Report, 2022, Veeam
12 Downtime Costs Article, 2023, Medium
13 Press Release, 2022, NPR
14 Impact of Cyber Recovery, 2023, Dell Technologies
