Restart after cyberattack: saving what can be saved?

The success and future of a company depend on identifying new market opportunities at an early stage and having the right safeguards in place to ward off risks. The prerequisite is that the present business is secured. Companies today rely heavily on IT systems and communications, which makes them especially vulnerable to cyberattacks that can threaten their very existence in the blink of an eye.

Be prepared! Prevention — the most effective means to stay safe?

The effects of digital attacks can be serious and widespread. They threaten reputational damage among customers, partners, and authorities; violations of data protection regulations and legal statutes; and substantial financial losses that may amount to no more than a temporary decline in revenue but may also result from the termination of a business relationship. The consequences of attacks in which hard disks are encrypted from outside, and of similar cyberattacks, quickly become evident: data and information are no longer available. If the objective is industrial espionage or active data manipulation, however, the impact of a cyberattack may become apparent only with the passage of time. In this sense, the threat is now, but the effects will not become apparent for quite some time.

Defend against or prevent attacks before they occur — for a long time, prevention was at the heart of any strategy for protection from cyberattacks. Yet the growing sophistication of cybercriminals makes it ever harder to anticipate and prevent security incidents and data breaches. Attackers can take advantage of two asymmetries in their favor over the individual victims of their attacks. One is temporal asymmetry: the attack cannot be detected before it occurs, and there may be a significant delay before its effects appear. The other is resource asymmetry: massive attack campaigns run by government agencies or ordered from the darknet may overwhelm the cybersecurity resources of any single victim. So attacks and their impact must be expected — but their nature, timing, and consequences cannot be anticipated.

The conclusion: it is important to know what must be done if it comes to the worst — to have a plan to mitigate the negative effects of the attack. Response plans must be carefully considered and established — there is no time to come up with ad hoc actions once the situation has become critical.

This is only part of the solution, however, because a comprehensive response to crises requires a holistic strategy that ensures the specific resilience of the company. So what form can this type of holistic strategy take?

The holistic answer is this: business continuity management (BCM). BCM incorporates into one single management system (BCMS) all the technical and organizational measures and processes that safeguard the company’s business operations even in a crisis as well as provide the means for its full restoration in a secure state.

The aim of BCM is to ensure the company’s existence by means of two components: preventive measures that minimize the effects of a damage incident (i.e., that increase the reliability of business processes) and the preparation of specific measures to be initiated after the incident has occurred. If emergency response measures have previously been established “as a standard,” their status can change from reactive to preventive. One example is a multi-vendor strategy: if a service provider or data center is lost, the “switch” to the alternative can be made without delay. If resilience has been adequately built into regular operation, negative effects can be minimized or even prevented. But all measures must be implemented without hesitation and “according to plan,” i.e., they must be interlinked.

When every minute counts ...

One of the most important components of risk mitigation in the event of a cyberattack is the speed with which the organization can recover from the aftermath. One thing is clear: speed and quality of response to emergencies and crises are competitive factors and can be decisive for survival.

But if the response is delayed, the attackers gain valuable time to steal or manipulate data — and the damage becomes more severe with each passing moment. Litigation, regulatory penalties, and reputational damage can result in additional costs.

The horse has bolted the stable — and now?

Ensuring the continuity of business operations presumes the clear assignment of roles and responsibilities, set forth in a restoration plan, the so-called disaster recovery (DR) plan. It is an element of BCM that gives the organization the means to respond flexibly to various crisis scenarios.

As a rule, a successful DR solution addresses all types of operational disruptions and threatening situations ranging from IT system failures (due to a power outage, for example) to building losses, bomb threats, or major natural disasters. Obviously, the significance of a wide-scale malware attack for the data protection strategy differs from the scope of water damage or a fire at a single site.

In consequence, a DR plan must include a comprehensive risk analysis and be organized by type of disaster and site. In addition, it must contain scripts (instructions) that can be carried out by all responsible parties.

Successful restart thanks to standardized processes

Optimal emergency preparedness and response are not possible unless they have been carefully planned and organized. A standardized emergency management process reduces the impact of a crisis and secures the company’s operation and continued existence. The Federal Office for Information Security (BSI), Germany’s national cybersecurity authority, has established standards for the efficient realization of a restart that serve as orientation for companies.

In addition to the generally known standards of the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) offers a recognized and proven model, including a set of recommendations and standards, that helps organizations hone their capabilities for identifying and detecting cyberattacks.

The NIST framework classifies all cybersecurity capabilities, projects, processes, and daily activities into these five core functions:

  • Identify: Existence of an understanding of cyberrisk management that is specific to the organization
  • Protect: Implementation of appropriate protective measures
  • Detect: Implementation of the capabilities required for the detection of security incidents
  • Respond: Implementation of concepts and activities for responding to cybersecurity incidents
  • Recover: Implementation of concepts and activities to achieve adequate resilience and resistance to cyberattacks

If the NIST model of capabilities is combined with ISO 22301 or BSI Standard 200-4 on business continuity, the capabilities must be expanded beyond IT components, networks, data, and information alone to encompass all other “critical resources” on whose availability the performance of a process, procedure, or business model depends. Have possible losses of employees been carefully considered in the scenarios? Have foreseeable bottlenecks been identified? How quickly, and from what indications, do we recognize that a genuine bottleneck in personnel or a loss of service providers, physical infrastructure, or other operating resources is imminent?

If redundancies and plans have been developed, emergency situations (respond) and the necessity of a restart or replacement after losses (recover) may be avoided — provided the response has been fast enough. This is also what distinguishes emergencies from crises and disasters: by definition, the latter can no longer be managed solely with the company’s own resources. But all reasonable and possible measures to become as resilient and quick to respond as possible have been initiated — the company has done what it can to the best of its knowledge and ability. One thing is clear: if no fire alarms have been installed, no one should be surprised if the house burns down before the fire department arrives.

Companies that succeed in deploying their resources so well and so specifically that they can react flexibly to disruptive changes retain their capacity to act and their credibility; even in a crisis they remain creditworthy and interesting for investors, employees, and partners. This is true not only in the specific case of a cyberattack or emergency; resilience serves as a signal to the marketplace. Like a rubber ball, these enterprises manage to compensate for any deformation and quickly regain their original shape. And not only that: resilience is only achieved when companies learn from these incidents and grow from the challenges.