Ransomware. Massive DDoS attacks. Coordinated data breaches. Cybercrime is booming, criminals are steadily growing craftier, and their attacks are becoming increasingly complex.
When it comes to recovering from such attacks, many businesses have the tendency to simply approach them as they would hardware failure or a natural disaster. Unfortunately, this is a mistake. Although disaster recovery does share commonalities with security recovery in some capacity, those similarities are ultimately superficial.
With disaster recovery, your sole goal is business continuity. You’re responding to an incident that you have little chance of stopping. You’re looking to eliminate downtime, maximize recovery speed, and keep both your people and your information safe.
Security recovery is more complex. Your goal is to detect an emerging incident and stop it as quickly as possible, minimizing both infrastructural damage and data loss. Your focus is on gathering evidence and analyzing data, and on working out how to prevent the attack from happening again.
Disasters and cyber attacks also require a different recovery approach.
“Security and disaster plans are related, but not always the same thing,” explains Booz Allen Emergency Management Lead Marko Bourne. “The most obvious difference is that disaster recovery is about business continuity, whereas information security is about information asset protection. The less evident aspect is that security incident response often requires detailed root cause analysis, evidence collection, preservation and a coordinated and, often, stealthy response.”
Disasters are often highly public, highly publicized events. The root causes of these incidents, though unpredictable, are generally easy to understand: a fire may have been caused by faulty electrical work, for example, or a hardware failure by an electrical storm.
With a cyber attack, the cause is generally less evident, as is the progression of events. A DDoS attack might be used to mask data exfiltration, or ransomware may have infected a company’s systems either through a phishing attempt or by exploiting a security flaw. Moreover, publicizing an incident while it’s still being investigated can, in many cases, result in the destruction of key forensic evidence.
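The evidence-preservation point above (and the "evidence collection, preservation" Bourne refers to) is the step most easily lost when a team jumps straight into disaster-style recovery. A concrete way to protect it is to hash every collected artifact into a manifest before any clean-up or restore touches the system, then re-verify the manifest afterwards. The script below is an added example written for this article, not code from the article's author or the firms quoted; the log files, their contents and the `ir-oncall` collector name are constructed sample data, and the manifest format is an assumption rather than any standard.

```python
"""Evidence-preservation manifest: hash collected artifacts before any
recovery action touches them, then re-verify later.
Added example, not from the article; all file names and log lines below
are constructed sample data."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str) -> dict:
    """Record who collected what and when, plus each artifact's size and digest."""
    return {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in sorted(paths)
        ],
    }


def verify_manifest(manifest: dict) -> dict:
    """Re-hash every artifact; return {path: 'ok' | 'modified' | 'missing'}."""
    status = {}
    for entry in manifest["artifacts"]:
        p = entry["path"]
        if not os.path.exists(p):
            status[p] = "missing"
        elif sha256_file(p) != entry["sha256"]:
            status[p] = "modified"
        else:
            status[p] = "ok"
    return status


def demo() -> tuple:
    """Constructed scenario: collect two logs, then a 'clean-up' truncates one."""
    d = tempfile.mkdtemp()
    auth = os.path.join(d, "auth.log")
    web = os.path.join(d, "access.log")
    with open(auth, "w") as f:  # constructed sample log line
        f.write("Jan 10 03:12:07 host sshd[4242]: Accepted password for backup from 10.0.0.9\n")
    with open(web, "w") as f:  # constructed sample log line
        f.write('10.0.0.9 - - [10/Jan:03:15:00 +0000] "POST /upload HTTP/1.1" 200 1048576\n')
    manifest = build_manifest([auth, web], collector="ir-oncall")
    before = verify_manifest(manifest)
    # A well-meaning recovery step empties the web log; the manifest catches it.
    with open(web, "w") as f:
        f.write("")
    after = verify_manifest(manifest)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print(json.dumps({"before": b, "after": a}, indent=2))
```

In practice the manifest itself should be written to storage the recovery team cannot overwrite (write-once media or a separate evidence host), because a digest stored next to the artifact it protects can be altered along with it.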
“[Disaster] recovery plans are focused on recovering IT operations, whereas security plans are focused on preventing or limiting IT interruptions and maintaining IT operations,” explains Steven Wiedner, Senior Manager at management consulting firm Navigate. “The key to having successful security and disaster recovery plans is to document, manage, test plans and develop a common governance, communication and escalation methodology. This unified approach will minimize confusion and decrease the time to recover from events.”
Although cyber attacks and real-world disasters can both cause extensive damage, your approach to each needs to be different. You need to tailor your recovery plan to both the type of incident and to your own distinct needs as a business. That way, when a crisis hits, you’ll never be without a process to follow.