
Companies should have a cyber resilience plan ready

There’s a popular adage in the cybersecurity industry that goes: “It’s not if, but when,” meaning the question is not whether a business will fall victim to a cyberattack, but when it will happen.

A significant 2021 study by the software company Positive Technologies found that in 93% of the businesses and organizations tested, across a wide range of industries, penetration testers were able to breach the network perimeter and gain access to local network resources, which in a real attack would have meant a breach. Disturbingly, 100% of these same companies were compromised in a test that simulated an attacker already inside the network.


“From small to large companies, the risk of a cyberattack is bigger than everyone thinks,” said Fred Brumm, co-owner with Sue Brumm of Computer Equipment & Technologies Inc. (CETech), a Rochester-based IT services and consulting firm established in 1998.

If the odds are good that a company will ultimately get hit by a cybersecurity attack internally or externally, it’s imperative to have a plan for when that time comes.

Just like most people keep a bottle of acetaminophen in their bathrooms for that unexpected headache, the local cybersecurity experts interviewed for this piece all agreed that having a cyber resilience plan on hand for the day an intrusion at work or home succeeds is paramount.

A cyber resilience plan (also known as a cyber response or cyber recovery plan) is a disaster plan for today’s modern, cyber world. It spells out how an organization will respond to and recover from the effects of a cyberattack as quickly as possible and with the least amount of damage.


“It’s a document that spells out how you’re going to handle a cybersecurity breach and minimize the impact on your business,” said David Wolf, vice president of Just Solutions, Inc., a provider of managed IT services with offices in Rochester and Buffalo. “The most important aspect of the plan is that there’s a hard copy, because if you can’t get into your system or emails to access it because of an attack, the plan won’t be any good.”

The plan, which should exist as two hard copies (one on-site and one off-site), should start with basic contact information for the key players: the people who will be part of the response in the event of a breach, such as the company’s attorney and its cyber insurance carrier (along with the policy number). Recording these details may seem unnecessary, but there are times when even a business’s phone system is compromised, and looking up contact information becomes difficult.

Every piece of information needed to recover from an attack that is missing from the cyber resilience plan can lengthen the recovery. In 2021, the average length of interruption after a ransomware attack on businesses in the United States was 20 days, up from 15 days in 2020, according to market and consumer data company Statista.

The plan itself will vary according to the size of a company, the company’s greatest risks (and risk appetite), and the regulatory requirements of its particular industry, Brumm said. For example, a dentist’s cyber resilience plan will look different from a manufacturing company’s plan because of different compliance regulations, such as HIPAA.


“I have companies with plans that are five pages long and I have others with plans that are sixty to seventy pages long,” said Carl Cadregari, CISA, executive vice president, FoxPointe Solutions, which is the information risk management division of The Bonadio Group, located in Pittsford. “The size all depends on the complexities of an organization.”

While the plan will vary from company to company, some key questions Cadregari recommends companies ask themselves when writing it are: What are our assets? What are we trying to protect? What is the threshold that will trigger the plan? Who will be part of the response once it is triggered? Whom will we need to contact to report the incident? How will the incident and the response be recorded?

“Companies shouldn’t have to reinvent the wheel” when it comes to creating a cyber resilience plan, said Cadregari, who pointed out that there are excellent templates and draft plans available online from sources such as the nonprofit Center for Internet Security, which helps safeguard public and private organizations against cyber threats.

It’s also very important for companies to test their plans once they are written. Cadregari recommends testing twice a year for organizations with a large consumer or client presence and once a year for B2B organizations. After each test, an organization should document the lessons learned and fold them back into the plan.

IBM Security’s sixth annual report on the subject, released in July 2021, showed that only about 21% of companies worldwide have “mature” plans in place, a number in line with what Cadregari has seen locally. He says most organizations with regulatory requirements have plans, but only about 25%-30% of those outside regulatory requirements do.

Wolf encourages companies without a plan to start the process by looking for material online about creating one. NIST.gov and CISA.gov are good places to start, but for those without the time or inclination to create their own, he recommends hiring a cybersecurity professional.

Don’t necessarily rely on your IT employees to write the plan, since they are typically busy fixing acute issues throughout the day, Brumm advises. He also notes that a second set of eyes from a trusted professional outside the company can help ensure the plan is accurate.

Ultimately, writing a cyber resilience plan means preparing for the worst-case scenario before it happens, so that when it does, the recovery can be as painless as possible.

“Planning is really about running scenarios, looking at what-ifs and the doom and gloom side of things,” Wolf said. “Most people don’t think deviously like cyber criminals, so it’s challenging to come up with these scenarios.”

Cybersecurity professionals, though, have seen it all, from crypto-locker viruses spreading inside a network to malware attacks and cybercrime as a service.

“Businesses locally get attacked daily,” Wolf said. “It’s become very prevalent over the past three to four years. A cyber resilience plan is even more important than a business plan in some cases; it’s a survival plan.”

Caurie Putnam is a Rochester-area freelance writer.