“The vast majority of cyber attacks are happening at a small-to-medium sized business level. If you experience an attack, you need to turn it into an inconvenience that you can handle, instead of something that threatens your entire business.”
Mike DePalma, Sr. Channel Development Manager at Datto, joined us at Elevate to share his step-by-step process for formulating an IT disaster recovery plan that ensures business continuity in the event of a cyber attack.
He began by emphasizing that there is much more to disaster recovery than technology. “A lot of these tips don’t specifically have to do with the technology itself. It really comes down to people, processes, and then technology.”
Understanding the ‘why’ behind your IT disaster recovery plan is equally important. While many organizations view this type of planning as a box-checking exercise, or simply a requirement of applying for cybersecurity insurance, it deserves more time and investment than that. “Ultimately, this is what’s going to prevent you from having an attack that could put you out of business,” Mike says.
“The average length of downtime after a ransomware attack is 16.2 days, and companies aren’t always resilient enough to absorb something like that. Business disruption is the reason why people pay these ransoms. Downtime can be 50x more expensive than the ransom itself.”
So, here are the 10 steps to take when creating an IT disaster recovery plan.
1. Start a Disaster Diary
The first step to create an IT disaster recovery plan is to keep a log of disruptions to identify recurring patterns. Minor incidents from week to week are easily forgotten if not documented, and can leave you vulnerable. When incidents do occur, take note of whether the issue was the result of human error or technology to understand where gaps exist. Remember, your disaster diary needs to be an open dialogue. Avoid pointing fingers when someone clicks on a link in a phishing email, for example. Employees should feel comfortable alerting you to these mistakes so you can prevent them from happening again.
2. Identify Potential Threats
With your disaster diary in place, you should be positioned to identify common threats. For example, have you mitigated all of the potential threats associated with human error? Where do all of your physical devices live? Are they located in the office, remotely in people’s homes, or are they in transit from day to day? Who has access to your systems? Take an inventory, determine who needs access to what, and update your permissions accordingly to minimize your exposure.
3. Develop an Internal Communications Plan
In the event of an incident, employees should know who to notify, when to raise the alarm, and how to isolate their machine (for example, disconnecting it from the network). This aspect of your disaster recovery plan needs to be accessible and regularly reviewed, and should take into account potential system failures, natural disasters, and emergency contact information. Again, it’s crucial that employees feel comfortable reaching out to IT rather than attempting to fix the issue themselves. Every minute lost gives malware time to spread to other systems.
4. Preserve Employee Records
When assessing which data needs to be protected, organizations typically think about client data and their own business data. What often gets overlooked is the importance of protecting employee records, which include personal information as well as business-related data. In simpler times, all of this data might have been stored on your office server. Now, your data lives in multiple places at once – you need to know exactly where it is, who has access to it, and whether it’s backed up and secure.
5. Plan for Customer Communications
If a breach occurs, your customers shouldn’t find out about it through the grapevine. Prepare statement templates that can be issued as a rapid response in the event of an attack, and plan for a series of updates to minimize frustration and panic. If and when the time comes, you’ll be too busy putting out fires to create a statement from scratch. Even if an attack takes place in your wider industry without directly affecting your organization, it’s worth releasing a statement to assure customers their data is secure and you are taking steps to avoid similar incidents.
6. Protect Customer Data
Every business has a unique set of data protection considerations, so there’s no cookie-cutter template for a customer data protection plan. This component of your disaster recovery plan needs to be specific to your business and your customer base, and it needs to be reviewed and updated regularly. Regulatory bodies and cybersecurity insurance providers will vigorously uphold and investigate compliance requirements, but they won’t protect your customer data for you. It’s your responsibility to do everything possible to protect your customers’ interests.
7. Account for Remote Work
Remote work offers a host of benefits, and is without a doubt here to stay. However, it’s important to be aware that cyber criminals see this as an opportunity. In 2020, when the mass shift to working from home happened very quickly, there was little opportunity for the appropriate security upgrades. As a result, Datto observed a significant uptick in attacks. Enabling remote access to shared systems is now a standard requirement for most organizations, but allowing access from unsecured devices in people’s homes leaves businesses exposed. Again, limit employees to the access they actually need, and make sure the devices they connect from are secured.
8. Conduct Periodic Tests
When it comes to disaster recovery of your technology, you need to know your RPO and RTO. Your Recovery Point Objective (RPO) is the most data you can afford to lose, measured as a span of time: if your last good backup is six hours old when the attack hits, six hours of work is gone. Your Recovery Time Objective (RTO) is how long you can be down before it seriously starts to impact your bottom line, and therefore the target for getting systems back into service. In the event of an attack, how long will it take to get back to a full production environment where everyone has access to everything they need? Run the relevant tests, do the math, and set a goal for what these numbers should be for your business. Note that a backup schedule is not the same as an achieved RPO: a single failed job doubles the window of data you stand to lose.
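As an added illustration of "run the tests, do the math" (this is example code written for this summary, not a Datto tool or anything from Mike's session), the script below reads a constructed backup and restore-drill log, computes the worst-case RPO actually achieved per system (the longest gap between two successful backups, so a failed job widens the window) and the RTO measured in the last restore drill, and compares both with hypothetical per-system targets. The log lines, system names and targets are all made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the original page): one line per backup job
# and per restore drill. Format: <ISO timestamp> <backup|restore> <system> <status>
SAMPLE_LOG = """\
2024-03-01T00:00:00 backup fileserver ok
2024-03-01T06:00:00 backup fileserver ok
2024-03-01T12:00:00 backup fileserver failed
2024-03-01T18:00:00 backup fileserver ok
2024-03-02T00:00:00 backup fileserver ok
2024-03-01T00:00:00 backup crm ok
2024-03-02T00:00:00 backup crm ok
2024-03-02T09:00:00 restore fileserver start
2024-03-02T11:30:00 restore fileserver done
2024-03-02T09:00:00 restore crm start
2024-03-02T14:00:00 restore crm done
"""

# Hypothetical targets per system: the most data (as a span of time) and the
# most downtime the business has decided it can tolerate.
TARGETS = {
    "fileserver": {"rpo": timedelta(hours=8), "rto": timedelta(hours=4)},
    "crm": {"rpo": timedelta(hours=24), "rto": timedelta(hours=4)},
}


def parse_log(text):
    """Return a list of (timestamp, kind, system, status) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, system, status = line.split()
        records.append((datetime.fromisoformat(ts), kind, system, status))
    return records


def achieved_rpo(records, system):
    """Worst-case data loss: the longest gap between two successful backups.
    Failed jobs are skipped, so a single failure silently widens the window."""
    successes = sorted(ts for ts, kind, name, status in records
                       if kind == "backup" and name == system and status == "ok")
    if len(successes) < 2:
        return None  # not enough data to measure
    return max(later - earlier for earlier, later in zip(successes, successes[1:]))


def measured_rto(records, system):
    """Time from the start of the restore drill to a usable system."""
    events = {status: ts for ts, kind, name, status in records
              if kind == "restore" and name == system}
    if "start" not in events or "done" not in events:
        return None  # drill not run or never finished
    return events["done"] - events["start"]


def evaluate(text, targets):
    """Compare achieved RPO/RTO for each system with its targets."""
    records = parse_log(text)
    report = {}
    for system, target in targets.items():
        rpo = achieved_rpo(records, system)
        rto = measured_rto(records, system)
        report[system] = {
            "rpo": rpo,
            "rpo_ok": rpo is not None and rpo <= target["rpo"],
            "rto": rto,
            "rto_ok": rto is not None and rto <= target["rto"],
        }
    return report


if __name__ == "__main__":
    for system, result in evaluate(SAMPLE_LOG, TARGETS).items():
        rpo_state = "ok" if result["rpo_ok"] else "MISSED"
        rto_state = "ok" if result["rto_ok"] else "MISSED"
        print(f"{system}: RPO {result['rpo']} ({rpo_state}), RTO {result['rto']} ({rto_state})")
```

In the sample data the file server is backed up every six hours, but because the noon job failed its achieved RPO is twelve hours, missing an eight-hour target; the CRM restore drill took five hours against a four-hour RTO. Both are the kind of gap a periodic test is meant to surface before a real incident does.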
9. Review Your Business Insurance
In many ways, cyber insurance is much more complex than other types of insurance. As an industry, cyber insurance actually lost money in 2020 because of the volume and severity of attacks that took place. As a result, if an insurance provider sees your organization as high risk, it will have a huge impact on your premium. Worse still, your insurer might simply drop your business. As the insured party, you have a duty to understand your coverage and policy. If you have been keeping a log of issues, as per the disaster diary mentioned above, this will help you ensure that your potential risks are covered by your policy.
10. Ensure Information Access
If and when the time comes to file an insurance claim, will you have access to everything you need? Making a claim is not an easy process, and will place demands on your time and resources. Make it easier for your team by preparing in advance. Save multiple copies of your policy in different locations. As with your communications plan, you won’t have time to track this down or sift through reams of paperwork while an attack is happening. As part of this preparation, it’s also important to understand the timelines of making a claim and receiving a payout. Neither typically happen quickly, so as you look at your RTO and the associated costs, know that it might take 30 or 60 days for you to be reimbursed for your claim.
People and Processes are Key to an IT Disaster Recovery Plan
Mike concluded his session by reiterating the importance of people and processes in a successful disaster recovery plan. Even the best technology in the world can’t defend against a cyber attack unless you have the right processes in place and full buy-in from your employees. If even a single weak link exists in your organization’s cyber resilience, the criminals behind these cyber attacks will find it and exploit it. In a digital world where cyber attacks are becoming more commonplace every day, the only way to win this fight is with a culture of security.
Ready for more tips on building a resilient organization? Check out all of the Elevate event recordings on demand here.