Why Preparation is Key for Recovering from a Security Breach

A while back, I wrote a blog post about how to recover from a security breach. In that post, I detailed the main phases of security compromise recovery:

  • Stopping the attack,
  • Investigating the attack,
  • Notifying the affected parties and authorities,
  • Restoring the assets on your network, and
  • Preparing for the next attack.

However, one of the most critical aspects of recovering from a cybersecurity incident is preparing for a breach well before it occurs. I touched on this briefly in the aforementioned post, but this is a point that really deserves a more in-depth look to explain both the “how” and the “why?”

Top Reasons to Prepare for a Security Breach

There are many reasons why you should do everything you feasibly can to prepare for a cybersecurity breach to occur, including:

Sooner or Later, You WILL Be Attacked

Many business owners think that their business is too small to be a worthwhile target for thieves, or that their defenses are too good—but they’re only kidding themselves. According to data cited by TechRepublic.com, “Cyberattacks targeting businesses nearly doubled in the past year, from 82,000 in 2016 to 159,700 in 2017… since the majority of cyberattacks are never reported, the actual number of incidents could in fact be over 350,000.” Note that these numbers only reflect successful attacks—there are many, many more attempts that fail because of sensible cybersecurity measures.

No Defense is Perfect

If there is a legitimate way to access your data, then there’s a way for a malicious actor to get their hands on it. Even if you have a perfectly isolated network with the strictest security ever conceived, all it takes is one disgruntled or dishonest employee with legitimate access to compromise your security. With so many attacks succeeding each year, and the number of incidents continuing to grow year over year, it’s only a matter of time until an attacker is skilled enough, determined enough, or just plain lucky enough to find and exploit a gap in your cybersecurity architecture.

The Preparations You Make Can Have an Enormous Impact on Recovery Metrics

Making some basic preparations for what to do in the event of a cybersecurity compromise can dramatically alter your recovery point objectives (RPOs, which affect how much data is lost) and recovery time objectives (RTOs, which affect how long it takes to recover). The better these metrics are, the less disruption your company will suffer following a security incident.

Being Prepared Can Help Save You Money

As the old saying goes, “an ounce of prevention is worth a pound of cure.” Preventative measures that you take before a security incident, such as remote data backup, security information and event management (SIEM) systems, and even data breach insurance may not be free; but, they can pay for themselves and then some following a data security breach.

Being Prepared Can Save Your Business

According to data from the U.S. Securities and Exchange Commission (SEC), “60 percent of small firms go out of business within six months of a data breach.” While the reasons for this may vary, a large part of it is the high costs of a breach combined with the downtime a breach causes. As the SEC states, “The number of firms reporting that it took them at least three days to recover from an attack rose to 33 percent last year, up from only 20 percent the year before.” Three days is a lot time to be down in a business world that moves at the speed of the internet. How much business could you lose in that 72 hours? By having measures such as remote data backups in place, you can minimize the time it takes to recover from a breach—which also minimizes the disruptions your business would otherwise suffer.

These are just a few of the reasons why you should prepare for a data breach before one actually occurs. But, what steps can you take to prepare for a cybersecurity breach before it happens? Here are a few suggestions:

Ways to Prepare for a Cybersecurity Compromise

  1. Run an IT Security Policy/Architecture Audit. Security audits and assessments play a crucial role in cybersecurity incident prevention. By identifying all of the assets on your network as well as learning what operating systems and apps they run, you can identify key vulnerabilities in your network to reduce the risk of a breach happening in the first place. This is also a necessary step for making sure that you’re able to replicate all of your most important data later.

  2. Add IDS/IPS to Your Network. Intrusion detection systems (IDS), intrusion prevention systems (IPS), and SIEM programs can all provide a vital “early warning” of intrusion attempts into your network that allow your IT/cybersecurity team to react quickly to a breach in progress. This can do wonders to minimize the scope of a breach as well as speed up the recovery process. Additionally, if your solution keeps track of incidents in an event log, it can help you with the post-attack investigation and let you know how the attacker got in so you’re able to close that vulnerability.

  3. Create an Incident Response Plan (IRP). What should Bob from accounting do if he thinks that a security breach is in progress? Who should he reach out to? How can he limit the risk of a breach if he accidentally downloads malware? These are some of the questions that you can answer by creating an incident response plan and drilling it into the minds of every employee in the company—from the CEO down to the people working the front lines of the company. This way, everyone knows what they should do in the event of a breach.

  4. Add Data Backup. At a minimum, you should have some form of backup for all of your company’s most critical data. If it’s information you cannot do business without, you need to have it backed up in case your computers get encrypted with ransomware, accidentally deleted by human error, or destroyed by a disaster (fire, flood, earthquake, etc.). An ideal data backup solution would be a cloud-based one that updates frequently to ensure a relatively recent RPO (under 12 hours) and a fast RTO that runs on servers far away from your offices (so a natural disaster that hits your offices doesn’t get your data backup too).

  5. TEST YOUR IRP! Every business owner should strenuously test their incident response plans and recovery toolkits each quarter. Doing so has a few benefits:
    1. It helps you identify single points of failure in your recovery solution, so you can fix them.
    2. It helps keep the IRP “top of mind” for employees who are supposed to follow it. This makes it easier for them to remember when an actual breach occurs.
    3. It can make your time-to-recovery faster by making use of the recovery tools and following the IRP second nature for your employees.
    4. It lets you know your recovery tools will actually work when you need them to.

  6. Consider Acquiring Data Breach Insurance. Data breach insurance is a relatively new form of business insurance that has arisen in response to the massive numbers of data breaches that happen each year. This insurance is meant to cover the costs associated with a data breach, such as legal fees, providing identity protection, repairing/replacing compromised IT assets, and more. The exact nature of the coverage will, of course, vary from one insurance provider to the next, so it’s important to make sure that you know exactly what the insurance plan covers before settling on one.

  7. Create (or Acquire) a Dedicated Incident Response Team (IRT). Having a dedicated cybersecurity staff on-hand to specifically deal with security incidents can make an enormous difference in your ability to identify, contain, eliminate, recover from, and investigate cyberattacks. Dedicated incident response teams can help you manage your IRP as well as implement the security measures needed to prevent future attacks. While you can build an internal team of security experts to do this, it’s often easier and less costly to use a managed security provider to hire a full team of cybersecurity experts.

Want more information about how to protect your business from a cybersecurity compromise? Check out the Back to Cybersecurity Basics guide at the link below, or contact us directly!

reducing with risk Rapid7 and Compuquip