By Michael Lay, Senior Consultant
Traditional disaster recovery and business continuity planning methodologies are quickly becoming outdated due to modern threats, like ransomware, which increased nearly 170% globally in 2015 alone. Can your business continuity and data protection strategies withstand the inevitable cyberattack?
The foundation of the traditional Business Continuity Planning (BCP) model, espoused by the industry-standard setting Disaster Recovery Institute International (DRII), is the Risk Assessment. The first step is to identify the risks – typically, natural disasters, power failures, supply chain issues, even terrorism – and their likelihood to occur. The next step is to conduct the Business Impact Analysis (BIA), which identifies business processes, staffing requirements, Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO). A thorough BIA provides the business requirements essential to effective Business Continuity and Disaster Recovery planning.
The traditional model has worked well in the past, but the threat landscape is constantly changing. What will you do if compromised data has already been replicated to your disaster recovery site? What if some of the data was compromised days or weeks ago? Can your local backups recover the data fast enough to meet your defined RTOs? We have found that most companies that can meet their RTOs after a disaster like the loss of a data center, may not be able to recover fast enough from ransomware.
Accudata believes cyberattacks and ransomware should be considered a type of disaster and that Incident Response Plans (IRP) should be integrated into the BCP to better address these types of threats. An IRP integrated with the BCP leverages what has been developed for the BCP, including communications processes, corporate policies, and guidelines for team interactions. The IRP helps businesses manage the aftermath of an attack while reducing recovery time and costs. The more specialized Cyber Incident Response Plan (CIRP) brings in cybersecurity personnel and other third parties to manage forensics, impacted regulatory compliance, and breach notification.
In addition to an integrated IRP, our experts believe that a clearly-defined data protection program is essential to recovering from a disaster like ransomware. The first step is to classify your data: 1) public, 2) sensitive, 3) confidential, or 4) data protected by regulatory controls. Then, determine RTOs for each data class, how long you need to keep the data, and where the data should live. Once you’ve determined the business requirements around your data, then you can implement an appropriate backup and recovery solution.
We’ve found that most companies are following the 3-2-1 rule when protecting data: 3 copies, 2 different locations, 1 offsite. Most organizations also perform some type of weekly or monthly full backup and incremental backups during the week. This strategy has worked well in the past, but today’s threats require a higher level of data protection.
In the past, most companies backed up their data and kept the tapes offsite. If there was a disaster, the strategy was to restore the data in another location. As the amount of data continues to grow, though, most companies have not been able to recover fast enough to meet their RTOs since most traditional backup solutions typically see a 24 hour critical data recovery time.
So, how can IT help the business return to “normal” more quickly and with as little data loss as possible after a security incident? Traditional Disaster Recovery is typically an all or nothing failover scenario, which is fine for a natural disaster, but cyberattacks usually focus on a segment of the business. What happens if the event is replicated to the DR site and failover is not possible? You may have to revert back to the latest backups, which could be hours if not days old. Also, in Disaster Recovery scenarios we often focus on applications and then user data is treated as a best-effort to restore. However, business units are now using all types of data, and unstructured data is becoming just as important as critical applications.
Accudata recommends a defense-in-depth strategy. We need to protect applications and data using a variety of approaches attuned to the type of data, its criticality, and the type of disaster event. A ransomware incident will likely include a three-pronged approach of backup, restore, and snapshot to fully recover the business.
So, where do you start? With what you have. Take time to assess, either through internal reviews or a third party, like Accudata, to understand the state of your organization’s BCP/DR strategy and whether it includes an integrated IRP. Accudata can perform a Business Continuity Health Check and a Backup and Recovery Health Check to discover what you have in place already, identify gaps, and make best-practice recommendations. We also offer a Business Continuity and Disaster Recovery Workshop and a Full Data Center Assessment to ensure your organization is prepared for the inevitable attack.