Chris Smith of Marsh Commercial wrote a piece in the December edition of Executive that offered 6 controls that businesses should implement to improve their cyber hygiene. David Massey, Managing Director of The Apprentice Store focuses on one of those recommendations, ‘Incident response plan’, as they typically find many businesses do not address this.
Security means different things to different people but most people think about hackers when they think of cybersecurity. The cyber event could be a hacker but equally it could be loss of power, hardware failure, a software update that went wrong, good old flood/fire/theft or an employee that has maliciously or accidentally corrupted your data. We were all impacted by a forced change in our working practices in 2020 due to a global pandemic, incident response plans help address the impact to your business should an incident happen.
Regardless of the cause, a cyber event results in the loss of access to your data with each type bringing its own challenge with respect to mitigation and recover strategy. There is no magic wand that can be waived as whilst many businesses align to certain recovery plans due to common systems, their incident plan will need to meet their own unique business and technology requirements. Having a response plan written down helps you stay focused on the task of running your business should an event happen. Testing the response plan for different scenarios gives you confidence that your plan works and helps remove pressures on the many decisions that might need to be made should an event happen.
I would suggest that having a proven backup strategy that meets your own business recovery objectives is critical to a successful recovery. There are two Key Performance Indicators (KPI) for defining recovery with them being the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These KPIs should be business rather than technology defined to meet your own processes:
A Recovery Time Objective defines how quickly you need the business process to be working following an incident. You may also what to consider what recovered actually means as the whole process may not need to be fully operational to recover under certain conditions. Your incident response plan needs to be capable of meeting the RTO but do think about different RTOs for different systems, data and scenarios. Testing your RTOs can be met under different event conditions is really important as you can confirm and remove assumptions.
A Recovery Point Objective defines the point in time that you want to recover to, it basically defines how often you backup and so how much data you can afford to lose. This KPI is a balance between the cost of backing up your data and the cost of losing data. The method by which you backup your systems data will heavily influence how quick you can recover and is dependent upon system and process capabilities. Testing your RPOs can be met under different event conditions allows you to have confidence that your business can recover.
When working with clients we are regularly asked to provide no downtime RTOs and not data loss RPOs for all business systems and associated data. Whilst these KPIs are achievable, this comes at a cost and highlights the need to balance the cost and risk when specifying your RTO and RPO for each system.
Final Thoughts
- Plan to fail rather than fail to plan when it comes to your security resilience.
- Having an untested plan is not much better than having no plan at all.
- Test under different scenarios with different people to build confidence that your RTOs and RPOs can be achieved.
- Please backup your data and regularly check that it works as you don’t want to find that it does not when you need it.
If you would like to learn more about how The Apprentice Store can help ensure you have a robust and tested incident response plan please get in touch.