An expression commonly associated with the US Navy is “every sailor is a firefighter.” This saying exemplifies the Navy’s policy of preparing every sailor for an emergency during basic training. Through experience, the “Navies” of the world have learned that there is no greater threat to a ship than lack of training and preparedness. By making emergency training part of the core culture of the US Navy, the level of impact from a disaster is greatly mitigated.
Within the IT and cybersecurity realm, many of these same lessons hold true. Being prepared for the worst is not being pessimistic; it’s a means of survival in today’s uncharted waters. The longer a company is afloat, the more likely it is to experience a disaster. All businesses, large or small, can benefit from the Navy mindset. IT disaster preparedness is no longer about simple onsite backups; it has become an evolving discipline based around executive planning, technical assets, and user awareness.
IT Disaster Types
Recovery from a disaster can feel like an endless money sink with moving goalposts. Until fairly recently, the prevailing belief was that backups were enough to recuperate from almost any disaster. The unfortunate reality is that on-site backups are nowhere near enough to recover from the vast majority of the threats facing a modern business.
Natural disasters may ruin these backups entirely. Attackers know to look for these backups and specifically target them during their operation. Assuming these backups do make it through the incident, utilizing them can prove to be a slow and cumbersome task. Worse yet, if the incident is a cyberattack, then a simple backup cannot hope to resolve the issues present. The type of disaster will have a significant impact on the recovery plans that are needed.
Natural Disasters
Natural disasters are almost exclusively a threat to the physical infrastructure that supports business operation. In our experience, it is rare for hurricanes to launch ransomware attacks against a company’s network. They take the more direct approach of destroying the entire datacenter instead. Natural disasters can cause complete network failure and even destroy entire businesses if contingency plans are not in place.
User Mistakes/System Errors
The good news is that you are not under attack. The bad news is that your entire ordering system is offline for the next few weeks and you are losing money by the minute. Human and system error is a huge cause of IT disaster. Having solutions in place that reduce the risk of human error or system failure is important. Having an answer when things go wrong is imperative. There is nothing worse than a bad patch pushed to production that takes down a business.
Cyberattacks
The “boogeyman” of IT disaster. Cyberattacks are usually defined as a deliberate, intentional effort against a system in order to achieve some goal. Unfortunately, these goals are not written in stone. Sometimes, people just want to watch the world burn. Other times, a foreign government may be trying to perform espionage. One thing is certain: cyberattacks have the capability to cripple a business if left unchecked.
Other Disasters
Sure, a global ransomware attack targeting your industry is not exactly comforting. But sometimes it’s the simpler things that really bring the pain. Not all disasters need to be categorized in order to cause harm. It is highly recommended that a business utilizes a continuity plan that is resilient in all scenarios. Alien attacks should only be a temporary setback for a prepared IT division.
Disaster Recovery & Incident Response
The odds look stacked when the threats are viewed one after the other. Sometimes it feels like everything is actively working against a stable IT infrastructure. Luckily, the good guys have a few tricks up their sleeves as well. This section will define some of the more common counters to these disasters and why every company, no matter the size, can afford these solutions. A prepared company is a safe company.
Business Continuity Plan
This is the first IT disaster plan that should be developed in any company. At its most basic level, the plan is a sort of “catchall” for any disaster. Usually these do not include actual incident response plans but rather outline the people and systems needed to recover from a disaster.
For example, a business continuity plan may account for all current assets and try to determine the roadmap to recovery based on several different scenarios. It is common for companies to begin the creation process for these plans by performing a third-party audit. After discovering their gaps and vulnerabilities, a plan can be formed on what resources are needed to ensure as much uptime as possible when disaster strikes.
Modern Disaster Recovery Software/DRaaS
As we mentioned earlier, it is vital that companies have more than simple backups. A key factor in modern disaster recovery is proper software and services. It’s not enough to have a tool; you also need people that know how to use it. Disaster Recovery as a Service (DRaaS) ensures a continuously monitored and updated DR plan that allows for quick rollout from a secure offsite location.
Incident Response Plan
This is often an overlooked component of a proper disaster recovery plan. Our quick overview of an IR plan was outlined in last month’s post. These plans incorporate a huge array of security concepts in order to have a solid plan should the company be attacked. Initial triage is massively important. Without proper scoping, a company could miss a threat or greatly overspend on their response. These plans contain the contacts and systems necessary to respond effectively to a cybersecurity threat. There is simply no substitute for properly training associates on what to do when an attack happens.
What’s Next?
Now that we’ve covered what you need, we’ll be delving into much more detail about individual disaster recovery vehicles. Next month, we will finish our Defense in Depth series by covering the final two control types and providing examples regarding their implementation.
After that, expect a new series on disaster recovery and incident response planning. This will be a bit more technical, providing real-world resources and examples for assistance with developing IT disaster recovery plans. For more details on current contingency planning standards, be sure to check out the NIST Contingency Planning Guide for Federal Information Systems: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.