An expression commonly associated with the U.S. Navy is “every sailor is a firefighter.” This saying exemplifies the Navy’s policy of preparing every sailor for an emergency during basic training. Through experience, the “Navies” of the world have learned that there is no greater threat to a ship than lack of training and preparedness. By making emergency training part of the core culture of the U.S. Navy, the level of impact from a disaster is greatly mitigated.
Current events have warranted a second look at our own disaster recovery and business continuity plans within the IT and cybersecurity realm. Many of these same lessons hold true whether it be a ship or a business. Being prepared for the worst is not being pessimistic; it’s a means of survival in today’s unchartered waters. The longer a company is afloat, the more likely it is to experience a disaster. All businesses, large or small, can benefit from the Navy mindset.
IT disaster preparedness is no longer about simple onsite backups; it has become an evolving discipline based around executive planning, technical assets, and user awareness.
IT Disaster Types
Recovery from a disaster can feel like an endless money sink with moving goalposts. Until recently, the prevailing belief was that backups were enough to recuperate from almost any disaster. The unfortunate reality is that on-site backups are nowhere near enough to mend a vast majority of the threats facing a modern business. Natural disasters may ruin these backups entirely. Attackers know to look for these backups and specifically target them during their operation. Assuming these backups do make it through the incident, utilizing them can prove to be a slow and cumbersome task. Worse yet, if the incident is a cyberattack, then a simple backup cannot hope to resolve the issues present. The type of disaster will have a significant impact on the recovery plans that are needed.
Natural disasters are almost exclusively a threat to the physical infrastructure that supports business operation. In our experience, it is rare for hurricanes to launch ransomware attacks against a company’s network. They take the more direct approach of destroying the entire datacenter instead. Natural disasters can cause complete network failure and even destroy entire businesses if contingency plans are not in place.
User Mistakes/System Errors
The good news here is that you are not under attack. The bad news is that your entire ordering system is offline for the next few weeks and you are losing money by the minute. Human and system error is a huge cause of IT disaster. Having solutions in place that reduce the risk of human error or system failure is important. Having an answer when things go wrong is imperative. There is nothing worse than a bad patch pushed to production that takes down a business.
The “boogeyman” of IT disaster. Cyberattacks are usually defined as deliberate, intentional effort against a system in order to achieve some goal. Unfortunately, these goals are not written in stone. Sometimes, people just want to watch the world burn. Other times, a foreign government may be trying to perform espionage. One thing is certain: cyberattacks have the capability to cripple a business if left unchecked.
All too familiar today, global events can be a huge factor to consider when developing a DRBC plan. The COVID-19 pandemic has strained resources worldwide, and businesses have been caught without contingency plans for such events. A well-established DRBC plan will include elements accounting for possible ramifications resulting from a global incident. For example, a remote operations contingency could be established to prevent disruption when migrating all personnel to remote operations.
Sure, a global ransomware attack targeting your industry is not exactly comforting. But sometimes it’s the simpler things that really bring the pain. Not all disasters need to be categorized in order to cause harm. It is highly recommended that a business utilizes a continuity plan that is resilient in all scenarios. Alien attacks should only be a temporary setback for the properly prepared IT division.
Disaster Recovery & Incident Response
The odds look stacked when the threats are viewed one after the other. Sometimes it feels like everything is actively working against a stable IT infrastructure. Luckily, the good guys have a few tricks up their sleeves as well. This section will define some of the critical countermeasures to these disasters and why every company, no matter the size, can afford these solutions. A prepared company is a safe company.
Business Continuity Plan
What is a it?
A Business Continuity Plan is the first IT disaster plan that should be developed in any company. At its most basic level, the plan is a sort of “catch-all” for any disaster. Usually these do not include actual response plans but rather outline the people and systems needed to recover from a disaster. For example, a business continuity plan may account for all current assets and try to determine the roadmap to recovery based on several different scenarios. It is common for companies to begin the creation process for these plans by performing a third-party audit. After discovering their gaps and vulnerabilities, a plan can be formed on what resources are needed to ensure as much uptime as possible when disaster strikes.
Who implements it?
Usually developed by specialized experts, these plans incorporate all assets available to a business in order to define a rigid pathway to recovery. Well-defined roles are vital to smooth plan operations.
When should we get one?
These plans should be implemented early-on in a business’ operational life. The urgency of having this plan changes based on several factors, but generally these should be developed ASAP and updated at least annually.
Where does this fit in?
Both Physical and Technological domains. Accounts for users, software, hardware, location, assets, finances, and other critical components that make up a business.
How is it created?
Development of a solid Business Continuity Plan can be a daunting task. Often, companies will hire external consultation that specializes in auditing sensitive systems and providing a roadmap based on observed risks and assets. Consultants will work with internal staff to determine the most efficient approach to developing the business continuity plan. After initial scoping and roadmapping, implementation takes place in the form of more specialized planning and technology.
Modern Disaster Recovery Software/ DRaaS
What is it?
As we mentioned earlier, it is vital that companies have more than simple backups. A key factor in modern disaster recovery is proper software and services. It’s not enough to have a tool; you also need people that know how to use it. Disaster Recovery as a Service (DRaaS) ensures a continuously monitored and updated DR plan that allows for quick rollout from a secure offsite location. While generic backups are slow to deploy, DRaaS emphasizes speed and redundancy.
Who manages it?
Internal or Third-Party disaster recovery teams manage this technology. Usually, it falls under the umbrella of IT unless the budget specifies disaster recovery as an individual entity. It requires constant verification, management, and testing.
When should we consider this?
DRaaS solutions are more specialized than a general Business Continuity Plan. Whereas a Business Continuity Plan is critical early-on, DRaaS can sometimes be “replaced” by simple backups for small businesses with a minor infrastructure footprint. While this solution is recommended (and usually affordable) for everyone, the real measurement to whether this technology is needed should be based on the “uptime” requirements of an operation. For example, if a business is unable to handle a loss of data and infrastructure for more than one day, DRaaS would be the optimal solution.
Where does this fit in?
Purely technological and operational, this solution generally falls under the IT umbrella. This technology is a core asset to any serious business continuity plan.
How does it work?
DRaaS solutions differ by vendor, but generally the process looks familiar no matter the solution. First, servers or virtual machines are deployed (either on-prem or in the cloud) to run the backup and mirroring operations. These tools then send snapshots of the environment and data to geographically separate sites in order to prevent data loss during a disaster. When disaster recovery is initiated, the entire infrastructure can be hosted via these offsite solutions with the flip of a switch.
Incident Response Plan
What is it?
This is often an overlooked component of a proper disaster recovery plan. Our quick overview of an IR plan was outlined in last month’s post. These plans incorporate a huge array of security concepts in order to consolidate a solid plan should the company be attacked. Initial triage is massively important. Without proper scoping, a company could miss a threat or greatly overspend on their response. These plans contain the contacts and systems necessary to respond effectively to a cybersecurity threat. There is simply no substitute for properly training associates on what to do when an attack happens.
Who implements it?
These plans are generally part of a highly specialized subdomain of Cybersecurity. As such, Incident Response specialists are usually required to create a properly configured Incident Response plan. Generally internal or external IR specialists or CISOs will work with the staff to evaluate capabilities and procedures necessary to scope, contain, eradicate, and recover from a cybersecurity incident.
When should we get one?
Cyberattacks are possible regardless of business size and can prove fatal for many businesses. These Incident Response plans should be considered a core part of business continuity planning and implemented ASAP.
Where does it fit in?
Technological domain only. Incident Response plans are generally scoped to specifically target cyberattack response. While some cyberattacks may come from physical sources such as social engineering, overall this plan is scoped for technological responses.
How does it work?
Creation of an Incident Response plan can vary greatly depending on the assets within a business. For most companies, the two greatest threats are ransomware attacks and data breaches. Responding to these sorts of incidents requires knowledge of attackers and their techniques, tactics, and procedures. Deep technical knowledge and forensic techniques are usually needed to determine root cause of cyber incidents. Responding appropriately via a strict incident response procedure can help a business recover quickly and prevent future incidents.
It might be a cliché, but the only constant in the world is change. Entropy runs the universe, but Business Continuity Plans can help provide some peace of mind. Be sure to filter through the noise and evaluate what really matters in your business. If you feel overwhelmed or lack the expertise, look for experienced auditors and consultants to evaluate the risks and vulnerabilities you face.
For more details on current contingency planning standards, be sure to check out the NIST Contingency Planning Guide for Federal Information Systems: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.