CIO

Recovering from a ransomware attack: Why a combined security and disaster recovery plan is key for speed

By Andrew Martin, VP, Zerto APJ

The new data breach legislation which came into effect in Australia recently means that every ‘sizeable’ organisation must comply or risk crippling fines of up to $2.1 million. With cybercrime and ransomware attacks on the rise, it’s not a question of ‘if’ a data breach is going to happen, it’s ‘when’, and how quickly your organisation can get back up and running following the event.

Previously, organisations have considered it acceptable to plan and execute their security and disaster recovery programmes as two separate operations, working side by side but never crossing over or collaborating. Now – in the midst of the cloud era – this approach is likely to cause headaches for the IT teams that still operate this way.

The pitfalls of running plans in parallel

Organisations, no matter how big or small, are frequently exposed to cyber attacks or breaches when they rely solely on security measures. The WannaCry and Petya ransomware outbreaks impacted many organisations around the globe and brought many of them to a standstill.

Truly resilient IT plans include a “keep-out” security strategy and a recovery plan that guarantees it will take minimal time to return to normal operations. In other words, the first line of defence should always be a modern security technology that works to keep attacks from penetrating vital systems and data. But in the event an attack does get past the firewall, it is critical that organisations have a plan that allows for rapid recovery and a return to business as usual as quickly as possible.

How to consolidate for a solid IT resilience plan

Any organisation that wants to combine security and recovery should consider these three basic steps to prevent intrusions and be ready to respond quickly if a breach occurs.  

Firstly, organisations should plan and maintain a consistent update schedule. It is essential to update and upgrade frequently; issuing updates once a month will no longer suffice. Addressing the threat landscape as categories instead of individual threats can help focus a schedule on which updates are applied to which systems, and when. This requires constant vigilance across the organisation.

With ransomware, a prevention-only strategy now amounts to a failure to prepare, because ransomware straddles the fence between security and disaster recovery. Having “DVR-like” capabilities to “rewind” to the seconds before the encryption occurred and address the specific flaw is a key enabler of a recovery plan.
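The “rewind to the seconds before encryption” idea is easiest to see with a write journal. What follows is an added Python example, not Zerto’s product code or anything from the article: it keeps a timestamped journal of file writes, uses a byte-entropy heuristic (an assumption on my part, with a constructed cut-off of 7.0 bits per byte) to find the first write that looks like ransomware output, and rebuilds the volume as it stood just before that write. Every path, timestamp and payload is constructed for the demo.

```python
"""Journal-based point-in-time recovery, illustrated (added example, constructed data)."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Write:
    """One journaled file write (all fields constructed for the demo)."""
    t: float      # seconds since the journal started
    path: str
    data: bytes


@dataclass
class Recovery:
    recovery_index: int             # number of journal entries replayed
    recovery_time: Optional[float]  # timestamp of the last replayed write
    data_loss_seconds: float        # gap between recovery point and first bad write
    volume: Dict[str, bytes]        # reconstructed file contents


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary text sits around 4-5, ciphertext is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


ENTROPY_THRESHOLD = 7.0  # assumed heuristic cut-off, not a product setting


def looks_encrypted(w: Write) -> bool:
    """Heuristic: an overwrite whose payload is near-random is the ransomware signature."""
    return shannon_entropy(w.data) > ENTROPY_THRESHOLD


def first_suspicious(journal: List[Write]) -> Optional[int]:
    """Index of the first journal entry that looks like encryption, or None."""
    for i, w in enumerate(journal):
        if looks_encrypted(w):
            return i
    return None


def recover(journal: List[Write]) -> Recovery:
    """Replay the journal up to, but excluding, the first encrypting write.

    A nightly snapshot would instead roll the volume back to the previous
    night; the journal lets the recovery point sit seconds before the attack.
    """
    cut = first_suspicious(journal)
    if cut is None:
        cut = len(journal)  # nothing suspicious: replay everything
    volume: Dict[str, bytes] = {}
    for w in journal[:cut]:
        volume[w.path] = w.data  # later writes to a path win, as on a real volume
    recovery_time = journal[cut - 1].t if cut > 0 else None
    loss = 0.0
    if cut < len(journal):
        loss = journal[cut].t - (recovery_time if recovery_time is not None else 0.0)
    return Recovery(cut, recovery_time, loss, volume)


# Constructed sample data. The "ciphertext" is a deterministic stand-in in
# which every byte value occurs equally often, so it scores 8.0 bits/byte.
PLAINTEXT_V1 = b"quarterly report: revenue up 3%\n" * 8
PLAINTEXT_V2 = b"quarterly report: revenue up 4% (revised)\n" * 8
PLAINTEXT_BUDGET = b"budget fy19: travel 12000, hardware 45000\n" * 8
CIPHERTEXT = bytes((i * 131 + 7) % 256 for i in range(1024))

JOURNAL = [
    Write(0.0, "docs/report.docx", PLAINTEXT_V1),
    Write(1.5, "docs/budget.xlsx", PLAINTEXT_BUDGET),
    Write(3.0, "docs/report.docx", PLAINTEXT_V2),  # legitimate edit
    Write(4.2, "docs/report.docx", CIPHERTEXT),    # ransomware begins overwriting
    Write(4.3, "docs/budget.xlsx", CIPHERTEXT),
]

if __name__ == "__main__":
    r = recover(JOURNAL)
    print(f"rewound to t={r.recovery_time}s after replaying {r.recovery_index} writes; "
          f"data-loss window {r.data_loss_seconds:.1f}s")
    for path, data in sorted(r.volume.items()):
        print(f"  {path}: {shannon_entropy(data):.2f} bits/byte")
```

Run as a script, it rewinds to t=3.0s, keeping the revised report and the budget file and discarding both encrypted overwrites; the data-loss window is the 1.2 seconds between the last good write and the first encrypting one, which is what makes an RTO and RPO of minutes rather than a day achievable. Real continuous data protection products journal at the block level rather than per file and combine several signals beyond entropy, but the replay-to-a-point-in-time logic is the same.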

Secondly, testing and supervision should be coordinated to reduce recovery times. Modern disaster recovery plan testing can no longer be an annual or even quarterly drill. Frequent and continuous testing must be conducted to guarantee that the disaster recovery plan enables organisations to recover quickly and resume business as usual.

As security and disaster recovery plans converge into a single IT resilience strategy, they should be governed by a single team and staffed by individuals with specific expertise. As both plans are combined into one with a goal of ensuring uninterrupted IT, it is only logical to merge the teams supervising them.

The combined team should create and manage a consolidated security and disaster recovery plan to produce a recovery time objective (RTO) of just a few minutes.

And lastly, organisations should align their security and disaster recovery strategies around a trusted three-pronged approach to IT resiliency: protect, detect and respond. This method covers all the bases to neutralise cyber-attacks and other business disruptions quickly after the infrastructure has been infiltrated.

Reliance on data and applications is only set to increase as organisations continue to strive for an advantage in tightly competitive markets. As the number of high-profile cyber-security attacks over the last year has shown, organisations leave themselves exposed if integration between disaster recovery and security isn't implemented.