Recovering from a data breach requires an effective cyber resilience strategy
The exposure of an organization's sensitive data or personal customer records can be detrimental to a company's reputation. It may also result in severe financial implications due to regulatory fines and associated legal fees. Organizations must therefore strengthen their cybersecurity posture as cybercrime and ransomware attacks increase exponentially.
This is supported by findings from the recent UK Cyber Security Breach Survey 2024, which states that 50 percent of UK businesses reported having suffered a cyber-attack or breach in the last 12 months. Equally concerning is the global average cost of a breach, which reached $4.45 million in 2023 according to Statista.
Building a Security Defense
It is important to identify the common sources of a potential data breach and assess the organization's internal and external vulnerabilities in order to mitigate the risks effectively and strengthen the cyber resilience strategy. This requires a multi-faceted approach that considers the various ways a breach could occur.
External threats, meaning social engineering attacks such as phishing, or malware aimed at compromising an organization's systems or data, often succeed because of an internal vulnerability or human error that causes a software failure or opens a gap through which the breach occurs. According to Verizon's 2024 data breach report, human error was the cause of 68 percent of all breaches. Companies must therefore strengthen the first line of defense.
Employee training and awareness programs are essential to improving the security posture of an organization, particularly as AI advances and social engineering attacks become more realistic and harder to distinguish from legitimate communication. Methods such as gamification and simulation improve readiness by replicating realistic phishing emails in the work environment, and by providing tailored training that is specific to the organization and kept up to date with the latest threats.
Preventive risk control measures should also be implemented, with endpoint security measures such as detection and response, continuous risk scanning, network integrity monitoring and cloud environment protections. In addition, companies should segment their networks and apply security measures such as encryption, managed access controls and multi-factor authentication.
Identify Vital Data Assets
Organizations must determine their Vital Data Assets (VDA), which are assessed from a different standpoint than a Business Impact Analysis (BIA), to justify the investment in modern data protection strategies and cyber recovery readiness. Data protection strategies such as the 3-2-1 rule, which recommends keeping multiple backup copies of data, can exceed cyber security budgets if every data set is replicated.
Vital Data Assets (VDA) are sensitive, regulated, revenue-enabling or mission-enabling data which can threaten business viability if exposed, compromised or made unavailable. This is the data most likely to be held hostage in exchange for a ransom fee. Which systems or data sets count as vital to an organization's functionality during a data breach will vary from one organization to another, but identifying and securing this data is a key component of any cyber resilience strategy.
Reactive vs Preventive Risk Control
For most organizations, preventive risk controls are integrated into their cybersecurity strategy. These measures focus on the detection and prevention of cybersecurity threats to reduce the risk and impact of bad actors. While these measures are integral to a holistic approach to reducing the risk of a data breach, in an ever-changing threat landscape it is no longer sufficient for organizations to solely depend on preventive measures. Organizations must strike a balance between preventive and reactive risk controls.
Reactive risk control measures employ pre-built recovery plans in response to when (rather than if) data is compromised so that businesses are prepared for a data breach and can recover their data and systems securely and effectively.
Reactive risk control measures combine modern data protection strategies which recognize that when a data breach occurs, the compromised data may be missing or displaced rather than neatly synchronized in one place. Implementing measures such as immutable backups, pre-established off-network cleanrooms, and point-in-time rehydration and decryption can minimize the impact of a data breach while making sure that an organization's vital data assets remain secure.
Being Disaster Ready
In a non-physical cyber event such as a data breach, the most recent backup or replica of data may not be the right point in time to recover to. It is rather the last clean replica of the data that must be recovered. Which replica that is depends on when the compromise or infection took place for each system or application, and on finding a clean copy of the data to restore from.
In 2023, Statista put the global average time to identify and contain a data breach at 73 days. Malware could lie dormant in an organization's systems for up to 90 days if not detected, setting an organization back three months in its search for clean data to recover.
Ready for Recovery
Recovery strategies are driven by an organization's key recovery objectives, which include the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). RTOs define the targeted duration of time it should take to restore operations following a data breach, while RPOs define the maximum amount of data loss an organization can withstand while remaining functional.
In a data breach, RPOs are rarely met, as data loss can range from days to weeks or more depending on how far the perpetrators have compromised the backups. Therefore, the recovery of this data must be conducted in a staged manner, employing multiple isolated cleanrooms to ensure that the recovery environment is safe and uncompromised.
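The last-clean-replica rule from the previous section and the RPO discussion above can be made concrete with a small restore-point selection routine. The following Python is an added example and not code from the article or from 11:11 Systems; the catalogue, the compromise and detection timestamps, the system names and the tier map are all constructed for illustration. It picks, per system, the newest copy that is immutable, was taken before the estimated compromise, and passed a cleanroom scan, then reports the resulting data-loss window against the RPO and proposes a staged recovery order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RestorePoint:
    system: str
    taken_at: datetime
    immutable: bool   # copy could not have been altered or deleted by an intruder
    scan_clean: bool  # copy passed malware/integrity checks in the isolated cleanroom


@dataclass(frozen=True)
class Assessment:
    system: str
    restore_point: Optional[datetime]   # None means no trusted copy exists
    data_loss: Optional[timedelta]      # window between clean copy and detection
    rpo_met: bool
    dwell_time: timedelta               # compromise -> detection


def last_clean_restore_point(points: List[RestorePoint],
                             compromise_at: datetime) -> Optional[RestorePoint]:
    """Newest copy taken before the estimated compromise that is both
    immutable and scan-clean. The most recent backup is deliberately NOT
    preferred: anything taken after the compromise is untrusted."""
    candidates = [p for p in points
                  if p.taken_at < compromise_at and p.immutable and p.scan_clean]
    return max(candidates, key=lambda p: p.taken_at, default=None)


def assess_system(system: str, catalog: List[RestorePoint], compromise_at: datetime,
                  detected_at: datetime, rpo: timedelta) -> Assessment:
    own = [p for p in catalog if p.system == system]
    rp = last_clean_restore_point(own, compromise_at)
    dwell = detected_at - compromise_at
    if rp is None:
        return Assessment(system, None, None, False, dwell)
    # Everything written after the clean copy is untrusted, so the loss window
    # runs from the copy to detection, not merely to the compromise.
    loss = detected_at - rp.taken_at
    return Assessment(system, rp.taken_at, loss, loss <= rpo, dwell)


def staged_recovery_order(assessments: List[Assessment], tiers: Dict[str, int]) -> List[str]:
    """Vital data assets (lowest tier number) first, then by smallest loss window.
    Systems with no trusted copy go last: they must be rebuilt, not restored."""
    recoverable = [a for a in assessments if a.restore_point is not None]
    rebuild = [a for a in assessments if a.restore_point is None]
    recoverable.sort(key=lambda a: (tiers.get(a.system, 99), a.data_loss))
    return [a.system for a in recoverable] + [a.system for a in rebuild]


# ---- constructed sample catalogue (not real data) ----
T0 = datetime(2024, 3, 1)


def day(n: int, hour: int = 1) -> datetime:
    return T0 + timedelta(days=n, hours=hour)


CATALOG = [
    # erp-db: daily immutable snapshots; the day-9 copy failed the cleanroom scan
    # (dormant malware already present), the day-11 copy holds encrypted data.
    RestorePoint("erp-db", day(7), True, True),
    RestorePoint("erp-db", day(8), True, True),
    RestorePoint("erp-db", day(9), True, False),
    RestorePoint("erp-db", day(11), True, False),
    # file-share: one weekly immutable copy; daily copies are mutable and untrusted.
    RestorePoint("file-share", day(3), True, True),
    RestorePoint("file-share", day(8), False, True),
    RestorePoint("file-share", day(9), False, True),
    # hr-portal: mutable backups only, so no trusted restore point at all.
    RestorePoint("hr-portal", day(9), False, True),
]
COMPROMISE_AT = day(10, 2)   # estimated from forensic timeline (constructed)
DETECTED_AT = day(14, 9)     # constructed
RPO = timedelta(hours=24)
TIERS = {"erp-db": 1, "file-share": 2, "hr-portal": 3}   # 1 = vital data asset


def run():
    systems = sorted({p.system for p in CATALOG})
    results = {s: assess_system(s, CATALOG, COMPROMISE_AT, DETECTED_AT, RPO)
               for s in systems}
    order = staged_recovery_order(list(results.values()), TIERS)
    return results, order


if __name__ == "__main__":
    results, order = run()
    for a in results.values():
        print(a)
    print("staged recovery order:", order)
```

The point the routine makes is that the clean copy is chosen by three independent facts (taken before the compromise, immutable, scanned clean in a cleanroom), and that the resulting loss window is measured from that copy to detection, which is why a 24-hour RPO is missed for every system once dwell time stretches to days.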
However, if the right preventive and reactive measures are in place and the attack is detected quickly, dwell time and data loss can be significantly reduced, allowing businesses to recover proficiently.
Lastly, conduct regular audit checks to establish a comprehensive data breach prevention strategy, ensuring that security controls are assessed and that compliance with laws such as HIPAA and PCI is maintained. Organizations must also adapt and innovate their cybersecurity provisions as threat vectors evolve. It is necessary to test consistently, prove recoverability and practice the recovery response in order to maintain the lifecycle of recoverability.
Sam Woodcock is senior director of cloud strategy and enablement at 11:11 Systems.