Cyber defense vs cyber resilience: why it's time to prioritize recovery
In an era when successful hacks are now an inevitability, too many organizations have a false sense of security when it comes to their data. Unfortunately, cyber criminals are ready and willing to take advantage of this complacency.
Gone are the days when CISOs could simply focus on building up frontline cyber defenses alone. Today’s cyber adversaries are using AI technologies like ChatGPT to augment and elevate the sophistication and effectiveness of their attacks on an industrial scale, whether that’s automating how they scan for vulnerabilities or initiating highly adaptive attacks that can evade traditional perimeter security measures.
The rising frequency and success rate of AI-powered cyberattacks means that organizations need to go beyond simply attempting to deflect cyberattacks. The inevitability of a breach means a new approach to cybersecurity is needed -- one where the emphasis is on resilience and recovery.
In other words, they need to elevate their cyber resilience capabilities so they can withstand and recover from cyber incidents that will put business-as-usual operations at risk.
Cyber resilience in a changing world
In the past, organizations running on-premises infrastructures could keep their data safe by restricting the number of access points and making sure these were appropriately protected. This, coupled with a robust backup system to counter disruptions caused by natural disasters and other events, was enough to get them back up and running again. Fast forward to today and the rapid evolution of the IT landscape means that securing the enterprise is no longer such a straightforward proposition.
The adoption of cloud computing has almost eradicated the concept of perimeter security. Meanwhile, the increased utilization of digital applications, combined with the shift to remote working, means that organizations face securing a much bigger attack surface, one where assets and critical data extend across multiple IT environments and beyond the traditional network perimeter.
With today’s employees typically using more than 35 different software tools to undertake their day-to-day tasks, tracking and protecting sensitive data and IP as it passes in and out of the cloud, via multiple apps, has become a top challenge.
In this brave new world, where post-breach scenarios are no longer a matter of ‘if’ but ‘when’, organizations will need to enable a robust and proactive cyber resilience strategy so they can detect, respond to, and recover from cyber incidents more effectively. To achieve this, they will need to focus on four key areas.
1) Ensure data backups are comprehensive
Being prepared for anything that could happen is a must-have. That means organizations need to safeguard and back up their data so it’s ready and available at a moment’s notice. In this day and age that means being able to identify all the business-critical data sources that need to be backed up, from file servers and data centers through to SaaS apps and email and CRM platforms.
Meanwhile, standard backups and procedures may have sufficed in the past, but that’s no longer the case. To enhance their data protection, organizations should have at least one other copy, ideally held at a secondary site. While this replication enhances the likelihood of a rapid recovery, it won’t deliver the belt-and-braces resilience that is needed to recover from a cyberattack that impacts both sites.
To maximize their cyber readiness, organizations should look to hold three copies of their data: two repositories kept in separate locations, plus a third copy that is ‘air gapped’ and securely held in the cloud. Air-gapping takes that copy offline, out of reach of standard access, and preserves its integrity -- key for protecting against malware.
By adopting this 3-2-1 backup strategy, organizations will be able to recover from unplanned disruptions faster and maintain compliance with data protection regulations.
2) Actively monitor the backup environment
In the past, data recovery following a network outage or other event could be undertaken in a relatively straightforward way. Organizations simply located their latest backup and initiated recovery procedures.
Today, however, chances are that cyber intruders will have already infiltrated that backup data. According to a recent study by IBM, bad actors can sit undetected in systems for up to 277 days on average. With 93 percent of ransomware attacks now actively targeting backup repositories, organizations need to be confident that when they attempt to recover data they don’t unwittingly unleash ransomware into production environments.
By proactively monitoring their live and backup data environments, organizations will be able to limit potential windows of exposure and detect attempts to infect critical data assets.
3) Initiate an isolated recovery environment
With cyber threats on the rise, organizations should establish an isolated recovery environment (IRE), or cleanroom, where they can test the integrity of their data recovery processes. By providing an isolated recovery environment, cleanrooms enable organizations to undertake the frequent and on-demand testing that is needed to ensure data cleanliness and readiness for recovery.
When a CISO determines that a cyber event is underway, teams responsible for recovery can fall back to this independent and secure environment, where they can conduct a forensic analysis and assure the secure retrieval of critical information.
Alongside helping organizations reduce data loss and minimize downtime by restoring the production environment to a safe environment where data can be rapidly recovered and validated, cleanrooms also enable organizations to regularly test their recovery plans in advance without disrupting production systems.
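The monitoring and cleanroom-testing steps above both come down to one question: is this backup set still what we wrote, and is it safe to restore? The following is an added illustration, not code from the article or from any vendor product. It assumes a hypothetical trusted manifest of SHA-256 hashes recorded at backup time and kept out of band (for example with the air-gapped copy), and compares a restored snapshot against it, flagging modified, missing and unexpected files and calling out modified files whose content looks encrypted.

```python
import hashlib
import math
from collections import Counter

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plaintext documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(manifest: dict, snapshot: dict, entropy_threshold: float = 7.5) -> dict:
    """Check a restored snapshot {path: bytes} against a trusted manifest {path: sha256}.
    Any deviation blocks restore into production; suspect files go to forensics."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspect_encrypted": []}
    for path, expected in manifest.items():
        if path not in snapshot:
            report["missing"].append(path)
            continue
        data = snapshot[path]
        if sha256_bytes(data) == expected:
            report["ok"].append(path)
        else:
            report["modified"].append(path)
            # A changed file whose bytes are near-uniform is the signature of bulk encryption
            if shannon_entropy(data) >= entropy_threshold:
                report["suspect_encrypted"].append(path)
    report["unexpected"] = [p for p in snapshot if p not in manifest]
    report["safe_to_restore"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report

# Constructed sample data: what was backed up, and the manifest recorded at that time.
ORIGINAL = {
    "finance/ledger.csv": b"date,amount\n2024-01-01,100\n2024-01-02,250\n",
    "hr/payroll.csv": b"name,salary\nalice,5000\nbob,5200\n",
    "docs/policy.txt": b"Backups are taken nightly and replicated offsite.\n",
}
TRUSTED_MANIFEST = {p: sha256_bytes(d) for p, d in ORIGINAL.items()}

# Constructed snapshot as found in the backup repository: one file intact, one replaced by
# uniformly distributed bytes (stand-in for ciphertext), one deleted, one file added.
SNAPSHOT = {
    "finance/ledger.csv": ORIGINAL["finance/ledger.csv"],
    "hr/payroll.csv": bytes(range(256)) * 4,
    "README_DECRYPT.txt": b"your files are encrypted\n",
}

if __name__ == "__main__":
    print(verify_backup(TRUSTED_MANIFEST, SNAPSHOT))
```

The entropy heuristic will also fire on legitimately compressed or already-encrypted archives, so treat it as a triage signal that routes a file to forensic review in the cleanroom rather than as proof of compromise; the hash mismatch alone is what blocks the restore.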
4) Enable cross-functional collaboration
Organizations must confront the disconnects that get in the way of enabling the resilience needed to withstand today’s elevated threat landscape. That means building synergies between IT and information security teams that will facilitate a more united approach to data security and recovery.
All too often organizations are constrained by functional silos that undermine cyber resilience efforts. For example, security is typically viewed as coming under the purview of the CISO while data and backup responsibilities lie with IT teams that report into the CIO. As a consequence, personnel responsible for recovery often aren’t informed until well after a breach is uncovered.
By employing modern recovery tools that integrate with Security Information Management (SIM) and Security Orchestration, Automation, and Response (SOAR) systems, organizations can ensure that the moment suspicious activity is detected in the production environment, recovery teams get immediate alerts and can work in concert with security teams. With a better connection between IT and security teams, organizations can flag latent threats earlier and respond faster in a way that minimizes the impact of cyber events, all of which adds up to reduced risk, fewer recoveries, and less downtime.
Building a cyber-resilient organization
Today’s organizations need to do more than just deflect cyberattacks. They also need to bolster and evolve their recovery capabilities, so they can restore business operations in a timely way and with zero loss.
To achieve all this, they’ll need a comprehensive data backup strategy that is purpose-built for today’s challenging times. This will ensure they can protect more data, monitor it actively, and test it in a controlled environment. Only then can they be certain that when a cyberattack strikes, they will be poised to respond with a rapid, complete, and clean data recovery.
Darren Thomson is Field CTO EMEAI at Commvault.