A ransomware attack happens every 11 seconds. In 40% of companies that get hacked, the same organization is hit again within 9 months. I don’t share that to scare you (although it should get your attention). It happens because companies think they have addressed and controlled a hack by isolating it in the Response step. Statistics show that most companies begin operating as if “we’re back to normal” before they have fully identified the extent of a breach and closed the hole that allowed it. If you don’t want to be part of the 40% who did not fully recover from the cybersecurity incident and left themselves vulnerable to a second attack, recover from cyber risks using the NIST Framework.
SMBs can use the NIST Recover function to identify appropriate activities to maintain resilience and restore any capabilities that were impaired due to a cybersecurity incident.
1. Recovery Planning – Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.
2. Forensics – Make sure the bad actors are definitely removed and blocked from your systems.
1. Recovery Planning
After a cybersecurity incident, it’s critical to know which systems to focus recovery efforts on and where to look for vulnerabilities. This requires software platforms that dig in and ferret out security risks, and capable technicians to drill into the risks and lock them up. Having your cybersecurity team do this after-action review and cleanup puts you in a much better place. Sadly, this step is often skipped, which is why the hackers retain access and do their thing months later.
2. Forensics
Post-breach forensics ensures the damage has been stopped, locates its root cause in order to fix it, and provides the insights to learn from it. On the most basic level, after you have recovered from the security event, you need to have a team review the logs and systems to ensure the breach has been cleared everywhere and there are no back doors for the hackers to use later. For example, after a user has their email breached and the hacker attempts to use the account to complete a wire transfer, changing the user’s password and calling it a day is not a sufficient response. IT must examine other email accounts to identify unusual activity. Were any new accounts, or worse, administrative users, created during that time? Were any new rules created in the Outlook account that need to be removed? Could multi-factor authentication have prevented the breach? You cannot determine the proper Recovery actions without a thorough assessment of the incident on all levels, including technology, security tools, procedures, and human error.
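The post-breach review described above, as an added example that is not part of the original post: it walks a constructed audit log for the breach window and lists the inbox rules, new accounts and admin role grants that must be reversed or explicitly approved before the incident is declared closed. The record fields, operation names and domain names are assumptions for illustration, not a real vendor schema.

```python
"""Post-incident review of audit records after an email account compromise.
Example code; the log format below is simplified and constructed, not a
real mail-platform schema."""
from datetime import datetime, timezone

# Constructed sample records (not real log data). Field names are assumed.
AUDIT_LOG = [
    {"time": "2024-03-01T09:02:00Z", "actor": "finance@example.com",
     "op": "InboxRuleCreated", "target": "Auto-forward invoices",
     "details": {"forward_to": "mailbox@external.example", "delete": True}},
    {"time": "2024-03-01T09:10:00Z", "actor": "finance@example.com",
     "op": "UserCreated", "target": "svc-backup@example.com", "details": {}},
    {"time": "2024-03-01T09:12:00Z", "actor": "finance@example.com",
     "op": "RoleMemberAdded", "target": "svc-backup@example.com",
     "details": {"role": "Global Administrator"}},
    # Benign rule created before the breach window: must not be flagged.
    {"time": "2024-02-20T14:00:00Z", "actor": "finance@example.com",
     "op": "InboxRuleCreated", "target": "Move newsletters",
     "details": {"forward_to": None, "delete": False}},
    # Legitimate response action after the window: also not flagged.
    {"time": "2024-03-02T08:00:00Z", "actor": "it-admin@example.com",
     "op": "PasswordReset", "target": "finance@example.com", "details": {}},
]

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_breach_window(records, start, end, internal_domain):
    """Return (action, actor, target) findings for changes made inside
    [start, end] that a recovery team has to undo or approve."""
    findings = []
    for rec in records:
        if not (start <= parse_time(rec["time"]) <= end):
            continue
        d = rec["details"]
        if rec["op"] == "InboxRuleCreated":
            fwd = d.get("forward_to")
            external = bool(fwd) and not fwd.lower().endswith("@" + internal_domain)
            if external or d.get("delete"):  # classic persistence/cover-up rule
                findings.append(("remove_inbox_rule", rec["actor"], rec["target"]))
        elif rec["op"] == "UserCreated":
            findings.append(("verify_or_disable_account", rec["actor"], rec["target"]))
        elif rec["op"] == "RoleMemberAdded":
            findings.append(("revoke_role:" + d["role"], rec["actor"], rec["target"]))
    return findings

if __name__ == "__main__":
    window = (parse_time("2024-03-01T00:00:00Z"), parse_time("2024-03-01T23:59:59Z"))
    for action, actor, target in review_breach_window(AUDIT_LOG, *window, INTERNAL_DOMAIN):
        print(f"{action:28} by {actor:22} on {target}")
```

Every finding should be closed out with a ticket, since an unflagged but unreviewed change is exactly the back door the paragraph warns about.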
If your company or industry is regulated, you will probably be required to do a formal forensic procedure with certified results. If you are not regulated but want to invest to make sure the cybercriminals are not in your systems, you may want to consider this step.
Conclusion: Recover from Cyber Risks in SMBs Using the NIST Framework
No matter how much you protect yourself, you can still get hacked. It’s great to respond quickly and clean things up, but make sure that you do not celebrate and move on too soon.
Without the Recover step in the NIST process, you can never really know if you have addressed the cybersecurity incident or not. Everything may feel “back to normal” but that may very well be short-lived. After all of the angst, disruption, and business loss you had after a security breach, isn’t it well worth the effort to take the additional step and ensure your recovery is complete?
Answer these final questions before you celebrate and get back to business:
- Are you sure your IT is secure and there is no lingering threat?
- Has the breach’s damage been stopped?
- Have we located its root cause in order to fix it?
- Do you know what you don’t know?
- What insights have we gained to make our IT more resilient?
- Does some regulatory body require a compliance review of your breach to get you back to business?