When it comes to cyberattacks, it is no longer a matter of “if”, but a matter of “when”. Any business of any size is bound to experience some sort of cyber crisis at some point in its lifespan. How severe this crisis will be and the impact it will have depends entirely on the strength of your cybersecurity program. One crucial aspect of a cybersecurity program that is often missing from small businesses is a comprehensive Disaster Recovery Plan. Businesses may have Disaster Recovery Plans for other areas of risk, but cyber crises are often left out.
Like most plans, the Disaster Recovery Plan should start by defining the scope covered by the policy. Since most small businesses use a decentralized environment consisting of both on-premises and cloud platforms, the policy needs to state which platforms fall under it. In addition to specific platforms and technologies, the plan should clearly define the people to whom the policy applies. This is generally all employees who use the network and would be affected by a cyber crisis. If your organization uses a substantial number of remote workers, the plan should include them in its scope as well, since certain cyberattacks could hinder or compromise their productivity.
Next, the policy should outline the roles, responsibilities, and communication channels for responding to the incident. Earlier documentation directed you to identify your cybersecurity roles and responsibilities, as well as the communication channels in your organization. One of the roles highlighted was a designated Incident Response person. The policy should give a run-down of how the Incident Response person will communicate and work with the other roles to quickly recover affected assets. The burden is not going to fall on the IR role alone; all roles will need to work together to recover assets from a disaster. For example, the IR person may need to work with the Data Owner to identify the specific data compromised during a breach, or sit down with individuals in each department to get their computers functioning again after a network outage. The policy should clearly delineate how everybody should contact each other during the disaster recovery process, including the appropriate channels. In addition to employees, the policy should include a process for contacting external stakeholders if they are involved in the crisis in some way.
The policy should then include a detailed breakdown of the critical assets that power the organization's digital infrastructure. These should have been identified in the Business Impact Analysis (BIA) and Dependency Mapping tasks. The DRP should include a description of each critical asset and the role it plays for the organization, and the assets should be ranked according to their priority in the recovery process. Doing this will help staff quickly identify and prioritize specific assets when a crisis occurs, instead of scrambling around with no idea what to restore first.
After critical assets, the DRP should list the top cyber threats and risks the organization faces, as identified in the Risk Assessment from Stage 1. The most critical threats and risks will differ for each business, based on factors such as industry, technology surface, and location. By identifying those specifics in the Risk Assessment, you gain an understanding of what types of cyber incidents to expect and can plan how to respond to each of them specifically.
At this point, you should also have a strategy for Backup and Restore operations. You should ensure that you have a combination of on-premises and cloud backups for flexibility and fault tolerance. Different incidents may require different restore options. For example, a hard drive failure in an employee workstation would likely require restoration operations from an on-site file server, while a breach of a cloud database would need restoration from a cloud storage location. This section of the policy should give clear descriptions of where backups are located, as well as specific guidelines for accessing and restoring each of them.
The next section ties in with the Incident Response Plan created earlier. The documentation on Incident Response directed you to create both a general IR plan and individual playbooks for responding to specific incidents. This section of the DRP should be similar, outlining both a general plan of best practices for recovering from any disaster and more specific instructions for recovering from particular incidents. A good practice is to have a comprehensive recovery plan for each of the top threats and risks identified in the Risk Assessment. There is always a chance that you will experience a crisis not caused by any of the threats identified previously, which is why it is important to have a solid general plan to build from. General, threat-neutral recovery tasks include verifying system and network integrity, reimaging devices, running malware scans, validating restore operations, and creating incident reports.
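The backup section above asks for clear guidelines for restoring each backup, and the general recovery tasks include validating restore operations. The following added example (not from the original article) shows one way to make that validation concrete: a manifest of file hashes is recorded when the backup is taken, and a restored tree is checked against it so that missing, unexpected, and altered files are reported before the restore is declared complete. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
from pathlib import Path
import tempfile


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under root.

    Run this when the backup is taken and store the result alongside it."""
    return {str(p.relative_to(root)): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def validate_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the discrepancies the recovery run-book should record; an empty
    result in every category means the restore can be signed off."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "unexpected": sorted(set(restored) - set(manifest)),
        "corrupted": sorted(p for p in manifest
                            if p in restored and restored[p] != manifest[p]),
    }


def demo() -> dict:
    """Constructed scenario: back up two files, then 'restore' a tree where one
    file is altered, one is missing, and a stray file was left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "policy.txt").write_text("disaster recovery plan v1\n")
        (src / "config.ini").write_text("[backup]\nlocation=on_site\n")
        manifest = build_manifest(src)  # taken at backup time
        (dst / "docs").mkdir(parents=True)
        (dst / "docs" / "policy.txt").write_text("disaster recovery plan v1 (altered)\n")
        (dst / "stray.log").write_text("left over from a previous restore\n")
        return validate_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest in a separate location from the backup itself means a restore that silently lost or altered files is caught even if the backup media was what failed.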
Finally, the DRP should give clear instructions on the final steps for winding down from a crisis after the critical assets and operations have been restored. This may involve performing forensic analysis on endpoints and networks, writing and publishing statements if the crisis caused significant public or stakeholder damage, and recommending changes to the company infrastructure to avoid similar incidents. Every cyber crisis carries a lesson, and it is imperative that a business studies that lesson and learns from it. This may involve gathering the cybersecurity team and creating plans for changing specific company systems, processes, or practices.
Once the DRP is finalized, it should be shared with every individual who is in its scope. A DRP is a policy that requires frequent tailoring and practice. Its contents should be regularly discussed at meetings of the cybersecurity team, and it should be used as a guideline for simulations and tabletop exercises performed organization-wide. All employees should get to know key disaster recovery steps like the back of their hand, so that the next cyber crisis that occurs can be tackled efficiently and calmly.
