Analecta Cyber Company Blog: Improving Your Recovery Process After a Cyber Incident


Improving Your Recovery Process After a Cyber Incident

After you encounter your first cyber incident and realize within minutes that you didn’t create a recovery plan, PANIC!!!

Blame yourself for not having the foresight, time or resources to give this any pre-thought.
Curse the hackers and/or start feeling paranoid that it might have been an inside job.
Be angry at yourself, or even at that sweet person in accounting who opened the bogus email attachment that gave the attackers access to company assets and put client personal information on the dark web.
Fear telling your boss, their boss and the owner of the company.
Become anxious at the thought of the stockholders and the government regulators, to whom you now need to report this breach... the customers... the loss of revenue…

But wait, it was all a bad dream, it didn’t really happen!
Well, the breach happened, but you were ready for it. Let’s try again...

Crisis contained, now what?

After you encounter your first cyber incident and have implemented your pre-existing recovery plan, it’s important to take a step back and see what happened. 
  • Breach - check...
  • Response - check...
  • Isolation - check…
  • Recovery - check...
Now that the immediate danger is contained and you are back online, you are probably beginning to realize that you didn’t think it all the way through. This is normal and nothing to be embarrassed about. While the execution of the plan is still fresh, sit down with the Incident Response (IR) or recovery team members as well as stakeholders and figure out how to do it better next time (because more likely than not, there will be a “next” time). Or maybe you are already accumulating a small list of improvements that just seem obvious now that you’ve had an actual incident with actual repercussions.

Several of our previously discussed topics include ideas related to what to do before, during and after an incident. It’s not a bad idea to review these actionable articles to see where you can improve your security posture.
  • Creating an incident response plan: Response leads to recovery. If your response plan consists of a single task - “Respond to an incident” - you will want to revisit ways to make your response plan more effective, including preparing the depth of your response, getting input from key stakeholders and learning from a practice run.
  • Understanding your company’s network traffic flow: One of the goals in recovery is to get back to a baseline, or create a new and improved baseline if the old one wasn’t sufficient. Understanding how monitoring your network traffic improves your security posture, observing your internal network and determining your network’s cyclical patterns are just a few examples of understanding your baseline so you know when it’s way off.
  • Holding a lessons learned after recovery: This is an important step in improving your recovery process. The lessons-learned session identifies the parts of your recovery that you should keep doing as well as those that need improvement.

Key performance indicators

NIST’s Guide for Cybersecurity Event Recovery (SP 800-184) points out that recovery planning is not a one-time activity. The plans, policies and procedures should be continually improved by incorporating lessons learned. To make informed business and security decisions, you need accurate data. Key performance indicators (KPIs) should cover components of the entire recovery process. They also need to be measurable, so that you can compare incidents and see whether your improvements are working. Examples of KPIs for a single cybersecurity incident include:
  • Number of days from initial compromise to discovery (dwell time)
  • Number of days from discovery until recovery is declared “complete”
  • Efficiency of recovery actions (for example, hours from discovery to containment)
  • Number of employees and systems impacted
  • Cost of the breach recovery: revenue lost, legal/reparation fees, incident response costs
In between incidents, continue collecting information about your recovery process. Some additional things to consider are:
  • Number of recovery exercises and tests per year
  • Number of cybersecurity incidents that were not identified in the initial risk assessment
  • Number of business disruptions due to cybersecurity incidents
  • Number of recovery events that achieved your recovery objectives
Is your organization collecting enough information to figure these out? Have your IT and IR teams log their activities, with timestamps, as an incident unfolds. Those logs are the source you will use to piece the timeline and work processes back together, and the KPIs above can only be computed from milestones that were actually recorded.
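To make the data requirement concrete, here is an added example (not code from the original post or from Analecta) that derives the per-incident and between-incident KPIs listed above from timestamped incident records. The record layout, the hypothetical incident IDs (INC-2023-01 and so on), the recovery time objectives and every figure in it are constructed assumptions; the point is that each KPI maps to a field somebody had to write down during the incident, and the validation step fails loudly when one of those fields is missing or out of order.

```python
"""Derive recovery KPIs from timestamped incident records.

Added example, not code from the original post. The record layout, the
hypothetical incident IDs and all figures below are constructed assumptions.
"""
from datetime import datetime
from statistics import median

# Milestones every incident record must carry, in the order they must occur.
MILESTONES = ("compromise", "discovery", "contained", "recovered")

# Constructed sample records (hypothetical, not real incidents). Each one is
# what a minimally disciplined IR log should capture: milestone timestamps in
# ISO 8601, the systems and people touched, cost components, and the recovery
# time objective (RTO, in hours) the plan promised for that kind of incident.
INCIDENTS = [
    {"id": "INC-2023-01", "compromise": "2023-03-01T08:00:00",
     "discovery": "2023-03-13T14:30:00", "contained": "2023-03-14T09:00:00",
     "recovered": "2023-03-17T17:00:00",
     "systems_impacted": ["fs01", "ws-acct-02", "ws-acct-03"],
     "employees_impacted": 12, "in_risk_assessment": True,
     "caused_disruption": True, "rto_hours": 72,
     "costs": {"revenue_lost": 18000, "legal": 4500, "ir_services": 9000}},
    {"id": "INC-2023-02", "compromise": "2023-07-10T02:00:00",
     "discovery": "2023-07-10T06:00:00", "contained": "2023-07-10T08:00:00",
     "recovered": "2023-07-11T12:00:00",
     "systems_impacted": ["db01", "app01"],
     "employees_impacted": 40, "in_risk_assessment": False,
     "caused_disruption": True, "rto_hours": 48,
     "costs": {"revenue_lost": 5000, "legal": 0, "ir_services": 2500}},
    {"id": "INC-2023-03", "compromise": "2023-10-05T12:00:00",
     "discovery": "2023-10-06T12:00:00", "contained": "2023-10-06T13:00:00",
     "recovered": "2023-10-06T18:00:00",
     "systems_impacted": ["ws-hr-01"],
     "employees_impacted": 1, "in_risk_assessment": True,
     "caused_disruption": False, "rto_hours": 24,
     "costs": {"revenue_lost": 0, "legal": 0, "ir_services": 800}},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def validate(inc: dict) -> None:
    """Reject a record that cannot support the KPIs.

    A missing or out-of-order milestone usually means nobody logged it while
    the incident was running, which is exactly the gap to close.
    """
    missing = [m for m in MILESTONES if m not in inc]
    if missing:
        raise ValueError(f"{inc.get('id', '?')}: missing milestones {missing}")
    times = [_ts(inc[m]) for m in MILESTONES]
    for earlier, later, name in zip(times, times[1:], MILESTONES[1:]):
        if later < earlier:
            raise ValueError(f"{inc['id']}: {name} precedes the prior milestone")


def hours_between(inc: dict, start: str, end: str) -> float:
    return (_ts(inc[end]) - _ts(inc[start])).total_seconds() / 3600


def incident_kpis(inc: dict) -> dict:
    """The per-incident KPIs: dwell time, containment, recovery, impact, cost."""
    validate(inc)
    recovery_hours = hours_between(inc, "discovery", "recovered")
    return {
        "id": inc["id"],
        "days_to_discovery": round(hours_between(inc, "compromise", "discovery") / 24, 2),
        "hours_to_contain": round(hours_between(inc, "discovery", "contained"), 2),
        "days_to_recovery": round(recovery_hours / 24, 2),
        "met_rto": recovery_hours <= inc["rto_hours"],
        "systems_impacted": len(inc["systems_impacted"]),
        "employees_impacted": inc["employees_impacted"],
        "total_cost": sum(inc["costs"].values()),
    }


def program_kpis(incidents: list, exercises_per_year: int) -> dict:
    """The between-incident KPIs, computed across every recorded incident."""
    per = [incident_kpis(i) for i in incidents]
    met = sum(1 for k in per if k["met_rto"])
    return {
        "incidents": len(per),
        "recovery_exercises_per_year": exercises_per_year,
        "not_in_risk_assessment": sum(1 for i in incidents if not i["in_risk_assessment"]),
        "business_disruptions": sum(1 for i in incidents if i["caused_disruption"]),
        "recovery_objective_met": met,
        "recovery_objective_rate": round(met / len(per), 2) if per else 0.0,
        "median_days_to_discovery": median([k["days_to_discovery"] for k in per]),
        "total_cost": sum(k["total_cost"] for k in per),
    }


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(incident_kpis(inc))
    print(program_kpis(INCIDENTS, exercises_per_year=2))
```

The RTO comparison is the one that tends to embarrass people: in the constructed first record, recovery took just over four days against a promised 72 hours, and that only shows up as a number because the discovery and recovery timestamps were written down. Feed the script the same record shape from your own ticketing or IR log export and the validation errors tell you which milestones your team is not capturing.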

Also, KPIs are often common among similar businesses or members of the same information sharing and analysis organization (ISAO). Data pertaining to common KPIs can be shared to better protect the industry as a whole. Being a member of one of these groups will also give you valuable insight into other companies’ security tools, tricks, resources, threats and solutions.

Business protection opportunities

While you are taking the time to review recovery processes, this is also a great opportunity for you to incorporate additional methods of protecting your business and streamlining your recovery process. Consider some of the following areas to see if these tweaks can further hone your best practices and security processes:
  • Shift resources. Did you wait too long to bring out the heavy guns - the heftier or more expensive incident-response resources? Can you reduce any of your KPIs by shifting where in the recovery timeline you activate a particular resource? 
  • Penny-wise, pound foolish. Did you consider delaying these incident-response resources until they were "really needed" to save money? What did those extra days cost the company in terms of the breach not being isolated? How many hours was your sales site offline? Can you put a dollar figure on that? 
  • Change your KPIs. Are you measuring the right things? KPIs should align well with the business needs and have a big “So what?” value to your stakeholders. Keep them involved when adjusting KPIs.
  • Reassign tasks. Some folks are just naturally better at certain tasks. Maybe the right people are assigned to the wrong tasks. The process may run more smoothly with some reassignments. At the same time, challenging a team member to rise to the occasion can be a great learning tool. Just make sure they have a safety net for questions that will inevitably arise.
  • Strive for optimal communication. Streamline incident communication but don’t restrict it. Either too little or too much back-and-forth among team members can reduce performance and, ultimately, response time. Seek the right blend. Stovepiping, where all information must flow to one central authority for decisions, can severely restrict team performance. Empower team members to make decisions and take initiative at their level, and then report back through their chain of command.

Keep moving forward

We encourage you to find ways to improve your security posture, as well as identify new or more efficient ways of dealing with steps in the recovery process. When you think you have all the bases covered, bring in some experts to augment your recovery exercises and planning.

Analecta team members would be glad to help you out with a fresh perspective on your recovery plan or even a “That’s great that you considered that. Did you also consider this?” If you are not quite at that point and need help getting started or taking the next step, we can help with that as well. Send us an email at or visit our Cybersecurity website. We want to help businesses like yours succeed.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.

Further Resources
