Analecta Cyber Company Blog: A Full Program Perspective on Developing Your Recovery Plan


A Full Program Perspective on Developing Your Recovery Plan

Recovery plan prioritizing fixes - Analecta LLC Graphic Developing your recovery plan - Analecta LLC Banner When a cyber incident strikes your company’s information systems, critical business functions become jeopardized. Depending on your services, clients or customers, losses can be suffered by the hour. The longer it takes to get back on track, the more devastating it can be to the organization.


Differentiating disaster recovery from security recovery 

Does it make sense to merge your company’s disaster recovery plan with your IT security recovery plan? If you take a look at how these two plans are carried out, and the motives for each, you’ll see what makes the difference. Let’s examine both.

A disaster recovery plan would be in response to a company-wide catastrophic event, such as a fire or flood damage. The characteristics of this type of incident include:
  • An implementation of immediate recovery actions
  • An immediate prioritization of business continuity
  • A concerted effort to get everyone involved and back to “business as usual”
  • A main objective of getting systems and operations back online

A security recovery plan revolves around infrastructure protection. A cyber attack may be  limited to only a few machines in a single department, or it can wreak havoc on your entire network. Based on the severity of the threat, cybersecurity experts investigate what flaws to address and explore preventative measures. Specific objectives of the plan include:
  • A prioritization of IT infrastructure defense
  • An after-incident coordinated collection and preservation of evidence
  • Determination of the event root causes
  • Identification of similar indicators of compromise elsewhere on the system
  • Continuous revision, review and update of the incident response plan as new threats are dynamically evolving
A recovery plan has implications to stop an active attack, learn from past mistakes and take corrective actions for potential future events.

Security recovery plans are a vital “must-have” for every business

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a comprehensive guide in responding to a cyber event, protecting key assets against cyber intrusion and developing recovery plans following an incident. With a recovery plan in place, your organization can mitigate the risk of incurring irreversible damage. This builds a stronger posture from new strains of attack that would further compromise vital components of business activity. 

Small and medium-sized businesses (SMBs) are an easy target for hackers. More often, these businesses invest less resources on IT security, thinking that hackers are only interested in large-scale corporate businesses. Cybercriminals are motivated to make a quick buck, regardless of how small an enterprise is.

The 2016 U.S. Security and Exchange Commission’s cybersecurity review states that “60% of small firms go out of business within six months of a data breach.”  No one is immune to a cyber attack, but you can create a deterrent against these threats by putting more emphasis on cybersecurity.

Deciding what can wait

It is not possible to ever stop ALL attacks nor build an impenetrable shield. It’s about failing well. It’s a hard concept to understand, but the idea is “as we’re failing, we know we’re failing and can choose how badly we fail.”

Think of it this way: You have a home emergency fund of X dollars. Your dishwasher breaks, your car’s AC is out and you have a plumbing leak. Now you get to prioritize how you spend X dollars with the knowledge that some things may not get repaired immediately. You also will have the knowledge of how long it will be before you have more money available for the emergency fund, and at a later time, you will re-prioritize how that money gets spent.

Recovery plan prioritizing fixes - Analecta LLC Graphic
A recovery plan is prioritizing the fixes, understanding what you need immediately and deciding what can wait.


Six key elements of a speedy recovery

Recovering from a breach is not an easy task, but with proper steps and procedures to follow, it can execute smoothly. Here are several guiding points to get your company on the road to recovery:

1. Cyber event recovery planning – preparing for a breach
  • Start your recovery plan by making an asset inventory.
  • Create a set of rules and procedures in responding to events.
  • Assign key personnel to specific roles and responsibilities.
  • Develop a recovery plan that defines priorities, objectives and processes to enable open communication in coordinating with the team performing restoration in a timely manner.
  • Re-adjust your detection platform and incident response plan to continue implementing recovery activities while ensuring quick response for new threats.

2. Stopping the attack – containing the breach
  • An unnoticed breach poses inconceivable risks to your data storage archive.
  • Recognize that a breach is occurring.
  • Early detection makes a huge difference in recovery.
  • Early warning systems allow rapid response implementation to contain the breach promptly.
  • Inhibit links between layered networks to limit the damage.

3. Identifying what caused the attack
  • Part of recovery process is knowing what could have been done to avoid the intrusive activity.
  • Examine entry points that cause vulnerability and fix or alleviate them.
  • Review lessons learned to apply concrete changes in improving mitigation in cybersecurity capabilities.

4. Continuous improvement
  • Security competencies are meant to be improved continuously as you obtain skills, knowledge and resources after a troublesome incident.
  • Learn from past mistakes.
  • Employ initiatives that focus on employee enhancement trainings. As a frontline defense, they carry out the responsibilities in maintaining security standards.
  • The best defense doesn’t need to be costly.

5. Recovery metrics 

Recovery metrics are assessing criteria that correspond to implementing efforts within the recovery period. It helps build guiding principles during a cyber incident hiatus. Here are some Key Performance Indicators (KPIs) that can be associated with recovery:
  • Number of days before discovery was made?
  • Number of days before recovery is “complete?”
  • Efficiency in recovery actions?
  • Number of employees impacted?
  • Number of systems impacted?
  • Total cost of the breach recovery?

6. Getting ready for next time

After dealing with tremendous pressure on your incident response and recovery processes, it would be advantageous to re-invent stiffer security policies. Restoring the integral assets anew requires testing and multiple dry runs to effectively evaluate the improvements made.

The new version of your security infrastructure and plan is now able to better address future incidents.

At a loss for what to do or where to start?  

Do you think you need someone helping you out on system recovery processes? Do you need assistance in developing your recovery plan? Our team of cyber experts is willing to impart skills and expertise in maintaining robust support. Email us at or visit our website.

Further Resources

1 comment :