Properly developing and implementing recovery plans, processes, and procedures will help organizations fully restore a system weakened during a cybersecurity event, the National Institute of Standards and Technology (NIST) explained in a recent guide.
NIST recently released the Guide for Cybersecurity Event Recovery to help entities develop and implement a recovery plan should they become the victim of a cybersecurity attack.
“It’s no longer if you are going to have a cybersecurity event, it is when,” explained computer scientist Murugiah Souppaya, who is also one of the guide’s authors. “To be successful, each organization needs to develop its own plan and playbooks in advance. Then they should run the plays with tabletop exercises, work within their team to understand its level of preparation and repeat.”
Organizations’ risk management processes need to include comprehensive recovery planning, the guide’s authors explained. Cybersecurity attacks are happening more often, and entities across sectors need to understand how they can make a proper recovery.
“There has been widespread recognition that some of these cybersecurity (cyber) events cannot be stopped and solely focusing on preventing cyber events from occurring is a flawed approach,” the executive summary reads. “Organizations should improve their prevention capabilities with modern technology and tools while augmenting their cyber event detection and response capabilities.”
It is also important for organizations to take lessons learned from past events, including those of other organizations, to help form stronger cybersecurity recovery measures.
“Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios,” NIST wrote. “This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents.”
NIST also recommended that organizations identify and document the key personnel who will be responsible for defining recovery criteria and associated plans. These individuals should also fully understand their roles and responsibilities.
Proper documentation will also be key, according to NIST. For example, entities should have a list of people, process, and technology assets that help the organization maintain daily operations.
Other key recommendations for preparing before a cybersecurity incident takes place included the following:
- Develop, implement, and practice the defined recovery processes
- Define key milestones for meeting intermediate recovery goals and terminating active recovery efforts
- Adjust detection and response policies, processes, and procedures, ensuring recovery does not hinder effective response
- Fully integrate a communications plan into recovery policies, plans, processes, and procedures.
NIST also explained that organizations need to “validate recovery capabilities using a variety of techniques, including asking personnel for feedback on recovery plans, policies, and procedures, and periodically conducting exercises and tests that address real-world recovery.”
Finally, the guide provided an example of a data breach cybersecurity event and how an entity could recover, as well as a ransomware event recovery scenario.
Disaster recovery planning is especially critical in healthcare cybersecurity. An Office of Inspector General (OIG) report released earlier this year found that the majority of hospitals consider EHR security matters as they implement contingency planning.
Respondents also said that their planning addressed having a data backup plan, having a disaster recovery plan, having an emergency-mode operations plan, and having testing and revision procedures.
Specifically, 83 percent of surveyed hospitals said that they have a data backup plan, while 73 percent said they have testing and revision procedures in place. Almost all respondents (95 percent) said they have a disaster recovery plan, and 95 percent added that they have an emergency-mode operations plan.
“Unplanned disruptions result from natural disasters, power outages, technical malfunctions, or malicious actions, among other events,” OIG wrote. “Contingency plans specify processes to recover EHR systems and access backup copies of EHR data in the event of a disruption. They also outline processes to minimize EHR disruptions and ensure the continuity of care when disruptions occur.”