A curious article from February 1’s issue of the Borneo Post shone a light on the gap between expectation and reality when it comes to cyber recovery.
Professional services provider KPMG surveyed Asia-Pacific organisations and found almost three quarters (73%) of CISOs did not have the influence to protect their companies fully. Moreover, while progress has been made on prevention and response programmes, businesses are still underestimating impacts on operations and recovery times.
“Too many organisations wrongly assume that recovery will require several weeks to return to business as usual, when the reality is that it may take several months or more,” commented Ubaid Mustafa Qadiri, head of technology risk and cyber security at KPMG Malaysia.
There are, per the definition from SANS, six phases of a cyber incident response plan: preparation, identification, containment, eradication, recovery, and lessons learned. For affected companies, however, it can often be panic stations as laptops are locked and files encrypted.
Enter the KPMG cyber incident response and recovery services. Runita Virdee is director of KPMG’s technology advisory practice. Alongside helping clients with technology and digital transformations, Virdee leads KPMG’s UK cyber recovery practice. Given the overlap with certain infrastructure projects, such as disaster recovery and business continuity, it makes sense that the two areas are linked.
If an attack occurs, the incident response team begins with a forensic analysis of the event. This ranges from understanding where the threat originated, to assessing and recovering the technology that has been infected.
“We are seeing increasingly complex cyber-attacks launched by malicious threat actors who are constantly evolving and looking to outpace our tools and techniques to deliver maximum damage. We’re fortunate enough to have the size and scale and a broad range of organisational capabilities to respond appropriately – from networking specialists, identity experts and crisis management personnel to support the arduous recovery process.”
Organisations today are, of course, critically reliant on complex interconnected and interdependent systems. Regulations are increasingly strict, and public expectation of transparency is high. Depending on circumstances, organisations may have to notify regulators within 72 hours of becoming aware. Co-operating, as appropriate, with the Information Commissioner as you recover is key.
“With that in mind, two questions that need very coherent answers are: what is the core infrastructure that needs to be brought back online, and in which order of priority?” explains Virdee. “Organisations will often have to balance the need to continue the most business-critical operations – despite the absence of IT – and recovering and rebuilding impacted networks. Regular contact with the client is imperative; several times a day at peak times.”
“We mobilise teams of specialists at different sites, working alongside the client teams on the ground to start recovering,” notes Virdee. “Activities could range from rebuilding 1000s of laptops and physical devices, or as complex as re-architecting and rebuilding the core network and infrastructure from the ground up, embedding security and tight controls to minimise the risk of re-entry.”
Containment of ransomware across a large corporate estate can be incredibly challenging, as is understanding how to restrict and control access to only authorised personnel.
“Recovery times naturally depend on the size of the organisation. For a small company with limited infrastructure and hardware, and a proactive approach to backups, some recoveries can happen within five days. At the other end of the scale, however – think a global-sized firm with multi-million revenues and sites in remote parts of the world,” notes Virdee. “The longest recovery was 18 months, which included recovery and improving their technology estate.”
Education has always been an important part of the cybersecurity puzzle. Employees are frequently a primary access point. KPMG regularly sends out phishing test emails to keep folk on their toes. In some cases, it starts with the IT department. “A lot of organisations really don’t have IT teams that are scaled,” notes Virdee. “And that’s a challenge that we often see. The most successful recoveries have been a whole company effort, aided by invaluable support and input from a wide range of partners and vendors.”
Ultimately, the need for cyber response is one that will not go away. Prevention is important – but equally important is a robust cyber recovery plan with a clear set of response activities and identified owners. The European Central Bank is one recent example of a high-profile organisation looking to test resilience after a sharp rise in cyberattacks.
“No organisation can ever be 100% secure but focusing on standards, a robust resilience strategy, accountability at the right levels and fostering a security-focused culture will, in the long term, prove to be a powerful net benefit for any organisation,” says Virdee.
Note: A previous draft of this article was published in error.