Why a disaster recovery plan alone can’t help you recover from a cyber attack

IT Governance: What does your organisation have in place for when a disaster strikes?

Organisation: Well, we have a disaster recovery plan which we created about 18 months ago. It’s quite robust and will be enough to help us recover, although we hope we will never have to put it into effect.

IT Governance: Well done. So if someone were to hack into one of your organisation’s PCs, leaving behind a Trojan with a key logger that enables them to steal the organisation’s bank account information – would your disaster recovery plan be able to guide you along the route of recovery?

Organisation: Well, no. Our disaster recovery plan only covers disasters such as power failures, floods, etc.

IT Governance: Your disaster recovery plan doesn’t sound as robust as you first thought. What you should be looking at is called cyber resilience.

Are cyber attacks really disasters?

Over the last several years the definition of ‘a disaster’ has evolved. Disaster should no longer be associated only with natural disasters or other physical events; it is time that cyber attacks were taken into account in the company’s overall business resilience strategy.

A hacker should no longer be seen as an individual operating from his parents’ basement, because that is no longer the reality. In fact, the reality is that hackers act in professional groups, working 9-to-5 hours and operating from offices where they can get together and steal valuable data over the internet.

As technology evolves to make lifestyles more accessible and seamless, it also evolves in the opposite direction. Your new phone has contactless payment functionality? That’s hackable. Your fridge can now use Twitter? That’s hackable. Even your toilet with automatic flush capability? That’s hackable. The best way to see it is that anything with an internet connection is hackable, which makes cyber attacks a much more attractive method for criminals.

Too small to be noticed

It is not widely known that most hackers don’t target organisations by their size, net worth or popularity. In fact, they target them using automated software that scans the internet for vulnerabilities. This means that you could be the smallest business with the lowest income in the country, yet you will still be a hot target if your website is vulnerable.

It’s true that you only hear about the breaches at large organisations such as Target and Staysure, but that is only because of the number of people they affect. Would you expect your local corner shop to be on the national news because it had 50 sets of credit card details stolen?

Cyber Resilience

Cyber resilience is defined as “the ability to repel cyber attacks while protecting critical business assets, rapidly adapting and responding to business disruptions and maintaining continuous business operations”.

This definition shows that cyber resilience combines effective cyber security with robust business continuity. Internationally recognised standards such as ISO 27001 and ISO 22301 go hand in hand: the first for preparing your organisation against cyber attacks, the second for when your defences fail and you have a crisis on your hands.

You can learn more about cyber resilience in Alan Calder’s upcoming webinar, Cyber resilience: the new normal. This webinar will be hosted on Wednesday, Feb 12, 2014, 3:00 PM – 4:00 PM GMT.