A curious article from February 1’s issue of the Borneo Post shone a light on the gap between expectation and reality when it comes to cyber recovery.
Professional services provider KPMG surveyed Asia-Pacific organisations and found almost three quarters (73%) of CISOs did not have the influence to protect their companies fully. Moreover, while progress has been made on prevention and response programmes, businesses are still underestimating impacts on operations and recovery times.
“Too many organisations wrongly assume that recovery will require several weeks to return to business as usual, when the reality is that it may take several months or more,” commented Ubaid Mustafa Qadiri, head of technology risk and cyber security at KPMG Malaysia.
There are, per the SANS definition, six phases of a cyber incident response plan: preparation, identification, containment, eradication, recovery, and lessons learned. Recovery, the fifth of those, is the phase this article is concerned with. For affected companies, however, the reality is often panic stations as laptops are locked and files encrypted.
Enter the KPMG cyber defence and incident response services. Runita Virdee is director of KPMG’s technology transformation practice. Alongside helping clients with the tech side, from migration to landing zones, Virdee leads KPMG’s UK cyber recovery practice. Given that infrastructure work already covers disaster recovery and business continuity, it makes sense that the two areas are linked.
If an attack occurs, the incident response team begins with forensic analysis of the event: how the threat actor got in, where the threat came from, and which devices have been infected, potentially alongside negotiations with the attacker. The next day, Virdee gets the call to go ahead with recovery.
“The first thing I do is send teams or get myself to understand what type of technology they’ve got,” says Virdee. “Then [the teams] need to understand how the network’s set up. Is it a segregated network, is it a flat network? That helps us understand the picture a little bit.”
Once the technology assessment is complete across all sites (what the client has, and what is down), a recovery plan can be formulated. Two questions need answering: which core infrastructure needs to be brought back up, and in what order of priority? Regular contact with the client is imperative, several times a day at peak times.
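The prioritisation question above can be made concrete by treating the site assessment as a dependency graph: each system is either up or down, and each lists the services it needs before it can be rebuilt (a file server is no use until identity and DNS are back, for instance). The block below is an added worked example written for this page, not KPMG's tooling or anything described by Virdee; the inventory, its tiers and its dependencies are constructed and hypothetical. It groups the down systems into waves that teams at different sites can work in parallel, and refuses to schedule a plan whose dependencies form a cycle.

```python
"""Recovery sequencing for an incident: from an inventory of systems, what each
depends on, and which are currently down, work out the order in which to bring
infrastructure back so nothing is rebuilt before the services it needs.

Added worked example; the inventory below is constructed and hypothetical, not
taken from any KPMG engagement or from the article.
"""

# Constructed sample inventory. tier: 0 = core infrastructure, 1 = business
# applications, 2 = end-user estate. deps: systems that must be working first.
INVENTORY = {
    "core-switching": {"tier": 0, "deps": [], "down": True},
    "backup-server":  {"tier": 0, "deps": [], "down": False},   # isolated, survived
    "identity-ad":    {"tier": 0, "deps": ["core-switching"], "down": True},
    "dns-dhcp":       {"tier": 0, "deps": ["core-switching", "identity-ad"], "down": True},
    "file-server":    {"tier": 1, "deps": ["identity-ad", "dns-dhcp"], "down": True},
    "email":          {"tier": 1, "deps": ["identity-ad", "dns-dhcp"], "down": True},
    "erp":            {"tier": 1, "deps": ["identity-ad", "dns-dhcp", "file-server"], "down": True},
    "laptops-site-a": {"tier": 2, "deps": ["identity-ad", "dns-dhcp"], "down": True},
    "hr-portal":      {"tier": 2, "deps": ["identity-ad", "erp"], "down": True},
}


def validate(inventory):
    """Every dependency must be a known system; an unknown name usually means
    the site assessment missed something."""
    for name, item in inventory.items():
        for dep in item["deps"]:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unknown system {dep!r}")


def recovery_waves(inventory):
    """Group the down systems into waves. Each wave contains every down system
    whose dependencies are all already available (never down, or restored in an
    earlier wave), so everything in one wave can be worked in parallel by
    different teams. Within a wave, the lowest tier (most critical) goes first."""
    validate(inventory)
    available = {n for n, item in inventory.items() if not item["down"]}
    pending = {n for n, item in inventory.items() if item["down"]}
    waves = []
    while pending:
        ready = [n for n in pending
                 if all(d in available for d in inventory[n]["deps"])]
        if not ready:
            # Nothing left can proceed: the down systems depend on each other
            # in a cycle, so the plan cannot be sequenced as written.
            raise ValueError(f"cannot schedule, stuck on: {sorted(pending)}")
        ready.sort(key=lambda n: (inventory[n]["tier"], n))
        waves.append(ready)
        available.update(ready)
        pending.difference_update(ready)
    return waves


def flat_order(inventory):
    """Single priority list, for a team that can only work one system at a time."""
    return [n for wave in recovery_waves(inventory) for n in wave]


if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(INVENTORY), start=1):
        print(f"wave {i}: {', '.join(wave)}")
```

On the constructed inventory this yields six waves: core switching first, then Active Directory, then DNS/DHCP, then email, the file server and the site A laptops together, then ERP, then the HR portal. The real value in practice is the `validate` step and the cycle check: both surface gaps in the site assessment before anyone starts rebuilding in the wrong order.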
“We’ll have teams of individuals at different sites, working alongside the client teams on the ground to start recovering,” notes Virdee. “It might be [for example] the network where we fly in a specialist, or it might be rebuilding laptops, physical devices.”
Recovery times naturally depend on the size of the organisation. For a small company with limited infrastructure and hardware, and a proactive approach to backups, some recoveries can happen within five days. At the other end of the scale however – think a global-sized firm with multi-million revenues and sites in remote parts of the world – Virdee has noted the longest recovery at 18 months.
Education has always been an important part of the cybersecurity puzzle. Employees are frequently the attacker’s initial access point, so KPMG regularly sends out phishing test emails to keep folk on their toes. In some cases, the gap starts with the IT department itself. “A lot of organisations really don’t have IT teams that are scaled,” notes Virdee. “They would have a team of five or six, or one or two individuals that know their estate really well. Then when an attack comes, it’s that one person that would have to [sort it] and it’s quite hard on them.”
Ultimately, the need for cyber response is one that will not go away. The European Central Bank is one recent example of a high-profile organisation looking to test resilience after a sharp rise in cyberattacks. Prevention is always better than cure, but sometimes, with intelligent threat actors lurking and complex supply chains in large organisations, you need the cure.
“Nobody is 100% safe, but having the best practices and investing in your cyber resilience is the highest thing I can recommend,” adds Virdee. “When things go downhill, they will cost a lot more [for] recovery. Don’t pinch pennies on your cyber resilience, because you’ll end up paying more in the long run.”