Disaster recovery and business continuity (DR/BC) planning is essential for business longevity in a milieu of threats. DR/BC plans are a must not only for risk mitigation; they are also often required to meet regulatory requirements and cyberinsurance coverage terms. If we explore the history of DR/BC as a discipline, we see that it evolved along with both the technological landscape of the day and the threats organizations were most likely to face. Yet, more recently, DR/BC practices have stalled in their evolution: most plans no longer meet their intended purpose of risk mitigation, because they do not address the real risk environment as it has changed. To be relevant and protect the business, DR/BC plans must address the most pressing risk organizational data faces today: threat actor-caused mass destruction events.

Let’s take a brief look at the history of DR/BC evolution and then explore why these practices today are failing to evolve to the true threat environment of the 2020s.

The 1970s: Disaster recovery

In the late 1970s, businesses began moving en masse to integrated single information management systems (mainframes). It quickly became clear these technologies provided a single point of failure for employee data access as well as for the company itself, which was trusting all of its corporate information to one piece of hardware. The primary concerns then were hardware failure and natural disaster: fire, flood, hurricane, etc. Early disaster recovery initiatives were largely driven by the financial services sector, with a focus on building redundancy to ensure data survival, versus preventing catastrophe.

The 1980s and 1990s: Business continuity enters the scene

As computing expanded dramatically to interconnected PCs and more complex infrastructure and data sharing, it became clear that a simple focus on reactive catastrophe planning for the data center was insufficient. Greater focus on preventing issues and continuing operations in the face of adverse events was essential. Importantly, regulations were also being introduced, adding impetus for continuity plan development. Many of these plans expanded their scope beyond natural disasters to include human error, terrorism, malicious sabotage, and cybersecurity concerns (as one consideration in the mix). This lower-level emphasis on cyberattacks makes sense: cyberthreats were not clocking in at the high volumes we are seeing today.

2000s to today: DR/BC neglects the high risk of threat actor-caused mass destruction events

In our assessments of organizations across industries, we see that DR/BC plans are still typically calibrated to safeguard businesses against the threats of earlier eras, such as natural disasters and hardware failure. However, mass destruction-level cyberattacks that result in the complete deletion of all data copies have not only been steadily increasing; the past two years have shown a dramatic acceleration of these attacks. A Malwarebytes study released last year indicated that there have been 48 separate ransomware groups attacking the United States, five of which recorded more than 100 attacks. Another study conducted last year showed that 66 percent of organizations surveyed suffered a ransomware attack within the preceding year, and a separate report indicated that 25 percent of ransomware victim organizations were forced to close their doors. Further, in our ransomware restoration business, our own data shows that 80 percent of critical systems do not survive an attack; of the 20 percent that do, only 50 percent will be usable within a realistic timeframe. Even when a ransom is paid, only 68 percent of the data will survive the decryption process. Ransomware actors almost always target backups as a fundamental key to their success, so any planning must focus on these critical security controls. While it is often true that processes are slow to change, the threat landscape is not. It is time for DR/BC plans, processes, and tabletop exercises to change, and they must change with mass destruction events in mind. When an organization carefully plans for recoverability from cybersecurity events, it automatically builds in resilience for all other types of DR/BC issues.

Backups are key to recoverability

Backups are one of an organization’s most important security controls. Breaches always end with data exfiltration, backup/mass destruction, or both. To ensure that a true DR/BC plan has evolved to today’s threat climate, organizations must first assume it is impossible to prevent all breaches and focus on secure, redundant, and recoverable backups. It’s essential to ensure you can recover without resorting to paying ransoms (because even ransom payments don’t guarantee recovery). Prioritizing stringent controls within, around, and on access to your backups, taking great care that these safeguards are well-orchestrated, secure, resilient, and complete, protects against the risk of total loss. Backups must also be “immutable”: incapable of being changed, deleted, or moved outside of set retention policies or strict access procedures. Tabletop exercises–the testing of the DR/BC and incident response plans against numerous real-life scenarios–must also include ransomware and other breach events. They should rigorously test restoration scenarios with backups and backup copies, and assume that the threat actor may gain control of many internal controls, to determine whether your data will be safe and/or recoverable in the face of a determined threat actor.
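The two requirements above, retention-locked (immutable) backup copies and a tabletop drill that assumes the threat actor holds privileged backup credentials, can be exercised together in a small model. The following is an added example and not code from the article or its authors: BackupStore, run_restore_drill and the sample backup names are hypothetical, and the sample payloads are constructed. A retention of zero days models an ordinary mutable repository; a positive retention models compliance-style object lock, where no caller, however privileged, can overwrite or delete a copy before its retention date. The drill attempts a mass deletion with a privileged session, then restores every surviving copy and verifies it against the hash recorded at backup time.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ImmutabilityError(PermissionError):
    """Raised when a request would alter or remove a backup inside its retention window."""


class IntegrityError(ValueError):
    """Raised when a restored copy does not match the hash recorded at backup time."""


@dataclass(frozen=True)
class BackupObject:
    name: str
    payload: bytes
    sha256: str
    retain_until: datetime


@dataclass
class BackupStore:
    """Hypothetical backup repository (assumption: not a real product API).
    retention == 0 behaves like a plain mutable store; retention > 0 behaves
    like compliance-mode object lock."""
    retention: timedelta
    objects: dict = field(default_factory=dict)

    def write(self, name: str, payload: bytes, now: datetime) -> BackupObject:
        # Overwriting a locked copy is refused; a new version gets a new name.
        if name in self.objects and now < self.objects[name].retain_until:
            raise ImmutabilityError(f"{name} is retention-locked; write a new version instead")
        obj = BackupObject(name, payload, hashlib.sha256(payload).hexdigest(), now + self.retention)
        self.objects[name] = obj
        return obj

    def delete(self, name: str, now: datetime, privileged: bool = False) -> None:
        obj = self.objects[name]
        # The privileged flag is deliberately ignored inside the window: that is
        # what immutability means. Retention expiry is the only path to deletion.
        if now < obj.retain_until:
            raise ImmutabilityError(f"{name} is retention-locked until {obj.retain_until.isoformat()}")
        del self.objects[name]

    def restore(self, name: str) -> bytes:
        obj = self.objects[name]
        if hashlib.sha256(obj.payload).hexdigest() != obj.sha256:
            raise IntegrityError(f"{name} failed hash verification")
        return obj.payload


# Constructed sample backup sets standing in for real nightly dumps.
SAMPLE_BACKUPS = {
    "db-2024-07-01.dump": b"CREATE TABLE customers (...);",
    "db-2024-07-02.dump": b"CREATE TABLE customers (...); INSERT ...",
    "files-2024-07-02.tar": b"\x1f\x8b\x08\x00 constructed tar payload",
}


def run_restore_drill(retention_days: int) -> dict:
    """Tabletop-style restore drill: take backups, assume the threat actor has
    obtained a privileged backup-admin session and attempts to wipe every copy,
    then restore and hash-verify every surviving copy."""
    t0 = datetime(2024, 7, 1, tzinfo=timezone.utc)
    store = BackupStore(retention=timedelta(days=retention_days))
    for name, payload in SAMPLE_BACKUPS.items():
        store.write(name, payload, now=t0)

    attack_time = t0 + timedelta(days=3)  # inside a 30-day window, past a 0-day one
    blocked = 0
    for name in list(store.objects):
        try:
            store.delete(name, now=attack_time, privileged=True)
        except ImmutabilityError:
            blocked += 1

    verified = {name: store.restore(name) == SAMPLE_BACKUPS[name] for name in list(store.objects)}
    return {
        "deletions_blocked": blocked,
        "copies_surviving": len(store.objects),
        "all_restores_verified": bool(verified) and all(verified.values()),
    }


if __name__ == "__main__":
    print("mutable store  :", run_restore_drill(retention_days=0))
    print("immutable store:", run_restore_drill(retention_days=30))
```

The drill's pass criterion is not that deletion was attempted and logged, but that every copy survived and restored byte-for-byte; a store that lets a privileged session delete inside the retention window fails the drill exactly as the mutable configuration does here. In a real exercise the same shape applies: the restore is performed from the immutable copy, timed, and checked against recorded hashes rather than assumed to work.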