The final step of making your business more cybersecure is the recovery efforts that follow response to a cyber incident. Like the response step, recovery requires planning. The goal of recovery is to move from the immediate aftermath of a cyber incident to full restoration of normal systems and operations and the ongoing efforts at mitigation and continuous improvement over time.
Some examples of how recovery might work:
- You had a ransomware infection. You discover the cause was the system running an older, unpatched version of an operating system and you bring that system up to date in response and get the system working again. During the recovery step you would implement more defined procedures for ensuring that all systems are updated in a timely fashion and tracking the current software state in each critical system.
- Your system was compromised and customer data was lost when an employee lost their password. You respond to your customers following any state laws and with the advice of communications and legal counsel. Moving forward, you look to implement stronger authentication or better password practices. You start an employee training program on phishing and protecting credentials. Furthermore, you establish and train on policies about what websites and apps employees are allowed to use at work.
- Your business falls victim to the business email compromise and a payment was made to a cybercriminal through the scam (usually a request for immediate payment on invoice). You respond by working with your bank to see if the payment can be returned or stopped. During recovery, work with your bank to see what other controls might be available on accounts before payments are made, train employees on phishing and email security and subscribe to information feed on threat information appropriate to the your sector to increase awareness of the threat environment and share with appropriate staff.
Recovery is not just about fixing the causes and preventing the recurrence of a single incident. It’s about building out your cybersecurity posture across the whole organization, including increasing the focus on planning for future events such as:
- Holding an cyber exercise (a simulated attack to evolve your response).
- Reviewing staff’s capabilities and investing in staff development in cybersecurity including additional training, education or certifications.
- Having a new staff onboarding process that includes cybersecurity training and demonstrated knowledge of key network and other workplace policies.
- Developing regular metrics and communications of metrics to key staff about the status of your businesses cybersecurity.
- Continuously monitor the cyber health of your organization.
- Implementing a risk review of new technologies you may incorporate into your business and plans for maintaining the cybersecurity of the new technology over time.
Taking these steps will help you with the other steps in the cybersecurity framework going forward and may help mitigate the losses during a future incident.
NIST Cybersecurity Framework Steps