Cybersecurity recovery planning is essential for any organization anywhere if that organization expects to survive. But in Pennsylvania, the situation is different. Here, we labor under certain rules and restrictions that are not present everywhere else.
The good news is that we are not unique in this, we are not alone, and there’s high-level help available- help that has the power to elevate all of us. There are several reasons why PA small businesses (SMBs) are up against it when it comes to defending against cyber threats.
The first is difficult to explain briefly, but it has to do with unique circumstances in our local economy.
Next, we have a high rate of successful cyber attacks against small businesses. That alone is frightening enough.
Finally, we labor under regulatory burdens that simply are not present in every other state in the Union. To be blunt, if your customer’s data is compromised while they are interacting with your organization online, the chances of you being held responsible for it are high, and so are the penalties.
For this reason, more than any other, Pennsyvlvania SMBs need especially robust cyber security capabilities. Here, our topic is the capacity to recover from a hard-hitting cyberattack, and how the NIST Framework recover function can help.
Overview of NIST’s Cybersecurity Framework
The guidance we mentioned comes in many forms and from many sources, especially the experience and help of our peers in business. But our topic here is the NIST Cybersecurity Framework (CSF). This is a collection of guidelines, hammered out, revised, and refined over the last 15 to 20 years, to provide fulsome guidance for businesses of all kinds to take on a much more robust defense against digital bad actors.
It is produced by the National Institute of Standards and Technology, which is more than a century old and home to a wealth of experience in securing the business community, infrastructure, and government agencies against threats that emerge as new technologies come to prominence.
The CSF is only NIST’s latest effort and it is designed to help the business community form a united front against cyberattack by sharing knowledge, experience, and skill. But when it comes to cybersecurity, most people think only in terms of defense. This is fine, but after even an unsuccessful attack, recovery is key to regaining critical functions, restoring productivity, and protecting your reputation.
What’s more, having a robust disaster recovery plan is essential for maintaining good customer relations. The people you serve need and deserve to know that when a significant cyber event takes place, you have what it takes to protect them and make them whole after the fact. Having a good cyber recovery plan is also a best practice when it comes to regulatory compliance because it demonstrates good faith.
Unpacking The “Recover” Function In NIST’s Cybersecurity Framework
Like all of the functions described in the NIST Framework, the Recover Function is delicately interwoven with all the others. Its processes are active before Recover processes begin, and they continue even after recovery is complete.
NIST.gov describes the Recover Function in brief, as follows: “The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.”
Like the other functions, Recover comes with a series of expected outcomes. These describe results that organizations can expect to enjoy when they implement the functions. The outcomes also help us understand how each function interlocks with the others.
Let’s take a look at the expected Respond outcomes as described by the NIST Framework.
- Recovery Assurance – Ensuring the organization implements Recovery Planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents
- Improvement Implementation – Implementing Improvements based on lessons learned and reviews of existing strategies
- Communications – Internal and external communications are coordinated during and following the recovery from a cybersecurity incident
Understanding that, we can see the specific objectives of the Restore Function, including but not limited to; restoring assets, resuming operations, minimizing impact, and ensuring appropriate communication.
The Interplay Between “Recover” And Other NIST Framework Functions
In its descriptions of the expected outcomes of each of the functions, NIST has been careful to illustrate how the functions are interconnected. This is equally clear under the Recover function. In the outcome we have labeled recovery assurance, NIST talks about recovery planning processes.
As we have seen with the other functions, this indicated recovery activity before the recovery process has been initiated in full. Of course, it stands to reason that recovery takes planning, but within the Framework, it is clear that we perform recovery processes in addition to and in support of the other functions.
In particular, we would highlight the Protect and Respond functions as working in tandem with ongoing recovery processes. To understand this, it might help to think of a boxer in the ring. A boxer keeps up his guard at all times, ideally. The purpose of this is not just to deflect the opponent’s strikes, but also to absorb those impacts so that he can maintain his balance.
In this way, Protect processes are also Recover processes because they set the stage for the Recovery phase to begin in earnest. Then, when a boxer is properly positioned to throw a return punch, he sets his back foot to create what is called a kinetic chain between his foot and his fist.
This creates a more solid structure for striking, but it also sets him up with better stability. This allows him to recover more fully and quickly. Then, of course, he is better positioned to endure the next series of exchanges. Thinking this way, we see that all the functions are recovery functions. This is because each function enables an organization to keep from being obliterated by an attack. And, of course, there is no hope of recovery if there is nothing left to recover.
Therefore, all processes are recovery functions, at least in part. But let’s look at the interconnection a little more closely.
- Identify: In the Identify function we begin to get an idea of what the threat or anomaly is. In so doing, we can begin to initiate processes designed to recover from it. In the same way that our boxer will instinctively consider the angle of an incoming strike and choose the best angle from which to deflect and recover his stance, we also respond and defend in a way that is designed to position us optimally for recovery.
- Protect: As we begin to raise our defenses unless we’re working in total darkness, we don’t just throw up every wall we have. We choose defenses that will work against the incoming threat. If the attack is coming through the HR dept, for example, we would not run into the dining office and unplug everything. That would be a waste of time and effort and it would slow our ability to initiate recovery.
- Detect: A lot of thought leaders feel the Detect Function is oddly placed, and for some organizations, it might need to be reassigned to a new place in the process. But for most businesses, it is generally well-placed. That’s because, given the reality of cybersecurity, detection should happen from a defensive position. That is to say, we are protecting before we are detecting. This is simply a posture of persistent vigilance. Many of us struggle to grasp this. But we can get our heads around the non-intuitive nature of this reality by simply realizing that if we wait to deploy defenses only after detection happens, it will be too late.
- Respond: Now, we come to the phase when we begin to take actions that we do not maintain in perpetuity. This means that we are no longer only performing general preparedness defensive actions. At this point, we are responding to a specific attack type in pennways that are tailored to the timing, mode, shape, and power of the attack itself.
- Recover: Now, in the actual Recover stage, we are resetting our assets and personnel. Further, we are refitting previous vulnerabilities, closing gaps, defending that which was previously undefended, and so on.
Key Milestones in the Recover Function Process
To measure the success of all this interactivity between the Recover and other functions, we have three key milestones. They are timely restoration, strategic communications, and assets and operations resetting.
Timely Restoration of Normal Operations
Perhaps the strongest indicator of a successful cybersecurity response, the timely restoration of normal productivity processes is crucial. In timing your company’s ability to recover fully from a cyber event, you can measure the overall strength of your defenses as described by the NIST Framework. Simulating attacks is an excellent way to obtain good data in this regard.
Strategic Communication During Recovery Efforts
The second metric looks at how effective and on-point communications were during the cyber event. Here, we can look at emails, texts, and any speech that may have been recorded. This metric can be tough to obtain since gathering and analyzing all communications can be quite painstaking. But once done, it is a very strong indicator of recovery process quality.
Assets And Operations Resetting
Similar to the timely restoration of normal processes, assets, and operations resetting is more about physical assets and how they look. In other words, this metric is about how quickly things feel normal on the most cursory level. It’s a bit like throwing a party at your parent’s house and then trying to get all the furniture put back just well enough for them to go to bed and not notice. You could think of it as restoring the feng shui of the workplace.
This might sound comical, but you’ll find that when you’re trying to isolate threats and wall off sensitive data, your equipment can get shuffled around pretty dramatically.
Affordable Cybersecurity Tools & Resources for Small Businesses in Pennsylvania
Because of the seriousness of the state of cybersecurity in Pennsylvania, special cybersecurity tools are required. Fortunately, there are affordable options available out there.
Here is a list of key assets and asset categories that you should be looking at:
- Antivirus Software
- Endpoint Detection & Response
- Next-Gen Firewalls
- Domain Name Protection
- Email Gateways
- Intrusion Detection & Prevention
- Log Monitoring
- Endpoint Protection
- Authentication Services
- Cloud-Based Security
- Web App Firewalls
- SD-WAN
Again, this list is not comprehensive. There is a long list of tools for this level of cybersecurity. Some of them are essential, and some are not, depending on the unique needs of your organization.
The Importance Of Being Prepared
The surprising thing we learn about the Recover function is that it is as much about preparation as it is about restoration. Being deeply integrated with the other functions, it gives organizations that implement it the ability to establish a persistent recovery-ready stance.
Like the boxer in our analogy, being prepared to survive an attack is as key to your ability to recover as your direct recovery processes themselves. The NIST functions all contain aspects of the others, making the Framework a robust end-to-end cybersecurity solution.
Get in touch today to learn more about the NIST Cybersecurity Framework. Our team is standing by to help Pennsylvania SMBs like yours endure the storm.