Stephen Scharf, DTCC Managing Director and Chief Security Officer
Cyber security concerns, while not new, have grown exponentially to the point where many consider them the single most important near-term systemic risk, according to DTCC's latest systemic risk barometer survey. It is in this context, combined with the increasing sophistication and number of attacks, that most large firms now acknowledge that a successful broad-scale cyber attack is not a question of if, but when.
As a result, firms have placed great emphasis not only on preventing attacks but on enhancing their recovery and resiliency plans to more effectively respond to potential attacks.
Traditionally, prevention has been the main focus of firms’ cyber security strategies, and so this is where the most resources have been allocated. But with the acceptance that attackers may eventually break through, recovery plans have leapfrogged the agenda in recent years to a point where there is equal focus being placed on both aspects.
Increased Focus on Recovery Plans
This change in priorities can be attributed not only to evolving risk management practices but also, in part, to the increased regulatory oversight of cyber risk, which has become more rigorous in recent years, particularly with regard to recovery plans and objectives. In fact, some regulators now require that firms implement a "two-hour recovery" window, in which they would enact the core elements of their plans within the first two hours of a cyber attack disrupting critical systems.
In addition, this issue is becoming increasingly important given that many firms have recovery plans that were developed to focus on natural and unintended physical threats rather than on malicious and disruptive cyber-related risks. Today's threats are often fundamentally different in motive and intent from what we prepared for even a decade ago. As such, an increasing number of firms are looking across the enterprise to ensure that architectures and networks can be leveraged to respond appropriately to intentional and targeted attacks, for example, where data is changed or deleted, potentially from within the organization itself.
Defining Approach and Response
However, defining adequate response and recovery strategies can be challenging, given the broad scope of potential impacts of cyber attacks, ranging from the compromise of backups to coordinated attacks on multiple departments within one organization, and the complexity and size of organizations. Hence, for firms that are looking to rebalance the emphasis of their cyber strategies, there are some core points that should be considered when evaluating recovery plans.
The first step is to ensure the resumption of critical operations by developing safe-mode or alternative processes. Not all operations need to be resumed immediately; rather, firms should establish their priorities before an attack occurs, so that they know what to focus on should one happen.
Once the priority systems are operational, it is then important to remediate the rest of the impacted areas. Any thorough recovery plan should begin this process by eliminating the root causes of the cyber attack, addressing compromised accounts, computers and networks, and strengthening security controls and protocols accordingly. Further, before normal operations can begin again, it is essential that cyber specialists verify that the attackers have been fully eliminated from the environment. Only when this has been confirmed can organizations complete the resumption of normal operations.
Information Sharing is Key
After a firm has fully recovered from an attack, it has an opportunity to help other firms by sharing intelligence about the nature of the cyber attack, as well as the effective and ineffective elements of its defense and recovery plans.
In fact, information sharing has become a critical factor in helping to mitigate the effect of cyber attacks and to prevent further attacks from occurring. This kind of information sharing is critical to the safety of the industry and, as a result, should be a far-reaching effort across critical infrastructures, financial institutions, governing bodies, and cyber-threat investigative agencies. This engagement can help others to put in place appropriate measures to prevent similar attacks from occurring within their own organizations.
Importantly, this collaboration can be crucial for firms that may be struggling to define adequate response and recovery strategies given the scale of some potential cyber attacks. Through information sharing, firms can adopt best practices from across the industry that would otherwise be unknown to them, enabling the development of more effective response and recovery approaches.
Today's cyber threat landscape and regulatory obligations demand that we continue to assess and evolve our risk management approaches to ensure optimal defense and resiliency. By working together across the industry, sharing threat and attack information, and implementing best practices, we can ensure we have robust measures in place both to defend against threats and to enhance the resiliency of critical operations.
This article first appeared in Computer Business Review on November 14, 2018.