Prevention is Important in Security, but so is Recovery

Prevention, detection, and response receive a lot of attention in cybersecurity, but the importance of recovery is still underestimated. Often, things go wrong due to unclear responsibilities.

Prevention is better than cure. The age-old saying is not only the golden rule in healthcare, but the security world has fully embraced it as well. Security vendors compete with each other on prevention rates, and if someone does get in, an arsenal of detection and response tools is ready to kick intruders out.

Despite all the tools and technologies available to companies, an incident lurks behind every click. According to Darren Thomson, Field CTO EMEAI at Commvault, the “fifth” aspect of security still receives too little attention: recovery. “A breach is inevitable sooner or later. Companies are slowly beginning to realize that it can happen to them. But the security market has historically focused little on recovery.”

Who is Responsible?

The reason is more cultural than technological, says Thomson. “Security solutions are aimed at CISOs. In the event of a cyberattack, they are primarily looked at, but their focus is mainly on preventing and responding to attacks. The responsibility for managing backups and restoring data lies with the infrastructure team, which in many organizations operates separately from the security team.”

“In a good security plan, it should be clear who has which responsibility. You also need to bring the teams together to develop processes for restoring clean data. We as vendors should also do more to strengthen each other’s technologies. Prevention players are very good at what they do, while parties like Commvault can add expertise from infrastructure management.”

Eighty Days

In practice, things often go wrong, Thomson observes. “What constitutes a good recovery standard depends on the organization. But aiming for about ten days for full recovery is a good target. Your most critical data and apps should ideally be operational again within two days after the attack. There are companies that can recover in one day, but they are rather exceptional.”

“Sometimes it takes sixty to eighty days, or even longer, for a company to recover from an attack. That is really far too long,” says Thomson, putting his finger on the sore spot. “The average recovery time for large companies is around 24 days, which is still more than a full business month.”

Clean Recovery

Thomson makes an important distinction: a recovery is not automatically a clean recovery, and only a clean recovery is a good one. “Criminals often target backups first because they know they are a crucial part of the recovery plan. Restoring bad data is counterproductive. If your backups are compromised, you replicate malware throughout your entire IT environment.”

Another mistake companies make is not knowing what to restore first. “It is important to set priorities. Start with what we call minimum viable company: which apps and data do you need to continue your daily operations? What you need first, you should also be able to restore first and must not be compromised.”

“There is still too much thinking that disaster recovery is the same as cyber recovery. Regulations like DORA and NIS-2 should make that distinction even clearer. The guidelines on making backups are already a step in the right direction, but there is too little emphasis on the importance of clean data,” says Thomson.

Test, Test, and Test Again

With backups that follow the rules of the art, you build insurance against attacks as a company. But how do you know if those backups are reliable? “The maturity in backups is increasing, but often something is still missing in the strategy. Companies do not know enough whether their backups are clean because infrastructure teams rarely have that knowledge. Therefore, security and infrastructure must work together.”

Thomson also recommends using technological tools for this. Not coincidentally, his employer Commvault focuses on cleanrooms. “With a cleanroom, you create a secure and air-gapped environment. This way, you can isolate and regularly test backups without affecting the production environment.”

The importance of testing cannot be emphasized enough. “Depending on the complexity of your environment, you should test at least monthly, but more often is better. This still happens too little because people do not know when tests can be performed. Bringing in experts outside office hours is expensive. But if you do not know if your plan works, you have no plan.”

Finally, we ask Thomson to give one last piece of golden advice. “The megatrends like AI are a double-edged sword. Types of attacks do not change, but they have more impact. You need to understand the trends to defend yourself. Once you realize that an attack is inevitable, you will understand that you also need to invest in recovery.”