Last week Cutover CEO Ky Nichol spoke to Srividhya Vaidyanathan, Global Architect and Process Quality Leader at Shell, and David LaFalce, Senior VP & Global Head of Operational Resilience at Wells Fargo, about overcoming the complexity and unpredictability of recovering from cyber attacks. In this post, we share some of the key takeaways from that session. You can watch the full video here.
Why is recovering from a cyber attack harder than recovering from a regular IT disaster?
Identifying “boom” (the exact time, size, and nature of the attack) adds complexity. With other availability events, such as a regular data center outage, boom is known; in a cyber attack it is harder to determine unless a bad actor comes forward with specific demands, as in a ransomware attack. A capable nefarious actor will put blockades along the recovery path to make understanding this even harder.
Once you’ve identified “boom,” recovery proceeds as normal following the NIST framework, but you still might not know exactly what you’re contending with, so recovery becomes a bit cloudy.
With regular availability events, recovery is relatively well rehearsed in the financial sector, with playbooks immediately available. With a cyber event, there are more unknowns, such as the vector the malware took into the system, which makes preparedness more difficult.
Other factors you will need to think about during and after recovery include:
a) Protecting audit trails - showing that the method of recovery you chose was correct. If it’s a sizable breach, regulators or law enforcement may ask you to preserve evidence.
b) Understanding what’s been altered - you may have to go through a forensic process to find out what code has been altered, so that you can go back to a clean version of that code and then recover to move forward.
c) Stemming the flow - you need to ensure that more data isn’t leaking out, by ensuring that you’ve patched every hole and undergone analysis to figure out what’s been exfiltrated.
There’s also added pressure when it comes to a cyber attack. You know that a malicious actor has found their way into your system and your company is going to be in the papers. Your customers, and the whole ecosystem you’re a part of, will be worried about the exposure, and a million eyes will be on you. That creates a level of pressure that something like a flooded data center doesn’t have.
What sort of mandate is there at board level to prioritize cyber?
Cyber security is a board-level mandate. Organizations are more connected than ever, with their suppliers, customers, and more. Cyber attacks can cause huge financial and reputational harm and be extremely difficult to recover from. There’s also a huge compliance element, and organizations can be held liable if cyber security is not handled properly.
Clear and constant communication is very important. It’s easy to fall into a sense of complacency when there has been a long time with no breaches. Safety is a hearts and minds thing, and cyber security is the same: there needs to be awareness at every level. This can be brought about through campaigns that keep it top of mind across the organization, and leadership from the board down needs to be communicating its importance.
In the financial sector, cyber is understood to be a priority both by regulators and internally within organizations. The makeup of boards will start changing, if they haven’t already, to ensure they have some cyber expertise to put appropriate pressure on the CISO.
In terms of the communication piece, end users as well as employees need to have awareness of cyber risks. The financial sector was one of the early adopters of cross-firm information sharing, and there’s been a concerted effort to push information and advice down to smaller firms. The supply chain is the weakest link, and as financial firms have so many suppliers now, there’s a vested interest in ensuring that everyone is working from the best information.
What are the most common challenges that organizations face when recovering from a cyber attack?
Complex ecosystems - supply chains are connected, and a malicious actor can get into one part and quickly spread across the rest. Cyber reports in 2023 call out cyber attacks as the biggest threat to supply chains.
Another factor that makes cyber recovery so difficult is that malicious actors don’t want to be detected, so it’s often hard to know the extent of their penetration into your system. Finding out the impact and quickly putting things in place that work across the ecosystems comes with huge challenges and can be a CISO’s nightmare.
Speed of recovery is very important, but it can be hard to determine whether you’ve actually solved the problem. The most important thing is fixing the issue and getting your network back up for business, but once you’re restored the unknown factor creates much more unease: have you actually plugged all the leaks and removed the bad actor’s malware or access from your system?
For a cyber recovery, you have to revert to an older version of your code, data, operating system or firmware that’s not diseased, but you can only go back so far, and it’s hard to know how the system will react: functionality may be lost and you could open up new vulnerabilities. Going backward also has a knock-on effect. You’ve not only lost the data that was already there, but the world continues to move on while you’re going backward, potentially creating even more issues and inconsistencies. Rolling back to clean versions of business data (if you can even tell what those are) is not necessarily feasible in the financial sector.
Recovery, especially for the integrity threat vector, is problematic because of this. In terms of paths forward, rebaselining and failing forward could be a better solution, but it is not currently a common way of working.
How should organizations think about cyber recovery in terms of people, customers and other non-technology aspects?
I’m not sure you can separate these from the technology side. It depends what layer the attack happens on. How would customers go about their day if something major happened to the technology?
For both consumers and internal stakeholders, the keyboard, screen, etc. is now part of them, and there’s always going to be a strong negative impact if that technology is compromised. Getting people to understand the risks and potential impacts of a cyber attack, and how to work around it, is important.
People are your best defense, so building heightened awareness, for example about phishing, reduces the organization’s exposure to threats. Most attacks come through people not having that heightened awareness and clicking a malicious link or downloading a suspicious file.
These are just some of the insights shared during the session. To hear the panelists’ full answers to these questions and more, watch the full recorded webinar.
Cutover’s Collaborative Automation SaaS platform enables enterprises to simplify complexity, streamline work, and increase visibility. Cutover’s automated runbooks connect teams, technology, and systems, increasing efficiency and reducing risk in IT disaster and cyber recovery, cloud migration, release management, and technology implementation. Cutover is trusted by world-leading institutions, including the three largest US banks and three of the world’s five largest investment banks.