Insight

What’s the value in a cyber recovery plan?

Written by Jack Durrant - Associate Director, BA (Hons) FCII

If you’re in the corporate world, you’ll have heard of disaster recovery plans, or business continuity plans. And as businesses become increasingly reliant upon tech, insurers are considering cyber recovery plans more than ever. As with most things ‘in the cloud’, it's difficult to articulate what a recovery plan would look like for the enormous amounts of intangible data we hold within our business, and upon which we are so utterly dependent.

What is a recovery plan?

Time and time again, businesses and people in management or director positions say that they will ‘just do this’ or ‘get another machine’ or ‘set up here/there’, but the reality is that things don’t tend to run that smoothly. Usually, this is where a recovery plan can make so much of a difference. I remember working in the building directly opposite the Manchester Arena after the devastating attacks in 2017. I turned up for work the day after the attack and it was closed. The business I worked for had a plan in place and alternative offices within Manchester city centre were set up ready to go with computers and software to enable the business to keep trading. I was surprised at how seamless the whole move was, but that showcased the value of having a robust recovery plan in place. People were up and running in the new office only 20 minutes later than usual. It was astounding how much of an impact this had on continuity for clients and the workforce.

What is cyber recovery?

In essence, a cyber recovery plan isn’t too different from a physical recovery plan, but it might come into play when there has been ransomware activity, or maybe DDoS attacks where you or your business has been targeted. Unlike the Manchester scenario we've already discussed, you turn up to the office and you’re met with a blue screen and a message that at best gives you a helpline number or a generic description of what’s occurred. That’s most likely to be a cyber-attack that’s brought your IT system to a halt.

Even the most technical businesses don’t always know what would be the best course of action in the event of an outage or attack without a recovery plan in place. Do you call your insurer or IT service provider first? Next, would you put a hold on your bank accounts and any software assets? Set up a new telephone number? Should you contact the ICO? And what do you tell your customers, if anything at all?

By developing a watertight, credible, and practised recovery plan you can remove the emotions or panic and focus on one step at a time.

During an incident, it will feel like 100 things need to be done all at once. Yet the threat actors lay their traps so astutely that often these knee-jerk reactions would lead to yet further disarray and damage, which is why it is so critical not to make any unconsidered moves in the heat of the moment. A strong recovery plan also needs to address the individual needs of each client. In my experience, the most successful ones are bespoke to a business, depending on their set-up, contacts, customers, service providers, insurance arrangements, and even the time of year.
 

How might you develop a cyber security recovery plan?

Firstly, you should look to choose someone to lead the plan; someone competent in most of the business systems, who can direct a process to reinstate them, and who can also ensure the plan is maintained and developed according to the position of the business and its stakeholders. Within the leadership of the plan for larger organisations, it would be important to have the right person in place to communicate the plan, someone managing the plan, and someone who manages the assets of the business. That ‘someone’ may take on more than one of these key responsibilities, or perhaps there is an action committee chosen to share the roles.

Next, the business must understand what its systems, data and digital assets look like – perhaps reviewing things like permissions and identifying key data that should be protected and backed up. It’s also important to understand and categorise digital assets by their importance as “essential”, “important”, or “unimportant”. This indicates which information is most vital and where resources should be focused. Usually, essential and critical assets will include anything key to ensuring that the business can continue operations should its systems be disrupted or deleted. This step will also include making sure appropriate measures are taken to encrypt, password protect and back up those assets, and to ensure multi-factor authentication (MFA) is set up.

Thirdly, the business should assess its major risks – for example looking at ransomware, internet or power outages, or internal threats from subcontractors or third parties. This will include understanding how the threats could be mitigated, transferred, or managed.

The business should then address each individual risk, what the circumstances might be, how it could recover and the processes for doing so. This might include communicating with internal and external stakeholders, third-party IT contractors, internal IT representatives, and informing insurers. The business should also map out what might go wrong, potential risks, and how the business might continue to operate or communicate with clients about issues. This might include, but is not limited to: recovery backups, intentional shutdown procedures, and disconnecting from the networks/internet. Ultimately, a small and temporary outage to regain control of systems is better than continuing to operate at the risk of a permanent and total loss of systems. Businesses must understand what signs to look out for according to their risk profile.

The ongoing part of this is testing and practising, which should include all key stakeholders and most of the network users. These users should also be aware of the risk profile and what to look out for, which may be early warning signs of pending attacks or suspicious activity. Participants should also call out gaps in the plan and help to continually optimise it to meet any potential threat.

People and human error account for the most common downfall in system security, and educating users is usually the best way a business can ensure it remains protected.

While it's critical to have this plan, no business or plan is perfect, but the practice and methodology of dealing with cyber incidents is invaluable. Most businesses would see huge benefits from having a dynamic and planned response. It helps build resilience and ensures that incidents cost less if they do occur, and that the business recovers quickly without risking essential systems and data.

If you’d like to know more, speak to our team today on 0330 008 1334 to explore how we can protect your business with a cyber recovery plan.

Meet the author

Jack Durrant

BA (Hons) FCII

Jack is Branch Director for Howden in Manchester and Bolton. He leads the Commercial teams and is a technical insurance expert focused on supporting manufacturing and technology-related businesses nationwide. In particular, he has extensive experience advising clients who import and export, have complex processes, high property and machinery exposures, and extensive supply chains.
