How to meaningfully measure the effectiveness of cyber resilience


Cyberattacks in the UK and around the world are rampant and rapidly evolving in sophistication. In fact, the National Cyber Security Centre in the UK deals with at least one incident per day. These days, the ‘when, not if’ mantra is repeated so often that it almost sounds cliché.

Given that attacks are almost inevitable for so many organizations, the focus is rapidly and justifiably moving to ‘how quickly can we restore and recover?’

Darren Thomson

Field CTO for EMEA & India at Commvault.

For organizations, cyber criminals pose a very real threat. As we have seen across the UK, if you are not prepared, you can pay a massive price.


Major UK retailers and brands have recently fallen victim to ransomware that ultimately resulted in lengthy delays for customers, downtime, and reputational damage, despite the companies reacting relatively quickly.

In many cases, it takes businesses a long time to recover from these attacks. Recent statistics have suggested that business leaders expect five days of operational downtime before their organization is back up and running, when in reality the effects often last between three and four weeks.

This could ultimately result in business leaders questioning the tools and capabilities at their disposal: is the software ineffective, or have the IT and security teams lost their skills? The answer to both questions is frequently no. The real issue is that the task of achieving a clean recovery has changed.

Traditional practices are failing

While tried and tested recovery methods may have worked consistently a few years ago, with the risk and threat landscape steadily evolving, a new approach is needed.

Disaster recovery tools and protocols previously solved a lot of problems, offering respite and support if data or systems were corrupted or destroyed due to physical disasters such as flooding, fires, or other damage – the biggest risk to data 10 years ago.

Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) were often used to measure efficiency, capabilities, and recovery time goals.

However, recent statistics suggest that hackers stay in their targeted networks for over 200 days on average. Bad actors will take their time, creating a way to enter the environment that goes unnoticed while corrupting and manipulating dozens of systems in their wake.

This means that when they eventually press the button to execute an attack, the breadth of damage can be quite extensive and there can be considerable confusion over what data and backups can be trusted.

Simply restoring the data, without knowing the status of the backups, may achieve desired RTO and RPO, but it won’t guarantee a clean recovery. IT and security teams need to analyze the backups to make sure they are clean and can be trusted.

This is a time and resource-intensive procedure that could result in weeks of downtime, rather than days.

This is why new methods and measurements are needed to provide a realistic and logical view of the whole process. Organizations must accept that there are likely to be multiple hidden entry points and that backup copies are likely to include compromised or corrupted data.

Only then can they understand the gaps in their defense systems, something known as the ‘preparedness gap’.

For senior executives, business leaders and boards, this understanding can provide an opportunity to reshape how recovery is understood, managed, and planned for – in good times versus in bad times.

Notably, it can challenge leaders to push their IT and security teams to work even more collaboratively, move beyond “restore speed”, and start thinking in terms of data trust, system integrity, and clean recovery timelines.

How to accelerate

Achieving adequate preparedness starts by keeping the business running in the event of a cyberattack and being well positioned to recover these systems quickly afterwards.

This is a concept known as Minimum Viability: the practice of identifying which systems, identity services, networks and people are critical to business operation. Together these make up the company’s Minimum Viable Company (MVC).

Another factor to consider is what the organization’s Mean Time to Clean Recovery (MTCR) looks like. In essence, MTCR is the average time required to restore the previously defined critical business applications that make up the MVC, together with their foundational systems, infrastructure and associated clean, validated data, following a cyber event.

To help achieve clean restoration of critical business systems, aspects of recovery that are often missed as part of traditional disaster recovery techniques must be considered.

This includes performing forensic analysis and integrity checks on applications and data, validating the infrastructure components, isolating clean versions from infected data sets, and identifying if data can safely be restored.

However, old and new concepts can combine here to form a new era of modern clean recovery assurance, with MTCR complementing RTO and RPO. Once combined, MTCR shifts the focus to a more mature and secure approach to recovery.

By making clean data verification part of the recovery metric, organizations can build repeatable, auditable processes that can contribute to more steadfast and reliable RTO and RPO measures.
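The three preceding passages describe MTCR as a metric, list the verification steps a clean recovery needs (integrity checks, forensic analysis, isolating clean copies, deciding whether data can safely be restored), and argue for building that verification into the recovery metric. The following toy model is an added example, not code from the article or from Commvault: it walks each MVC application's backups newest-first, discards any copy taken inside the suspected intruder dwell window, runs an integrity check and a stand-in forensic check on the remainder, and reports the traditional restore-only time next to the clean recovery time. Every backup, size, throughput rate and the indicator string are constructed for illustration; the two check functions are placeholders for whatever real tooling an organization uses.

```python
"""Added example (not from the article): modelling how clean data verification
changes the recovery metric for a Minimum Viable Company (MVC).
All data, rates and the indicator string below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Sequence, Tuple
import hashlib


@dataclass(frozen=True)
class Backup:
    app: str
    taken_at: datetime
    image: bytes            # stand-in for the backup image
    recorded_digest: str    # digest written to the backup catalog at backup time
    size_gb: float


@dataclass
class AppRecovery:
    app: str
    restore_point: Optional[datetime]   # None: no trustworthy copy exists
    candidates_verified: int
    rto_hours: float    # restore the newest copy with no verification (traditional view)
    clean_hours: float  # restore the chosen copy plus verification of every candidate examined


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(b: Backup) -> bool:
    """Integrity check: the stored image still matches the catalog digest."""
    return sha256_hex(b.image) == b.recorded_digest


def no_indicators(b: Backup) -> bool:
    """Constructed stand-in for a forensic scan: reject an image carrying an
    artefact the investigation has attributed to the intruder."""
    return b"INTRUDER-MARKER" not in b.image


Check = Callable[[Backup], bool]


def choose_clean_restore_point(backups: Sequence[Backup], suspected_entry: datetime,
                               checks: Sequence[Check]) -> Tuple[Optional[Backup], List[Backup]]:
    """Newest-first search for a copy that predates the suspected intrusion and
    passes every check. Returns the chosen copy (or None) and the copies that
    had to be verified to reach it."""
    verified: List[Backup] = []
    for b in sorted(backups, key=lambda x: x.taken_at, reverse=True):
        if b.taken_at >= suspected_entry:
            continue                    # inside the dwell window: cannot be trusted
        verified.append(b)
        if all(check(b) for check in checks):
            return b, verified
    return None, verified


def plan_recovery(mvc: Sequence[str], backups: Dict[str, List[Backup]], suspected_entry: datetime,
                  restore_gb_per_hour: float = 200.0, verify_gb_per_hour: float = 400.0) -> List[AppRecovery]:
    """Per-application comparison of restore-only time against clean recovery time."""
    results = []
    for app in mvc:
        cands = backups.get(app, [])
        newest = max(cands, key=lambda b: b.taken_at, default=None)
        rto_hours = newest.size_gb / restore_gb_per_hour if newest else float("inf")
        chosen, verified = choose_clean_restore_point(cands, suspected_entry, (integrity_ok, no_indicators))
        verify_hours = sum(b.size_gb / verify_gb_per_hour for b in verified)
        clean_hours = chosen.size_gb / restore_gb_per_hour + verify_hours if chosen else float("inf")
        results.append(AppRecovery(app, chosen.taken_at if chosen else None,
                                   len(verified), rto_hours, clean_hours))
    return results


def mtcr_hours(results: Sequence[AppRecovery]) -> float:
    """Mean Time to Clean Recovery across the MVC; infinite if any application
    has no trustworthy copy, because the business cannot be cleanly restored."""
    return sum(r.clean_hours for r in results) / len(results)


# --- constructed sample data -------------------------------------------------
T0 = datetime(2025, 6, 1)                       # day the attack was executed
SUSPECTED_ENTRY = T0 - timedelta(days=200)      # dwell time from the article's statistic


def make_backup(app, days_ago, image, size_gb, tampered_after_catalog=False):
    recorded = sha256_hex(image)                # catalog entry written at backup time
    if tampered_after_catalog:
        image = image + b"\x00"                 # image altered later; digest no longer matches
    return Backup(app, T0 - timedelta(days=days_ago), image, recorded, size_gb)


SAMPLE_BACKUPS = {
    "identity": [make_backup("identity", 1, b"idp v4 INTRUDER-MARKER", 50),
                 make_backup("identity", 210, b"idp v3", 50, tampered_after_catalog=True),
                 make_backup("identity", 240, b"idp v2", 50)],
    "orders":   [make_backup("orders", 1, b"orders v9", 800),
                 make_backup("orders", 205, b"orders v8", 800)],
    "payments": [make_backup("payments", 30, b"payments v1", 300)],  # only copy is inside the window
}
MVC = ["identity", "orders", "payments"]

if __name__ == "__main__":
    plan = plan_recovery(MVC, SAMPLE_BACKUPS, SUSPECTED_ENTRY)
    for r in plan:
        print(f"{r.app:9} restore point={r.restore_point} verified={r.candidates_verified} "
              f"RTO-only={r.rto_hours:.2f}h clean={r.clean_hours:.2f}h")
    print(f"MTCR = {mtcr_hours(plan):.2f}h")
```

Two things the numbers show that the prose only asserts: the restore-only figure for "orders" meets a four-hour RTO from a copy that may carry the intruder's changes, while the clean figure is six hours because a pre-intrusion copy had to be verified first; and "payments" has no copy older than the dwell window, so its clean recovery time, and therefore the MTCR for the whole MVC, is unbounded until a trustworthy source is found. A real verification step will take far longer than the constructed throughput here, which is the article's point about weeks rather than days.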

Implementing new procedures that take all aspects of recovery into account can help increase the speed of recoveries, reduce the risk of failed restoration and re-infiltration by bad actors, and potentially reduce financial losses and reputational damage.

Regardless of an organization's size, maturity level, or security posture, every day matters when it comes to recovery.

While no process can guarantee full and fast recovery, an approach that is realistic and takes into account the differences between cyber recovery and disaster recovery is the best way to get affected businesses back to full operation in a timely manner and limit the risk of business failure.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
