It’s truly a nightmare situation: Your organization is hit by a ransomware attack, and bad actors are demanding a substantial sum to unlock your data and systems. Your team scrambles to recover backup files of that data, only to find it was corrupted by the same bad actors weeks ago. Your options are to pay the sum – if you can – or walk away and face the consequences.
While cybersecurity attacks can’t always be prevented, the damages from them could be mitigated. But to help protect your organization, you need to do more than just have a data backup plan – you need to prioritize exercising a contingency strategy and take measures designed to make your data more recoverable. Otherwise, you could face dire financial and operational consequences your organization might not survive.
Here’s what you need to know to help your organization develop and exercise a strong data recovery and protection plan to help minimize the damage of a cyberattack or breach.
Seven considerations for your data recovery and backup plan
Your data recovery plan should be one component of your organization’s IT resiliency plan, outlining how your business restores operations and technology following a crisis. Backing up and recovering data is part of this, and building a strong plan requires thoughtful conversations, extensive planning, and contingency plans for many different situations.
Though this is not an exhaustive list of considerations, these seven questions can help guide the foundational work of your organization’s plan.
1. Do you know where your equipment, data, and systems are?
Maintaining an accurate inventory of assets – IT equipment, data, and systems – is essential in building a strong data recovery plan. All parties responsible for executing your plan should know where equipment and data are located, how to access them, and their status.
2. What are your requirements for recovering and backing up data?
Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two aspects of a data recovery and backup plan that speak to how often you back up data and how much downtime your systems can tolerate. RPO measures how frequently your organization backs up data and therefore the point in time to which you could recover data at any given moment. RTO, on the other hand, measures how long your systems can be down before business operations are adversely affected.
Each of these measurements requires careful consideration based on what your organization can actually execute. Simply backing up data isn’t enough – you need to know how much data you could recover and how much would be lost, and you need to know how long each of your systems can be down without significant consequences.
3. What data will you recover first? What can you afford to lose?
Your organization might not be able to recover all lost or stolen data. Bad actors can gain access to networks well in advance of the event, sometimes roaming undetected for weeks or months before launching a cyberattack. During that time, they could corrupt backups or otherwise make them unavailable.
“You need to have honest conversations about your data. If you were hit with a ransomware attack today and only had funds to recover a small portion of your data, what would that be? What do you need to ‘keep the lights on’?”
Prepare to have difficult conversations about which data is most critical for your operations and in what order data will be recovered.
4. Are you able to recover your data backup files?
Even though your organization backs up data, it doesn’t always mean you’ll be able to recover it. You don’t want to find that out during a crisis.
A 2022 NetDiligence study of 1,400 ransomware events from 2017-2022 found just 170 events in which the victims were able to recover data from their own backups†. Costs associated with recovering this data were, on average, $78,000. Additionally, data was found to be encrypted in 123 incidents, meaning the organization was unable to recover using its own backups‡.
“Organizations often say they back up their data, but in a ransomware situation, those data recoveries might be corrupted and have been for a long time,” says Ashley Bauer, Executive Risk Practice Leader with Huntington Insurance. “Backing up data just to find out it isn’t viable does no good. Test your backup procedures to make sure you can actually recover the data if you’re hit with a cyberattack.”
Practice retrieving your backup files to ensure it is possible before an attack occurs.
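The RPO/RTO requirements from question 2, the recovery priorities from question 3, and the restore-test evidence from question 4 can be checked together in one small inventory review. The following is an added example, not code from the original article or from Huntington; the system names, objectives, and timestamps are constructed sample data, and the 90-day restore-test age threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class SystemBackup:
    name: str
    priority: int                            # 1 = recover first ("keep the lights on")
    rpo: timedelta                           # maximum tolerable data loss
    rto: timedelta                           # maximum tolerable downtime
    last_backup: datetime                    # when the newest backup copy was taken
    last_restore_test: Optional[datetime]    # when a restore was last practised
    restore_duration: Optional[timedelta]    # how long that practised restore took
    restore_ok: bool = False                 # did the practised restore yield usable data?

def assess(systems: List[SystemBackup], now: datetime,
           max_test_age: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Check each system against its RPO/RTO and its restore-test evidence.
    Returns {system: [issues]} ordered by recovery priority; an empty list means ready."""
    findings: Dict[str, List[str]] = {}
    for s in sorted(systems, key=lambda x: (x.priority, x.name)):
        issues: List[str] = []
        data_loss = now - s.last_backup      # what an attack right now would cost in data
        if data_loss > s.rpo:
            issues.append(f"RPO missed: newest backup is {data_loss} old, objective {s.rpo}")
        if s.last_restore_test is None or not s.restore_ok:
            issues.append("no successful restore test on record")
        elif now - s.last_restore_test > max_test_age:
            issues.append(f"last restore test is {(now - s.last_restore_test).days} days old")
        if s.restore_duration is not None and s.restore_duration > s.rto:
            issues.append(f"RTO missed: restore took {s.restore_duration}, objective {s.rto}")
        findings[s.name] = issues
    return findings

def ready_to_recover(findings: Dict[str, List[str]]) -> List[str]:
    """Systems whose backups are proven recoverable within objective, in priority order."""
    return [name for name, issues in findings.items() if not issues]

# Constructed sample inventory (assumed values, not from the article).
NOW = datetime(2022, 10, 28, 9, 0)
H, D = timedelta(hours=1), timedelta(days=1)
SAMPLE_SYSTEMS = [
    SystemBackup("erp-db", 1, 1 * H, 4 * H, NOW - 0.5 * H, NOW - 10 * D, 2 * H, True),
    SystemBackup("payroll", 1, 4 * H, 2 * H, NOW - 1 * H, NOW - 5 * D, 3 * H, True),
    SystemBackup("file-share", 2, 24 * H, 24 * H, NOW - 3 * D, NOW - 200 * D, 8 * H, True),
    SystemBackup("marketing-site", 3, 24 * H, 8 * H, NOW - 2 * H, None, None),
]

if __name__ == "__main__":
    for name, issues in assess(SAMPLE_SYSTEMS, NOW).items():
        print(name, "->", issues or "ready")
```

Run against a real inventory, the output is the list of systems you could not actually bring back today, in the order the business needs them.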
5. Who are you relying on to recover data?
You need people to recover data, which presents a problem during the holidays or vacations. Determine a contingency plan if the person you need to recover data is out of the office or otherwise unable to assist. This business continuity planning should be part of your company’s overall IT-specific resiliency plan and outline IT service backups or contingencies.
6. What are your third-party dependencies?
If a vendor, software, or partner your organization relies on is threatened, your connection to them might put you at risk. For example, if you rely heavily on Microsoft, how would an outage for them affect your organization?
This concern is highlighted by a finding from a landmark 2022 ThoughtLab cybersecurity benchmarking study: 44% of executives surveyed felt their organization’s use of partners and suppliers presented a major cybersecurity risk§.
“Relationships matter,” explains Buening. “What is your agreement with the third-party vendor? Do you have service level agreements that state when you’ll be notified if they’re hit by a cyberattack or how long they have to resolve the threat?”
Understanding those service level agreements (SLAs), recovery point objectives (RPOs), and recovery time objectives (RTOs) in your contracts with third-party entities can help protect your organization and improve your data recovery plan.
7. How will your organization communicate during a crisis or attack?
Communication is immensely important during a crisis. How do you plan to communicate if your organization is hit with a cyberattack that severs access to Teams, Zoom, Slack, and your email server? Sharing cell phone numbers in an area that can be accessed offline is one possible solution.
Practice your crisis response plan again and again (and again)
No matter how much time and energy your organization has put into developing a crisis response and data recovery plan, the process can fall apart in the face of a crisis. Groups across the organization might prioritize different tasks, some individuals might not be aware of recent changes to the plan, and communication can break down.
When you regularly exercise your plan, your organization will likely have better outcomes.
A 2021 Cisco Security Outcomes Study of more than 5,000 cybersecurity professionals showed that the more frequently organizations conducted threat detection and response program activities, the stronger their capabilities were in detecting threats. Those that conducted these activities weekly saw an approximately 30% increase in their threat detection performance¶.
Commit to exercising your crisis response and data recovery plan. This should include ensuring you can retrieve the data you’ve backed up and that all responsible parties understand your data priority.
Be on high alert during vulnerable times of the year as well. For example, tax season is rife with attempts to steal confidential or financial data. Bad actors also take advantage of the end of the year through business gift card scams and social engineering attacks. Practice your crisis response and data recovery plan especially during these times to keep your organization vigilant.
Investing in cyber liability insurance
When that bad day comes, having a plan to recover your data and a solid cyber liability insurance policy to shoulder the financial burden can help immensely.
Cyber liability insurance policies can provide first- and third-party coverage for damages when private, personal, and financial information is compromised due to a data breach or network intrusion. In the case of a ransomware attack, cyber liability policies can also provide funds for extortion payments.
If you don’t already have a policy or are looking to upgrade yours, one place to start would be your existing contracts. Some partner or vendor contracts require the other party to hold certain cyber liability limits. Understanding what your organization’s contracts dictate may help you determine what coverage you’ll need to carry.
Preparing your organization for an updated cyber liability insurance policy
Unfortunately, the rise of cyber threats has tightened the cyber liability insurance market. Providers offering this type of insurance today often have stringent rules for the organizations they cover, explains Bauer. Knowing what you might need to upgrade or implement ahead of time can help make the process of applying for coverage easier.
Below are three of the top requirements from cyber liability insurance providers today:
- Implement multi-factor authentication for email, remote access to networks, and anyone with administrative privileges in your organization.
- Use endpoint detection and response (EDR) to keep bad actors from roaming your network unnoticed before an attack. This capability helps your organization identify bad actors accessing your network and shut them down quickly.
- Build a strong data backup and recovery plan, including detailed explanations of how your organization will respond to a threat and retrieve data.
Not every organization can implement these quickly when they are required to secure a cyber liability policy. Outdated equipment might not support multi-factor authentication, and existing infrastructure might not be compliant. Additionally, not every organization has an in-house team dedicated to this work, so upgrades could take months – or longer.
In these situations, Bauer warns not to be tempted by policies with unfavorable terms in a “something is better than nothing” approach.
“Sometimes, it’s better to invest your money not in policies with high deductibles or minimal loss coverage, but instead on improving infrastructure,” says Bauer. “Then, you can meet the requirements needed for a better policy. There’s risk involved with this but taking on that risk to invest in security may be worth it.”
Protect your data and minimize risk
Huntington can support you with the insights, resources, and expertise you need to grow and strengthen your organization. Read our commercial cyber liability insight article to learn more about cyber liability insurance planning. Then, contact your relationship manager to start the conversation.
† NetDiligence. 2022. “NetDiligence Cyber Claims Study 2022 Report.” Accessed October 28, 2022.
‡ NetDiligence. 2022. "NetDiligence Cyber Claims Study 2022 Spotlight on Ransomware." Accessed October 28, 2022.
§ ThoughtLab. 2022. “Cybersecurity Solutions for a Riskier World.” Accessed October 28, 2022.
¶ Cisco. 2021. “2021 Cisco Security Outcomes Study, Vol. 2.” P.27. Accessed October 28, 2022.
The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.
Lending and leasing products and services, as well as certain other banking products and services, may require credit approval.
Third-party product, service and business names are trademarks/service marks of their respective owners.