Disaster Recovery vs Cyber Recovery

We are witnessing firsthand the far-reaching impact of a single company’s cyber attack on an entire industry. The profound effects of the Change Healthcare breach on providers nationwide are exacerbating the financial strains with which these organizations are already grappling. While Change Healthcare bore the brunt of the attack, its repercussions extend across the country, affecting virtually every individual and partner that is reliant on these providers. Moreover, the aftermath persists. As Change Healthcare endeavors to recover and restore operations, its clients, and by extension, their patients, continue to grapple with the consequences of an assault that unfolded over two weeks ago.

As we see a significant increase in threats and attacks against the various players in the healthcare industry, organizations continue to respond by investing in new tools and strategies in an effort to thwart the actions of bad actors. While these efforts appear to be somewhat effective, attackers are getting smarter and it’s a continuous battle, one that will eventually be lost by some of these organizations – and with devastating effects.

Historically, organizations would have disaster recovery strategies that provide details on what steps need to be taken to restore systems and operations when there was some outage or disruption. Along with failover/active-active systems and infrastructure, and back-up/replicated data, IT operations would be quickly restored (in most cases within minutes or hours) and the long-term impact minimized.

So, what’s changed? Why are restoration efforts for cyber events measured in days, weeks, or even longer?

Cyber attacks differ significantly from physical disasters or outages, necessitating a specialized response strategy. Unfortunately, many organizations lack a dedicated cyber recovery plan, instead relying on their existing disaster recovery protocols. However, these plans can leave organizations vulnerable to prolonged downtime and data loss, as they differ from cyber recovery plans in a number of areas:

Location of Impact

With geographic diversity, a physical disaster will generally impact a single location or environment. An effective disaster recovery strategy plans for this and can scale to recover a single environment or an entire location if necessary. Cyber incidents can span across numerous applications and locations. There are an almost endless number and combination of areas and locations that can be impacted, requiring a different approach to planning a response to unplanned incident.

Recovery Target

When following best practices, a target or disaster recovery site is isolated from the production environment. Geographic distinct infrastructures with various levels of redundancy and supported by different utility companies, greatly minimizes the risk of the target site being impacted by the same physical disaster or outage that has impacted the production environment. Having that separation provides viable options as part of an organization’s planning. However, attacks using malware can easily span across environments making target environments equally vulnerable. Backup data and “active-active” environments that serve to greatly minimize risk of physical disasters often become the greatest target for cyber attacks.

Back-up Data

Regardless of the technology or platform, keeping back-up data protected and available at time of disaster has always been an important component in recovery strategies. Based on when the last back-up was completed, organizations know how much data they lost (RPO). With back-up infrastructure being a common and viable target for cyber attacks, a clean copy could be weeks or months old. In some cases, all the back-up data could be compromised resulting in an organization losing everything. Just trying to determine when the last clean copy of data was backed up can take a significant amount of time, adding to the recovery time (RTO) as well.

Procedures and Testing

Due to the complexity, permeation and variability that can occur with cyber attacks, testing programs become difficult to develop and execute. With physical disasters, a manageable number of likely scenarios can be considered and tested. In comparison, there are an endless number of possible scenarios when it comes to cyber attacks and therefore, organizations need to invest time and resources in developing recovery procedures and executing testing programs that will prepare them for a much wider range of situations and impacts.

While important, these are only a few of the differences between disaster recovery and cyber recovery. All organization’s environments and operations will differ. However, it’s important to recognize there are differences and to evaluate and assess your own organization, ensuring your different recovery programs and strategies were developed and are being managed to respond effectively to the various types of increasing threats we all face.