October 24, 2024
Mitigating Cyber Risks: Preparation Through Resiliency and Planning
The Growing Threat of Cybersecurity Attacks
Cybersecurity attacks are not only becoming more frequent, but more sophisticated each year. Hardly a week goes by without news of an organization falling victim to a new malware or ransomware cyber attack. Because of this, organizations must ask the question, “do we have the capabilities to withstand, recover from, and adapt to new threats of constantly evolving cyber attacks?” These attacks can plague organizations with financial loss, reputational damage and regulatory fines.
Verizon has released its 2024 Data Breach Investigations Report. Several takeaways stand out: 10,626 confirmed data breaches, nearly double the number from the previous year; ransomware or extortion involved in 70% of financially motivated incidents; and a median loss per attack of $46,000. The report also found that over 50% of breaches included a non-malicious human element, emphasizing the need for security awareness training. This article focuses on high-level strategies for fighting these threats through effective cyber resilience.
Building a Cyber Resilience Strategy
The Importance of Cyber Resilience
Cyber resilience should be at the top of every information technology (IT) strategic plan for every organization. A cyber resilience strategy is a foundational building block of adopting a mindset of preparation instead of being forced to only respond. A strong strategy begins with an effective risk management process.
Identify Key Business Processes and Data
An organization first needs to identify its key business processes, the systems that support those processes, and what kinds of sensitive data reside in its environment. Vulnerabilities and threats are then identified, along with the likelihood of each threat exploiting a vulnerability and the potential impact on the organization. The vulnerability assessment should consider leveraging scanning tools such as Tenable Nessus and Qualys.
Ensuring Robust Backup and Recovery Procedures
Diversify Data Storage
The ability to quickly recover data and systems in the event of an attack should be part of the risk assessment process. Robust backup and recovery procedures should be implemented. Some strategies include:
- Cloud adoption: A common strategy for protecting data through diversification of storage. Cloud computing allows for scalability and faster recovery with various recovery options.
- Geographic redundancy: Cloud services often offer data storage in different geographic locations to mitigate the risk of primary backup or data source corruption.
- Other storage options: Network-attached storage (NAS), block storage, and storage area networks (SAN).
- Air-gapped backups: Refers to backups isolated from the network, ensuring data is not accessible by threat actors.
Align Business Continuity and IT Objectives
Successful resiliency comes not just through diversification of data storage but also through aligning the requirements in the business continuity plan (BCP) with the IT department's objectives. In the event of a disruption, an organization needs to know how quickly critical systems can be brought back to a functional state, ranked by importance, and what the acceptable data loss is for each department and application. As such, a BCP and an incident response plan (IRP) should be developed, maintained, and tested annually to identify areas for improvement and minimize the impact of disruptions. Roles and responsibilities should be defined so personnel know what is expected of them during a disruption. Several regulations and standards require a BCP and IRP to be in place and tested regularly. For example, the November 2023 revision to 23 NYCRR Part 500 from the New York Department of Financial Services requires the development, maintenance, and testing of business continuity plans, disaster recovery plans, and incident response plans in sections 500.16(a) and 500.16(b).
Testing Business Continuity and Disaster Recovery Plans
Understanding RTOs and RPOs
Two crucial metrics used in disaster recovery plans (DRP) and BCPs follow:
- Recovery time objective (RTO): The maximum acceptable time to restore a network or application.
- Recovery point objective (RPO): The maximum tolerable amount of data loss, expressed as the time between the last usable backup and the disruption.
The RTO and RPO are negotiated and agreed upon by the business and IT, based on business requirements and the capabilities of the IT team. Using the RTO and RPO, organizations can prioritize systems for recovery and choose among different types of data storage solutions. Organizations can then validate the RTOs and RPOs in disaster recovery tests that evaluate both the time to recover from backups and the integrity of the restored data.
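As an added illustration that is not part of the original article, the following Python sketch shows how agreed RTO/RPO values turn into a recovery order and a pass/fail check on a DR test. The system names, targets, and test timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class System:
    name: str
    rto: timedelta            # agreed maximum time to restore service
    rpo: timedelta            # agreed maximum data loss, expressed as time
    last_backup: datetime     # most recent restorable backup before the outage
    outage_start: datetime    # when the disruption began
    restored: Optional[datetime]  # when service was verified back; None if not yet

def recovery_order(systems):
    """Restore the tightest RTO first; break ties on the tightest RPO."""
    return [s.name for s in sorted(systems, key=lambda s: (s.rto, s.rpo))]

def evaluate(s):
    """Compare what a DR test actually achieved against the agreed RTO/RPO."""
    data_loss = s.outage_start - s.last_backup          # achieved RPO
    downtime = (s.restored - s.outage_start) if s.restored else None  # achieved RTO
    return {
        "system": s.name,
        "data_loss": data_loss,
        "rpo_met": data_loss <= s.rpo,
        "downtime": downtime,
        "rto_met": downtime is not None and downtime <= s.rto,
    }

def failed_systems(systems):
    """Names of systems that missed either objective during the test."""
    return [r["system"] for r in map(evaluate, systems)
            if not (r["rpo_met"] and r["rto_met"])]

# Constructed DR test record (hypothetical systems and times).
T = datetime(2024, 10, 24, 9, 0)
SAMPLE = [
    System("policy-admin", timedelta(hours=4), timedelta(hours=1),
           T - timedelta(minutes=30), T, T + timedelta(hours=2, minutes=30)),
    System("claims-portal", timedelta(hours=2), timedelta(minutes=15),
           T - timedelta(hours=1), T, T + timedelta(hours=3)),
    System("reporting", timedelta(hours=24), timedelta(hours=24),
           T - timedelta(hours=11), T, None),
]

if __name__ == "__main__":
    print("recovery order:", recovery_order(SAMPLE))
    for result in map(evaluate, SAMPLE):
        print(result)
    print("missed objectives:", failed_systems(SAMPLE))
```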
Common Types of DRP and BCP Tests
As mentioned above, DRP and BCP should be tested annually. Six of the most common types of tests are as follows:
- Plan review: This is the most basic type of test where gaps are identified through a thorough review of the documented plan.
- Tabletop exercise: A simulated exercise is held with key personnel to discuss and walk through a hypothetical scenario.
- Walkthrough test: A physical walkthrough is conducted, including the steps taken to access backup systems and data.
- Simulation test: A specific disaster scenario is chosen to partially or fully activate the DRP to evaluate the effectiveness.
- Parallel test: The recovery environment is brought online alongside the production environment to test the effectiveness of the DRP.
- Full interruption test: This is the most comprehensive and disruptive test. The production environment is fully shut down and all operations are failed over to the recovery environment. This provides the closest simulation to a disruption.
By regularly testing DRP and BCP, organizations can ensure they are well-prepared to handle any disruption, minimize downtime, protect critical assets, and maintain business continuity.
The Role of Security Awareness Training
Addressing the Human Element
Learning from past incidents and adapting security measures to address new and evolving threats is a core component of an effective cyber resilience strategy, and security awareness training is a key part of it. Employees are an organization's greatest asset and often the weakest link in cybersecurity. Without proper training, they are more likely to fall victim to phishing scams, click on malicious links, or use weak passwords, leaving the organization vulnerable to attacks. A well-developed cybersecurity training program, built into the cyber resiliency strategy, can help mitigate those risks. Consistent training that adapts to the current threat landscape should be delivered to all employees, temps, and contractors.
Building a Strong Foundation for Cyber Resilience
Cyber resilience in any industry is of critical importance in a world where cybersecurity attacks are becoming more and more common. By taking a proactive and comprehensive approach rather than a reactive one, organizations can build a strong foundation for cyber resilience and ensure business continuity in the face of evolving cyber threats. Organizations with strong cyber resilience are also more likely to attract customers and partners.
Johnson Lambert’s Expertise in Cyber Resilience
Organizations may not have the resources or time to effectively implement a comprehensive cyber resilience strategy. At Johnson Lambert, our business advisory services team has years of experience working with organizations to develop policies and procedures, business continuity plans, and disaster recovery plans, and to evaluate the effectiveness of their cyber resilience posture. Our team has worked with different states' departments of insurance on regulatory exams. Additionally, we evaluate cyber resilience strategies against frameworks such as the NIST Cybersecurity Framework 2.0 and 23 NYCRR 500. Do you have questions about your cyber resilience plan? Contact us today.