
Data Resiliency: A Key Component of Any Incident Response Plan

With the cost of a cyber incident continuing to climb¹, no company can afford to be without an incident response (IR) plan. And no IR plan should be without a data resiliency component.

At a high level, an IR plan is a set of procedures intended to help organizations respond to cyberattacks and reduce collateral damage, which can range from harm to a company’s brand reputation, stock price, or revenue stream to potential litigation and lawsuits.

By including data resiliency as part of a formal response procedure, organizations can help ensure a coordinated and comprehensive approach to withstanding or mitigating incidents that affect data systems and operations. Specifically, data resiliency can include measures to facilitate data recovery and system restoration in the event of a disruption as well as prevent data loss and disruptions altogether.

Data resiliency is a spectrum 

Organizations can implement multiple levels of data resiliency according to their unique needs. At the lower end of the spectrum, there are basic data resiliency measures, such as creating regular backups and storing them in a single location. These can help protect against data loss or corruption but are often insufficient in the event of a major disaster or attack.

At the opposite end of the spectrum are more advanced data resiliency measures, such as replication of data across multiple servers or storage devices, implementation of redundancy and failover mechanisms, and development of robust disaster recovery plans. Not only do these measures provide greater protection against data loss and corruption, but more importantly, they can also help ensure access to accurate and up-to-date copies of data even in the face of significant challenges.

Ultimately, the level of data resiliency an organization needs will depend on its specific requirements, the criticality of its data, and the nature of its business and relevant risks. Organizations should assess their data resiliency needs and implement measures accordingly.

Look to established frameworks for more ideas

Institutes like SANS and NIST have developed IR frameworks that provide guidance and key steps for bolstering defenses and managing incidents. While similar, the two frameworks differ in subtle ways, as detailed in this table. Choose the one that best suits your needs or create your own unique framework for your business.

SANS Incident Response Steps 

Step #1: Preparation: Organizations should identify critical data assets and develop a data backup and recovery plan to ensure data resiliency in case of an incident. This includes identifying backup strategies, backup frequency, data retention policies, and testing the effectiveness of the backup and recovery plan.

Step #2: Detection and Analysis: Data resiliency includes organizations having the necessary tools and data to detect and analyze an incident. For example, data backups that have the appropriate level of logging enabled can help organizations identify when an incident occurred, what data was affected, and how it was compromised. This information is invaluable when it comes to developing an effective response plan.

Step #3: Containment, Eradication and Recovery: Data resiliency helps ensure that the organization can restore systems and data to their pre-incident state. Data backups can help organizations recover critical data and systems quickly, minimizing the impact of the incident. Organizations must also test their backup and recovery plan to help ensure its efficacy.

Step #4: Post-Incident Activity: In this phase, data resiliency helps ensure that the organization understands and can act on what it learned from the incident (e.g., root cause analysis, gaps that led to the incident, deficiency in controls, and other incident-contributing factors) to improve its IR process. Organizations should also review their backup and recovery process post-incident to identify any areas that were lacking prior to the incident and need improvement, such as backup frequency, data retention policies, or testing procedures. They should also review any incident reports or data analysis to identify any gaps in their data resiliency strategy.

NIST Incident Response Steps

Step #1: Preparation: Organizations should identify critical data assets and develop a data backup and recovery plan to ensure data resiliency in case of an incident. This includes identifying backup strategies, backup frequency, data retention policies, and testing the effectiveness of the backup and recovery plan.

Step #2: Identification: In this phase, data resiliency is critical for understanding the extent and impact of the incident. Data backups can help identify the systems and data affected by the incident and assist in identifying its root cause.

Step #3: Containment: Data resiliency is necessary to help ensure the incident does not spread to other systems and data. Backups can provide a means of restoring critical systems and data to a pre-incident state while minimizing the impact on business operations.

Step #4: Eradication: Here, data resiliency can help ensure that the incident is completely eradicated from the organization’s systems and data. Backups can provide a means of restoring clean data to the organization’s systems, minimizing the risk of re-infection.

Step #5: Recovery: Data resiliency is key to restoring the organization’s systems and data to a pre-incident state. It’s important to have a comprehensive data recovery plan in place, which includes testing the effectiveness of backups and ensuring that backup data is readily available for recovery.

Step #6: Lessons Learned: In this phase, data resiliency is critical to identifying ways to improve the IR plan. Organizations should review their backup and recovery procedures, including testing procedures and backup frequency, to improve effectiveness and efficiency.

 

¹ “Cost of a Data Breach Report 2023,” IBM Security.
