Business continuity and disaster recovery in the hack economy

Modeen Malick, Commvault.

They say that there are two types of organisations: those that know they've been hacked and those that have been hacked and don't know about it yet.

All too often, SMEs assume that because they're small, they're of little interest to cybercriminals. On the opposite end of the spectrum, larger enterprises believe that they have the necessary expertise and security procedures in place to safeguard their business against sinister characters.

This situation is made worse by the fact that cyber attacks are not only increasing in frequency, they are also maturing at an exceptionally rapid rate.

PwC's Global Economic Crime Survey revealed that close to a third of SA organisations have experienced cybercrime and, according to Michael Davies, CEO at ContinuitySA, this number is growing rapidly. And, to make matters worse, Davies notes that it takes an average of 205 days for a hack to be detected, according to Gartner research.

The conundrum many business leaders face is that they desperately want to increase efficiencies, but they need to do so without upping their risks, says Dax Data CEO, Jeremy Matthews. South Africans still underestimate the presence of advanced threats and the impact an attack can have on a business. He points out that the industry is increasingly seeing countries from Africa topping the list of most targeted regions. A recent cybersecurity report cited Algeria, Egypt and South Africa as some of the top ten most targeted regions.

Which is why business continuity and disaster recovery have become so important.

In today's information-driven world, uptime and having the ability to function as usual no matter what has become a non-negotiable, says Heino Gevers, a cyber resilience expert at Mimecast. Not only do employees have zero tolerance when it comes to downtime, customers are incredibly unforgiving when the services they want to access are unavailable.

Looking to the future

Expecting an enterprise to separate itself from the internet and any form of digital connectivity is simply unrealistic, notes Modeen Malick, a senior systems engineer for MESAT at Commvault for SA. An immediate, practical step to safeguard a business against future threats is to put in place better policies and processes. These procedures should be engrained in the business and must be flexible enough to handle a threat landscape that is constantly mutating.

Says Davies: "It is vital to bake resilience into the company's way of doing things; that way, it is better able to respond and, more importantly, recover from any disaster."

There is no such thing as 100% security, says Dragan Petkovic, Oracle's ECMEA security product leader. He believes that the most prudent measure businesses can take is to employ user and entity behaviour analytics, which are designed to pick up anomalies. Petkovic also cites automation as a significant business continuity and disaster recovery asset as it encrypts data, runs security updates and makes required changes with little to no downtime, providing seamless, fuss-free protection.


Improving an organisation's IT management, monitoring, and reporting lets businesses know what they don't know and enables them to get the basics right, notes AltoAfrica CTO, Oliver Potgieter. By asking questions about antivirus installations, patching and software updates, businesses will have a better handle on where they stand. "The downfall in security almost always comes at the user endpoint, when something you thought was in place wasn't done due to human error or oversight."

As organisations increasingly acknowledge the importance of putting preventative measures in place, Iniel Dreyer, MD at Gabsten Technologies, advises that they don't forget one, often overlooked, yet important, factor. It's a factor that is critical in the age of mobility. According to Gabsten, it may be important to focus on threats entering the business, but it is equally valuable for business and IT to take heed of what is leaving the organisation.

An emerging trend to circumvent cybersecurity measures is for syndicates to strategically place people within a business in order to access their data, Dreyer points out. This, coupled with the existing threat of disgruntled or uninformed employees intentionally or accidentally compromising a business' data, means that businesses must be proactive in monitoring data activity within the business, while also checking what data leaves, too.

"I think it's less about how bad the landscape is, and more about how quickly organisations can recover," says Malick. Modern organisations need to prepare for the worst and ensure they are protected by keeping pace with international cybercrime activities and then viewing these incidents as lessons they can use to prevent attacks before they even happen.

Some must-haves for BC&DR

What do you think should be included in any solid business continuity plan?

One of the simplest ways to create the right business continuity and disaster recovery plan is to make a short list of the services your business needs to operate each day and then determine how long you can be without each, says Potgieter. As part of your plan, include a solid outline for what methods you will use to communicate issues with your customers and don't forget about what channels of communication must be open so that your customers have no trouble communicating with you.


Any solid business continuity plan begins with a comprehensive business impact assessment - you have to understand the relative importance of each component of your business in order to allocate budget and resources effectively, notes Davies. In addition to this, it is a must to incorporate everything from protecting the perimeter to detecting intrusions as part of your strategy. Businesses must also have procedures in place to adequately respond once a breach has occurred and then follow the necessary processes to restore normal functioning as quickly and with as little disruption as possible.

What are some of the top challenges businesses face when it comes to business continuity and disaster recovery planning?

All of the respondents agree that getting top business decision-makers to champion business continuity and disaster recovery efforts is an absolute must. Generally, this lack of commitment stems from a limitation in understanding of the technology that enables business continuity and disaster recovery, Matthews states.

Often, technologies and associated back-up plans are still considered 'grudge purchases' and aren't given enough budget until a disaster actually occurs, says Dreyer. But business leaders should consider their options. For example, cloud solutions and managed services offerings allow businesses to put the necessary contingency plans in place without having to make any massive capital investments.

Another issue for modern organisations is the fact that disaster recovery and business continuity have become so complex that these functions have actually become a separate discipline, with dedicated staff and specialised titles, Matthews continues. By making use of some of the advanced technologies we see today, organisations can eliminate the complexities around business continuity and disaster recovery. And these easy-to-use and easy-to-deploy disaster recovery solutions don't require specialised training or advanced technical expertise.

And it's all very well to have a strategy laid out, but if that strategy isn't updated as the business changes, and as technologies evolve, the company could be caught out in times of disaster, notes Malick. Maintaining these strategies and plans - and testing them regularly - may be a challenge, but it is one that needs to be constantly addressed.

Do businesses need a disaster recovery team and who should be part of this team?

Lines of business differ and so do the repercussions facing different stakeholders, says Petkovic. Every part of the organisation will be affected should an incident take place. This makes it crucial to have a business continuity and disaster recovery team with members from a range of departments. For example, a stakeholder from the finance team will understand the severity of cyber extortion and how detrimental it could be for the business' bottom line, whereas an HR stakeholder would be more concerned about the privacy of the information that was accessed and what sensitive information was lost.

Gevers shares this sentiment, stressing that different departments must be involved in the business' entire cyber resilience strategy from start to finish. "There's no point in only bringing in a full team after an attack has already taken place. This is not only an issue for the IT team."

Business continuity and disaster recovery - what's the difference?

Simply put - the one is proactive, the other reactive; as such, disaster recovery and business continuity are essentially two sides of the same coin.

Disaster recovery involves the process of resuming operations after an incident like a security breach or a natural event such as a fire or earthquake has occurred. Business continuity, on the other hand, is about being able to continue with business as usual when an attack or an event that causes downtime takes place. So, when an incident occurs, organisations need business continuity solutions to ensure they can continue to communicate and operate effectively and then they will implement their disaster recovery plans to come back from the attack.

"Although many businesses tend to label both under the same practice, a business continuity strategy allows people within an organisation to access all business applications, plans and processes, whereas the DR plan ensures that those applications are made available," says Gabsten Technologies' Iniel Dreyer.

Businesses need both; having one or the other is not enough.

This article was first published in the June 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.
