Transcript
We're now going to turn a page and kind of wrap up the show with a playbook of some best practices. And again, if you download the full report, you'll see a lot more of these insights, but just to give you a little teaser, again, what we were trying to do is balance organizations that successfully recovered versus those that struggled and what did the successful ones do differently. So, on the recovery side, they verified and checked regularly. Earlier somebody mentioned consistency is key. That is proved positive in this set of stats. Ensure backup copies are clean prior to restore. That part of it is huge. The only way you can successfully recover is if you're not going to reinfect the whole environment after you have contained. Alternate, have alternate infrastructure arrangements, so said differently, that 32110 rule. Have something off-site, have it in a different media. And you need to have some sort of containment or isolation plan in place. Edwin, any kind of color commentary you want to add here on the recovery side? Yeah, if you look through all those numbers on the screen, it's about, it's highlighting our 32110 rule because there's three copies of data, two different media, one is off-site, one is offline immutable or air-gapped, or better said, all three all together. And the last one, that's the most important one, it's the zero, it's the testing. So having that backup on immutable storage, somewhere stored, give someone else the keys, pay them for it, make sure it's safe, but also test your backups. And by testing your backups, that means that you know, okay, I have a copy where we can go from. And then the next step will be, okay, hold on, we have a copy, we can go, but hey, just thinking about going to the cloud without a contract, without any skeleton network infrastructure will open you up within 10 minutes for another attack. So think up ahead, okay, design for recovery, what are you going to do to deploy? Because if it's in your data center, you ask law enforcement, they will come in and they will put a ribbon around it, hey, police line, do not cross because this is a crime scene, you're not allowed to touch your own hardware anymore in your own data center. Think about that strategy. And that's about planning ahead. That's all about the proactive strategies, but also have an incident response plan. And make sure that it's not on your infrastructure, because I've seen too many times that people call me like, hey, you do a review of our incident response plan, can you please ship that copy back? Yeah, but I just started. Yeah, but you have the only living copy, because the rest is all encrypted, because they're all on the same infrastructure. So make sure that somewhere else even print it out. That's the whole point. And that's why I see all those numbers on the screen. Yeah, that's why people are successful in recovering, just follow best practices. Follow the best practices. And again, we have a lot of really great content and frameworks to help you with those best practices. I think also taking a look at the other side of the house is key. So what does, you know, within the CISO organization, what do some of these best practices look like? Again, we talked a lot about that accountability piece. We also talked a bit about training and awareness, or specifically, as Courtney mentioned, what that culture change can look like. Not just awareness or enablement, but changing the culture. Something else we thought was really interesting, only 26% of organizations have a determined plan for whether or not they'll pay the ransom, notify law enforcement, etc. We spent a lot of time with the COVR team, they have some very strong feelings on this. If you want to learn more about how to have a predefined strategy, take a look back at some of our older Industry Insights episodes, we had a whole cyber incident response series where we went step by step through that process and talked a bit about some of those best practices. And Courtney, I think one that I wanted to call you in on specifically is the chain of command piece of this. So an in-plan place that ensures proper authorization ladders and approvals for critical decisions. How important is that piece of it, right? Especially when you're in an active incident response, how important is it to have that chain of command? It's critical. And, you know, we've been working a lot internally about refining our crisis management approach and ensuring, back to the comments that Edwin made earlier around legal involvement and things of that nature, it's a broader team than just security. So ensuring that we have the right escalation paths, the right crisis management team in place, and we have these right monitoring, back to the GRC concept, so that we know what controls are the most secure and we can react effectively to the ones that are most at risk. And so, again, it goes to prioritization. It's having the right people at the table, but also prioritizing according to what we know from our own self-monitoring. And I think that those, they can't work without each other.
