Disaster recovery: What's missing in your cyber emergency response?
Most cybersecurity initiatives center around defending against ransomware, preventing phishing-related breaches and adding multiple layers of security. These are vital areas. But there’s another area that could prove just as effective but isn’t getting the attention it deserves — disaster recovery.
According to Christopher Tarantino, CEO of Epicenter Innovation, disaster recovery preparation, remediation, and post-event rebuilding and improvement are great opportunities to strengthen your overall security posture.
He has a background in emergency response and has worked closely with organizations like FEMA, Cisco and Google, and he believes the emergency response mindset easily carries over into the security arena.
“No matter if it’s a natural disaster, a terrorist attack or something happening in the cybersecurity realm, we use a very similar set of tools and frameworks to resolve the situation,” Tarantino said on the Cyber Work Podcast.
What is cyber resilience?
Tarantino said that resilience is a vital concept to grasp. Most people think resilience is bouncing back after a disaster, but it should also incorporate bouncing forward regardless of the incident. That means finding ways to innovate with technology or processes to prevent repeat occurrences — and encompassing human-centered resilience. After all, human error is involved in nearly three out of four data breaches.
Take the case of emergency management in a university in upstate New York that involved the IT and systems engineering realm. As Tarantino explained, the institution had no emergency manager and a cybersecurity emergency response plan that was likely copied from another college.
A threat and hazard identification and risk assessment was done to examine natural disasters, past frequency, historical data, and campus safety and security-related incidents over the last few years.
Missing elements came up immediately. On the cybersecurity front, it became clear:
- The university’s state and DoD contract work needed improved cybersecurity defenses and sandboxes for new contractors
- Servers needed better physical security
- Stronger communication channels were needed between the IT department and the emergency management folks
“It is best to focus on culture change as a foundational element,” Tarantino said. “The IT folks can learn from emergency managers, and the emergency managers can learn from IT. By putting them together and bringing them through a training and exercise plan, we can build connectivity and make sure that everyone’s on the same page.”
Barriers to cybersecurity resilience
One of the biggest barriers to resiliency is an idea common to many people — it won’t happen to me. Even in cybersecurity, people look at statistics of rampant ransomware, billions paid in business email compromise (BEC) scams and the rise in data breaches and still believe it will happen to the other guy, but not them.
“If we don’t address the human propensity to not believe that it could happen to them, it doesn’t matter what systems we put in place,” Tarantino said. “It doesn’t matter how prepared the entity may be, or how much of an investment the organization makes in their level of preparedness or resilience, because the people aren’t going to be ready, and they’re not going to believe that they can be a victim.”
This is an important task for cybersecurity personnel. They need to improve their level of communication to build that understanding and buy-in throughout the organization. That means keeping people informed about what’s happening and making other efforts to humanize the cybersecurity “brand.”
“You have to sell the idea of being prepared or building resilience or securing your laptop — whatever it may be. You have to find ways to sell that concept to the individual so they will decide to follow your directions or policies,” Tarantino said.
Importance of selling your security policy
Tarantino encourages cybersecurity professionals to expand their skillsets, particularly their cybersecurity soft skills. These are vital for selling the value of following security policy and building a culture of security.
“It is important to understand people and their habits, what motivates them and how they think so you can figure out why a 50-something admin in your office refuses to use a password manager, even though you know it will be easier on them,” Tarantino said. “You must be able to empathize with that person and know what communications methodology and approach is going to work best for specific individuals.”
Instead of simply trying to enforce compliance in areas like password managers, there may be more effective approaches. One is showing the person your password manager, how it’s set up and how easy it is. Another is engaging a coworker in their department whom they respect and who is a security champion.
Those little things can go a long way toward growing your security culture.
For more, listen to the full episode of the Cyber Work Podcast with Christopher Tarantino.