Cyber Attack Disaster Recovery: How Much Time Can Your Small Business Afford To Lose?
Small Business
Owning and operating a small business is one of the quintessential elements of the American Dream for so many driven individuals. It starts with an idea and is made a reality through hard work and dedication to said idea. There are so many things to take into consideration when it comes to owning a small business, and one that is often an afterthought is cybersecurity.
While some small business owners understand the need for cyber defenses, many are not adequately prepared, even if they are aware of its necessity. On top of this, many who do take the time to protect their precious digital data falsely believe that they have the capability to swiftly recover from a cyber attack, should one hit their business. 92% of small businesses believe they are equipped to handle a cyber attack and recover from it quickly, and yet do not have a plan in place to do so. Not only is a cyber attack itself an exhausting and draining thing to deal with, but the time it takes a business to recover from said attack is a crucial consideration often not taken into account. The downtime following an attack can mean significant losses in ability to serve customers, and ultimately a loss in business - how much time can your small business afford to lose following a cyber attack?
Creating a Disaster Recovery Plan For Your Business
Much of the false hope that small business owners have regarding recovering from a cyber attack is due to a lack of awareness of all that goes into this process. According to the CEO of Infrascale, Russell P. Reeder, the definition of what it means to be able to recover from a disaster is not consistent across the board and many businesses don't have a realistic grasp on how long it would take them to be back up and running as fully functional as they were prior to the attack. Reeder elaborates,"Make no mistake, if a business does not have a disaster recovery solution in place, or at the very least a solution to back up its data, there is no way it can get the data back from a data loss event." This is the most crucial step for protecting your business' data in the event of a cyber attack.
1) Ensure your business is equipped to identify a "disaster" - You cannot respond to a cyber attack if you don't recognize that one has hit your business. Before we can even begin to detail the creation of a disaster recovery plan, identifying a disaster is the first step. The average number of days for a business within a specific industry ranges from 287 days before realizing a breach has occurred in the entertainment industry versus the quickest industry to respond: the Research sect of the business world with 53 days to notice across the board. It has been found by this same study that those businesses with dedicated cyber teams are the fastest to identify a threat. Identification is the first step, next is responding as quickly as possible to the discovered threat.
2) Create and understand your business' Recovery Time Objectives (RTOs) - Sixteen percent of small businesses which were surveyed admitted to not knowing their business' Recovery Time Objectives, or RTOs. An RTO is the time period between the discovery of a cyber attack - the point in time when the business begins its recovery process - and the time when the business is back to normal, pre-attack operations. Small businesses are overly, even dangerously, optimistic about how long their RTOs will take; twenty-four percent of businesses expect to recover their data in less than 10 minutes after a cyber attack, with another 29% anticipating that a security incident can be handled fully within an hour. To better understand the significance of RTOs, it is important to understand the varying times that it takes small-to-medium sized businesses to recover from a cyber attack.
According to Cisco’s 2018 Security Capabilities Benchmark Study, 40% of medium-sized businesses (those with 250-499 employees) “experienced eight hours or more of system downtime due to a severe security breach in the past year.” For the average business, this is a full work day of missed business and operations. As of March of 2020, guidelines from the Federal Financial Institutions Examination Council (FFIEC) stated that firms impacted by cyber attack must come back from a disruptive cyber attack "within its maximum tolerable downtime." The FFIEC continues to say, "whether driven by customer expectations or technological advancement, previously established RTOs that were a few hours in duration may now require near real-time recovery. Therefore, it may be appropriate for management to reevaluate currently acceptable RTOs."
3) Use redundancy to reduce RTO for your businesss - While the goal for a company is to have low RTO - so as to get back to business as usual as quickly as possible - this requires action, time, and some money in order to get the business adequately prepared for such an event. This can be achieved in one of two ways, according to Reeder; either a company implements an infrastructure which is highly automated with many backups and redundancies, or the company invests in a pricey disaster recovery plan. Reeder says, "If you’re willing to trade just a little amount of time for cost, you can achieve a reasonable RTO with an affordable disaster recovery solution." This is the obvious choice for small businesses which usually do not have the excess funds available to throw at cybersecurity what ifs. This is the first of Reeder's options, with an emphasis on redundancy - implementing layers upon layers of protection for your company which serve the same function which can be utilized in the event of a loss to the primary system.
Data Breach Response Times
One of the cyber attacks which regularly targets small businesses is a data breach. Within a company's cybersecurity disaster recovery plan should be specific information on dealing with a data breach, as this is the most likely attack to hit a business. Quick data breach response times for small businesses are essential, as these firms are expected to defend the data their customers have entrusted the business with. This is where the term used above becomes essential - redundancy.
4) Prioritize your business' recovery plan - While cybersecurity itself can be an after thought for businesses, particularly smaller businesses with less accessibility to funds compared to their corporate counterparts, it is essential for your business to thrive. Not only are cyber defenses essential, but in case of a security event, a recovery plan in the only way to preserve your business' crucial data. Knowing and improving upon your RTO is the first step to a successful recovery plan, but it is also incredibly advantageous to prioritize your business' recovery plan; document, implement, and regularly update your business' recovery plan to ensure you are defending your employee, customer, and other important data against new cyber threats.
The longer it takes your business to recover from a cyber attack, the longer it takes you to conduct your business as is needed. Attempt to prevent downtime, even during an attack, by constantly backing up your company data to a separate, protected network other than your company operating network - redundancy, as mentioned above. This can make a world of difference in regards to lost business and time which would otherwise be detrimental for business.
5) Determine which systems need to be up and running first - Conducting a business impact analysis, or BIA, can help your company to determine which processes and systems will need to be saved or recovered following an attack first. These are those systems which are critical to the continued functioning of the business such as payment processing systems for consumer companies and customer data bases. When considering the disaster recovery plan, prioritize shortening the RTOs for these crucial systems to get your business operational.
6) Turn to the experts for help - If the worst happens and a cyber attack strikes your business and you have yet to create and/or strengthen your business' disaster recovery plan, try not to panic. Call upon local cybersecurity companies who have the ability to help your business in this time of need and help to lessen the amount of time your business is nonoperational and under attack.
