A cyber-disaster plan must not only be designed to keep an organisation or business functioning in the wake of a cyber-attack, but it also must be practiced regularly in order to be fully effective, according to the members of the Disaster Planning Cybersecurity Style panel at the RiskSecNY conference today.
The panel, composed of retired USAF Colonel Cedric Leighton, chairman of Cedric Leighton Associates; Chere McGuire, group CISO, Standard Chartered Banks; and Devon Brown, executive VP and CISO, The Federal Reserve System, noted that any plan had to include a business-continuity contingency, a way to keep everyone in the loop, and important decisions made in advance.
“You need to have a business continuity plan in place to not only understand what is happening, but also to recover,” said Leighton.
Bryan agreed, adding that the Federal Reserve's plan is built around resiliency and its ability to continue operating even when its systems have been degraded by a cyber-attack. To achieve this, he recommended that companies adopt a 3-2-1 backup plan: three separate copies of the data, stored on two different media, with at least one copy stored offsite.
McGuire added that while most plans cover what the company's first responders will do, they must also include a way to keep everyone, from the board of directors to public relations to the firm's cyber-insurance company, informed as the event unfolds.
Any plan should also include decisions made in advance on questions such as whether a ransom will be paid.
“You need to decide whether to pay a ransom ahead of time as you don't want to have to make it on the fly while it [the attack] is happening,” McGuire told the audience, adding company leaders should be consulted on the amount of financial pain a company is willing to absorb.