Recovery from security breaches

When a security breach has already occurred, the organisation operates too late from the perspective of risk management. The situation must be brought under control quickly so that the organisation can recover as quickly as possible and get to its target state – be it normal, better than before or another desired level.

Recovery is a key part of risk management. Good ways to manage residual risks include

• recovery planning
• regular recovery exercises and
• testing.

The disaster recovery plan must be tested regularly and the processes mentioned in it must be practised. For example, if the backup copies of an information system are considered critical to an organisation’s operations, the organisation must

• regularly test the functionality of the backups
• practise using the backups, and
• improve the quality of backups
• consider how often the backups should be taken
• ensure that an identified risk does not also concern backups.

The disaster recovery plan must also outline internal and external communications during the recovery. Good, timely and targeted communications support recovery and risk management.

Processes are not forever. As the digital operating environment is constantly evolving, changes may require an update of the organisation’s protection processes.

Changes may occur, for example, in the organisation’s

• operations
• stakeholders
• tools, or
• systems.

The digital operating environment, cybercrime and tools are constantly evolving, so it is necessary to develop both protection processes and competence. Outdated process flowcharts do not benefit the organisation if a risk materialises.

Even if the change does not require changes to the protection processes, document the observation. This way, your organisation will know that you have considered the need to change from time to time.

Make the recovery a comprehensive timeline and a memorandum in which you record the following:

1. what has been done and when
2. what kind of resources have been utilised, and
3. what kind of impacts and events were observed.

Analyse this data to streamline and accelerate your organisation’s protection processes.

For example, during the coronavirus pandemic, a lot of data was collected on how the organisation’s operational culture could be changed quickly in a very short time.

You can justify the importance of the financial resources used for digital security and needed for it in the future using the evidence obtained by measuring.

The indicators can also be used

• to enforce the obligation to demonstrate (for example, in relation with the requirements of the General Data Protection Regulation) and
• in the event of a disruption (to indicate resources for digital security and the monitoring of resources and their controlled development).

Taking safety and security into account in all activities is the starting point for a strong culture of digital security. A good digital security culture does just mean having the right reaction to a disruption or high-quality recovery, but a strong safety culture can also help your organisation develop its operations.

The organisation’s operations during normal conditions and disruptions and the operating culture of the entire organisation must be developed systematically and regularly.

Your organisation’s resilience, risk appetite and capability are built in normal conditions. In the event of a disruption, a strong safety culture will benefit your organisation in both recovery and operational improvement.

For example, AI might bring significant change requirements and need to develop the expertise of your organisation’s specialists or change the expectations of customers. Prepare for changes in advance so that you can respond to the need to change in a controlled and systematic manner. Preparing in advance is often more cost-effective than unplanned reactions.