Recent high-profile data breaches and ransomware attacks demonstrate the inevitability of cyber-attacks. If prevention is not possible, what is?

Cyber-attacks have increased in magnitude and frequency since the onset of the COVID-19 pandemic.

In April 2021, Singapore’s e2i (Employment and Employability Institute), the job and training arm of the National Trades Union Congress (NTUC), found itself at the mercy of a malware attack.

In May 2021, global insurer AXA saw their Asian division faced with ransomware.

Even more recently, we see more government organizations and large regional entities suffering at the hands of malicious cyber-attackers. Names linked to cyber-attacks such as McDonald’s, LinkedIn, Volkswagen and Kaseya should be familiar by now.

These recent high-profile breaches have made IT and business leaders wary of the security vulnerabilities of IT systems. While it was once said it’s not a matter of ‘if’ but ‘when’ an organization will be attacked, today’s cybersecurity mantra says it’s no longer a matter of when you will be attacked – but how.

The assumption is that no business, big or small, is immune. The focus is no longer prevention, but resilience in the face of inevitable attacks.

CybersecAsia caught up with Ryan Weeks, Chief Information Security Officer, Datto, for some quick insights into cyber-resilience and the inevitability of cyber-attacks.

Cyber-attacks have increased in magnitude and frequency since 2020 with the onset of the pandemic. If prevention is not totally possible, what should be the mitigating strategy? 

Weeks: Cyber-resilience is the strategy – there needs to be broad acknowledgement that a breach will occur despite our best effort to prevent it. 

When we assume a breach, we start to focus more on the people and processes we have that help us detect breaches, respond to them in a timely manner and ultimately recover from them with as minimal an impact as possible. 

How should organizations in Asia Pacific move towards achieving cyber-resilience to mitigate the evolving threats and risks?

Weeks: I highly recommend adopting a security framework that you can do a benchmark or gap analysis against. To get started quickly, look at CIS Controls v8 Implementation Group 1. For more comprehensive analysis, leverage something like the NIST Cybersecurity Framework (CSF).

Both of those frameworks help build out the capabilities that are needed to detect, respond and recover from breaches. 

If you’re struggling to get started, bring in an external assessor to help you walk through the assessment and prioritize actions against your gaps.

What is the role of Business Continuity and Disaster Recovery (BCDR) in cyber-resilience?

Weeks: Cyber-resilience is achieved when a quality cybersecurity program intersects with strong incident response, and BCDR readiness.

You cannot be truly cyber-resilient if you do not have effective BCDR planning, testing and readiness. You are resilient when you are prepared for continuity incidents, which include ransomware incidents, and are able to execute those plans effectively and expeditiously. 

Being resilient also includes preparing for scenarios outside of ransomware incidents where infrastructures that businesses rely on are taken out, due to various possibilities such as an extended power or internet outage.

How should organizations solidify their last line of defence through backup and recovery?

Weeks: To be cyber-resilient, you must have the ability to recover your environment. Often that means restoring systems and data to a point that business can resume operations and to do so within an amount of time that limits losses. That means that you need copies of your data and systems that you can recover quickly. If you do not have an effective backup and recovery strategy that is tested, then you are not cyber-resilient. 

To ensure your backup and recovery processes are ready to help your resilience, make sure you follow the 3-2-1 backup rule, at a minimum, and frequently test your backups for integrity and measure your time to recover.

The 3-2-1 rule says that you should have three copies of your data, in at least two different physical locations, where one of those locations is a backup cloud, which is ideally immutable, meaning it is resistant to modification or destruction by a threat actor.
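
The 3-2-1 rule, the integrity testing and the time-to-recover measurement described above can all be checked mechanically. The sketch below is an added illustration, not code from the interview or from Datto; the inventory format, the function names, the recovery-time target and the file copy standing in for a real restore are assumptions.

```python
import hashlib, shutil, tempfile, time
from pathlib import Path

def sha256_of(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_321(copies):
    """List gaps against the 3-2-1 rule; a copy is {"location", "cloud", "immutable"}."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than three copies")
    if len({c["location"] for c in copies}) < 2:
        gaps.append("fewer than two physical locations")
    cloud = [c for c in copies if c["cloud"]]
    if not cloud:
        gaps.append("no copy in a backup cloud")
    elif not any(c["immutable"] for c in cloud):
        gaps.append("cloud copy is not immutable (recommended)")
    return gaps

def restore_test(backup_path, expected_sha256, rto_seconds):
    """Restore one backup file to scratch space, verify it, and time the whole run."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / Path(backup_path).name
        shutil.copyfile(backup_path, restored)  # stand-in for the real restore step
        intact = sha256_of(restored) == expected_sha256
    elapsed = time.monotonic() - start
    return {"intact": intact, "seconds": elapsed, "within_rto": intact and elapsed <= rto_seconds}

if __name__ == "__main__":
    # Constructed inventory and data, for illustration only.
    inventory = [
        {"location": "office", "cloud": False, "immutable": False},
        {"location": "office", "cloud": False, "immutable": False},
        {"location": "cloud-region", "cloud": True, "immutable": False},
    ]
    print("3-2-1 gaps:", check_321(inventory))
    with tempfile.TemporaryDirectory() as d:
        backup = Path(d) / "db.bak"
        backup.write_bytes(b"constructed sample data" * 1000)
        digest = sha256_of(backup)       # recorded when the backup was taken
        backup.write_bytes(b"tampered")  # simulate corruption of the stored copy
        print(restore_test(backup, digest, rto_seconds=60))
```

The digest must be recorded at backup time and stored separately from the backup itself, otherwise whoever alters the copy can alter the reference value too.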