July 02, 2021
Tech Beats: How to Start Building Cyber Resilience with Tools You Already Use
Tech Beats is a series on Datto’s MSP Beat blog that features insights from the technical minds on the Datto team. In this series, you’ll find how-tos, product details, and more. In this article, you’ll hear from Chandler Fulton, a Solutions Engineer at Datto who brings a rich technical background from working at a managed service provider as a technician and project engineer, and from information security and business continuity roles in the financial services sector.
You may have heard the term “cyber resilience” around the IT channel as of late but may not know what it is, much less how to get started with it. A close cousin to cybersecurity, cyber resilience takes the “get a good lock on your doors” approach several steps further and begins with the assumption that eventually, bad actors will get in and compromise your or your clients' networks.
While it sounds defeatist, it’s a powerful way to start building controls and security measures because you start looking at what you can do to mitigate the effects of these compromises and breaches proactively, rather than spending time flustered because your security controls didn’t keep them out at all. In addition, rather than putting all of your eggs in the basket of “security,” you’ve diversified your security stance by investing in training for your technicians and clients, documenting processes and plans ahead of time, and ensuring your technology is ready for recovery.
With security breaches prominently filling news headlines and several new flavors of ransomware coming out every week, managed service providers (MSPs) are facing increased demand from their clients to step up their security and resilience.
At the risk of spreading FUD, the truth is that you will eventually have a compromised client, whether it’s through ransomware, becoming the latest recruit to a botnet, or having data stolen. At the end of the day, even if it’s not your fault that your client got breached, it can still reflect poorly on you in their eyes and could potentially cost you business.
How to build cyber resilience
While all of the tools above are vital to a security strategy focused on the Defense In Depth concept and should still be used, there are several tools and practices you already use that can be employed in an effective cyber resilience program not only to increase your security and resilience but also to add value to your offerings to clients.
First of all, backups themselves are crucial to building resilience. After all, when a compromise occurs (and remember, we’re assuming it will), what tools do you have to remediate events such as malicious data deletion, destroyed servers, or even having your data stolen and held ransom? The answer, of course, is a secure, offsite, uncorrupted, tested backup of your environment (you are testing your backups, right?).
Suppose you have image-based backups of your servers, backups of your network configurations, and the process to restore them all safely documented. If you don’t have anything that the malicious actors can hold hostage, you are safe even if you become compromised. You can resume business operations while hopefully also remediating the issue that caused the compromise in the first place. You don’t have to pay any ransom, and you certainly don’t have to pray that the decryption key the attackers give you actually works.
However, even if your data can’t be held hostage or stolen, your time certainly can be, which can be just as devastating for a small business. It takes time and effort to restore those backups and get everything back to running normally, which is why another important part of resilience is your business continuity plan (BCP).
At its core, a BCP is what you will do to mitigate the downtime that disruptions inevitably cause, and work within pre-established recovery time objectives (RTO) to restore servers and data to an acceptable recovery point objective (RPO). This is most commonly a technology-based solution to keep your critical servers up and running through either high-availability services or a BCDR appliance that can quickly spin up virtual machines of your production infrastructure following a failure. BCPs can also encompass planning for redundancies at all levels of the business, including but not limited to:
- Planning for a secondary work site if your primary worksite is unavailable (even if that worksite is the employees’ homes)
- Cross-training as many employees as possible on critical business processes
- Having secondary vendors lined up for essential parts/services
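The two checks the article keeps returning to, "are you actually testing your backups?" and "does the backup you have meet the RPO you promised?", are simple enough to automate. The following is an added example written for this article, not code from Datto or from any Datto product. It builds a small constructed backup (a switch config and a database dump), records a manifest of SHA-256 hashes and the time the backup was taken, then performs a scratch restore and compares every restored file against the manifest, and separately checks the backup's age against an RPO expressed in hours. The manifest format, file names and RPO value are assumptions for illustration.

```python
"""
Added example (not part of the original article): a minimal backup restore
test plus an RPO check. Paths, manifest layout and the sample files are
constructed for illustration only.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large backup images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: str, taken_at: datetime) -> str:
    """Record the hash of every file in the backup and when it was taken.
    The manifest lives beside the backup, not inside it, so it is not walked."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            full = os.path.join(root, name)
            files[os.path.relpath(full, backup_dir)] = sha256_of(full)
    path = backup_dir + ".manifest.json"
    with open(path, "w") as f:
        json.dump({"taken_at": taken_at.isoformat(), "files": files}, f)
    return path


def restore_test(backup_dir: str, manifest_path: str) -> list:
    """Restore into a scratch directory and return the files that fail to verify
    (missing after restore, or hash differs from the manifest). [] means the
    backup restores cleanly."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        target = os.path.join(scratch, "restored")
        shutil.copytree(backup_dir, target)
        bad = []
        for rel, expected in manifest["files"].items():
            restored = os.path.join(target, rel)
            if not os.path.exists(restored) or sha256_of(restored) != expected:
                bad.append(rel)
        return sorted(bad)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def rpo_met(manifest_path: str, rpo_hours: float, now_iso: str = None) -> bool:
    """True if the backup is no older than the RPO. now_iso lets a test pin the
    clock; by default the current UTC time is used."""
    with open(manifest_path) as f:
        taken_at = datetime.fromisoformat(json.load(f)["taken_at"])
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return now - taken_at <= timedelta(hours=rpo_hours)


def corrupt(backup_dir: str, rel: str) -> None:
    """Simulate silent corruption of one file in the backup copy."""
    with open(os.path.join(backup_dir, rel), "ab") as f:
        f.write(b"\x00corrupted\n")


def make_sample_backup() -> tuple:
    """Constructed sample backup: a network config and a DB dump taken 'now'."""
    base = tempfile.mkdtemp(prefix="backup-")
    os.makedirs(os.path.join(base, "config"))
    with open(os.path.join(base, "config", "switch.cfg"), "w") as f:
        f.write("hostname core-sw\n")  # constructed sample content
    with open(os.path.join(base, "db.dump"), "w") as f:
        f.write("-- constructed sample dump\n")
    manifest = write_manifest(base, datetime.now(timezone.utc))
    return base, manifest


if __name__ == "__main__":
    backup, manifest = make_sample_backup()
    print("failed files:", restore_test(backup, manifest))          # []
    corrupt(backup, "db.dump")
    print("failed files:", restore_test(backup, manifest))          # ['db.dump']
    print("4h RPO met:", rpo_met(manifest, 4))                      # True
```

The point of the scratch restore rather than hashing the backup in place is that it exercises the same path a real recovery would take: if the copy fails, or a file that the manifest says should exist is missing, that surfaces during the test and not during the incident. Run the same check against the offsite copy, since that is the one you will be restoring from after a compromise.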
While you may not technically have a BCP in place right now, chances are you are roughly aware of the steps that would need to be taken to resume business following a disaster or even a disruption at your client’s site. The one thing that’s probably keeping you from having this is simply writing it down so that your technicians and even your client can fully understand what recovery looks like.
This also gives you the opportunity to revise the plan if the recovery timeframe you’ve documented doesn’t work for them. With sound BC practices, regardless of what they turn out to be, you’ve now built resilience even further because you have the confidence that your time to recover can’t be held hostage either.
The final piece of cyber resilience you may already be doing (and is relatively easy to implement if you’re not already) is disaster recovery testing. If you’re able to, run a client through an actual exercise of your BC and DR plans for them, whether that’s virtualizing everything on a local BDR server, switching over to another part of a high-availability cluster, or running the business on pen and paper (not recommended!). It can be an enlightening exercise for all parties involved, because it verifies that the recovery time, recovery points, and final recovery state you’ve determined are actually realistic to work in.
The issue you might run into here is that doing a full-blown disaster recovery test can be expensive. Depending on your recovery model and the services you’re using, you might incur a massive charge. In this case, you can easily do a Tabletop Exercise of your BCP and simply run through a hypothetical scenario with key leaders and experts involved in the recovery process. The worst time to find out there’s a specific configuration your environment needs in order to work in a recovery state is while you are executing a recovery; you need to be aware of those details in advance, when you have more time to remediate them.
Many factors contribute to a robust cyber resilience program. Hopefully, this has demystified what the term means and has put some goals into easy reach for you in a world where security is at the forefront of everyone’s mind. Cyber resilience doesn’t have to be complicated. While getting breached sounds scary, having several layers of protection and mitigation from these attacks is invaluable to keeping your business running and keeping your clients profitable and happy.
If you’re interested in how Datto can help you build cyber resilience with local virtualization appliances and free quarterly DR testing, chat with a Solutions Engineer to learn more.