Two recent high-profile ransomware attacks are a perfect example of why it’s vital to not only have backup and recovery software but to also test a disaster recovery plan.
In May 2021, Colonial Pipeline and JBS, the world’s largest pork and beef producer, were hit with ransomware. Both suffered largescale outages for nearly a week, and both paid the attackers millions of dollars in ransom, continuing the attack cycle by giving the criminals what they wanted.
The companies reportedly had backups of their systems but ended up paying $4.4 million (Colonial) and $11 million (JBS) anyhow because they weren’t properly prepared for these attacks.
Many people assume that companies that pay the ransom in this type of attack are doing so because they must not have a backup of their data. But that’s not always the case. Companies may have a full backup but haven’t tested it and are unsure how long it will take to restore. So, they pay the ransom because they think it’s the fastest way to get operations up and running again.
The cost of downtime averages US $5,600 (CA $6,982) per minute.
No company is too small to suffer from a cyberattack, so it’s important to be prepared and to regularly test your disaster recovery plan. Here are the steps to do that.
1. Prepare Your Goals Ahead of Time
Before you can begin testing your disaster recovery response, you must decide on your benchmark goals. Without goals to grade performance, you don’t have anything to reach for and you don’t really know how your team is doing.
Some of the common disaster response KPIs to test for include:
- Click-through-rate (CTR) for employees on simulated phishing emails.
- Recovery Time Objective (RTO): How fast you need to recover operations before experiencing serious business impact.
- Recovery Point Objective (RPO): This is the least amount of data loss that you find acceptable. This will have to do with how much time you allow to pass between backups.
You want to make sure your goals are realistic. For example, don’t expect to get up and running in 2 hours after a ransomware attack. Discovery, eradication, and backup restoration take longer than that even if done perfectly.
It’s also not realistic to expect a 1% CTR on a phishing drill the first time you do one. According to SANS™ Institute, companies can expect a CTR of around 25% – 30% the first time they test employees with a phishing simulation. Then, as employees are trained and drilled, that number can drop to less than 5% over a 9 to 18-months period.
2. Prepare for the Testing Dates & Environment
Schedule your testing dates during a time that’s not going to conflict with vital company operations. You don’t want to be tempted to cancel the testing because things have become too busy.
You want your testing environment to either be your live environment or an environment that is simulated and as close to live as possible. Working with an IT professional on disaster test planning is also key to ensuring testing is done properly.
3. Identify the Tests You Will Perform
Next, you need to choose the tests that will be performed. Again, if you’re working with an IT pro, they can help with this step.
Decide if you’re doing a full disaster simulation, or just a data deletion and recovery. Also, how are you testing your team? With paper tests, online testing, or simulated phishing attacks that you haven’t let staff know are coming?
4. Conduct Tests and Record Results
When conducting testing, you need to ensure that more than one person is recording what’s happening. You’ll want hard data, such as how many team members clicked on phishing links and how many hours a data recovery took. And you’ll also want efficiency input from your team, such as, “If we had a checklist of responsibilities ahead of time, we could’ve shaved an hour off the recovery time.”
Make sure you have systems in place to test all the goals that you laid out in Step 1.
5. Share Results with Your Team
Disaster recovery is a team effort, so you want to share the results with your team. This isn’t to shame them if they didn’t score well, but to encourage them to improve in needed disaster response areas and to celebrate progress during subsequent testing.
This type of meeting can also open the door for employees to give you valuable input as to how disaster preparedness could be done better in their area of the company.
6. Update Your Disaster Recovery Plan Based on Results & Team Input
Improve your documentation, training, response software, etc. according to your testing results and team input. A big reason to do disaster recovery testing is to identify weaknesses and optimize both disaster prevention and recovery time.
Put a Solid Disaster Recovery Testing Plan into Action Today
Data First Solutions can help your business put together and execute a solid disaster recovery testing plan that improves business resiliency and mitigates downtime.
Contact us today to book a free assessment. Call 416-412-0576 or book your assessment online.