Just because your business has suffered a cyber-attack once does not mean it will not suffer another. Businesses that take their cyber security efforts to the next level plan their attack recovery metrics in advance. By measuring key factors, the business improves its chances of a faster recovery when it is attacked again. Lessons learned can be invaluable for controlling recovery costs and reputational damage.
The NIST Draft Special Publication 800-184, Guide for Cybersecurity Event Recovery, identifies 3 key recovery areas that warrant metrics:
- Assessing Incident Damage and Cost (direct and indirect)
- Organizational Risk Assessment Improvement
- Quality of Recovery Activities
Each business will want to weight the metrics to reflect the potential damage and the relative importance of speed and thoroughness in its recovery actions.
One metric a business might consider is its actual recovery time measured against its Recovery Time Objective (RTO). How long does it take until service is fully restored and functional, first to key users and then to all users? The measured time can include recalling backup media, confirming the system is safe to bring back, bringing up services, testing the system and deploying it to users.
Another metric to monitor is the maximum amount of recent data loss the business is willing to accept because of the time needed to restore data. Sometimes referred to as the Recovery Point Objective (RPO), the objective is compared against the actual loss window: the interval from the last backup that is usable for recovery until the attack event occurred. Note that a backup taken while the attacker was already present may not be usable, so the last usable backup is not always the most recent one.
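The following Python script is an added example, not code from NIST SP 800-184 or from the original article. It measures the achieved recovery time and data-loss window for one incident and compares them with RTO and RPO targets. The incident timeline, the backup catalogue and the 24-hour targets are constructed sample data, and the field names (`compromise_at`, `attack_at`, `restore_tested`, and so on) are this example's own assumptions. It also shows the trap mentioned above: counting the newest backup before the outage as the restore point understates data loss when that backup was taken during the attacker's dwell time.

```python
"""Measure achieved recovery time and data loss against RTO/RPO targets.

Added example, not code from NIST SP 800-184 or the original article. The
incident timeline, backup catalogue and objectives below are constructed
sample data; the field names are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    restore_tested: bool  # a backup nobody has restored from is not yet a usable restore point


@dataclass(frozen=True)
class Incident:
    compromise_at: datetime          # earliest evidence of attacker presence (from forensics)
    attack_at: datetime              # the disruptive event: service lost, data encrypted, etc.
    key_users_restored_at: datetime  # service back for the critical user group
    all_users_restored_at: datetime  # service back for everyone


@dataclass(frozen=True)
class RecoveryReport:
    restore_point: datetime
    actual_rpo: timedelta    # data written after restore_point and before attack_at is lost
    key_user_rto: timedelta
    full_rto: timedelta
    rpo_met: bool
    rto_met: bool


def newest_backup_before(backups: List[Backup], cutoff: datetime) -> Optional[Backup]:
    """Newest restore-tested backup taken strictly before `cutoff`."""
    usable = [b for b in backups if b.restore_tested and b.taken_at < cutoff]
    return max(usable, key=lambda b: b.taken_at, default=None)


def measure_recovery(incident: Incident, backups: List[Backup],
                     rto_target: timedelta, rpo_target: timedelta) -> RecoveryReport:
    """Compute achieved RPO/RTO for one incident and compare them to the objectives.

    The restore point is the newest tested backup taken before the attacker was
    present, not merely before the outage: backups taken during the dwell time
    may already hold tampered or encrypted data and cannot be trusted.
    """
    restore = newest_backup_before(backups, incident.compromise_at)
    if restore is None:
        raise ValueError("no restore-tested backup predates the compromise; data loss is unbounded")
    actual_rpo = incident.attack_at - restore.taken_at
    key_rto = incident.key_users_restored_at - incident.attack_at
    full_rto = incident.all_users_restored_at - incident.attack_at
    return RecoveryReport(
        restore_point=restore.taken_at,
        actual_rpo=actual_rpo,
        key_user_rto=key_rto,
        full_rto=full_rto,
        rpo_met=actual_rpo <= rpo_target,
        rto_met=full_rto <= rto_target,
    )


def naive_rpo(incident: Incident, backups: List[Backup]) -> timedelta:
    """The tempting but wrong figure: distance from the newest backup before the outage."""
    newest = newest_backup_before(backups, incident.attack_at)
    if newest is None:
        raise ValueError("no restore-tested backup predates the attack")
    return incident.attack_at - newest.taken_at


# Constructed sample data: nightly backups at 01:00, an attacker present from
# 1 March 02:00 who detonates on 4 March 09:00, and 24-hour RTO and RPO targets.
SAMPLE_BACKUPS = [
    Backup(datetime(2024, 2, 28, 1, 0), restore_tested=True),
    Backup(datetime(2024, 3, 1, 1, 0), restore_tested=True),
    Backup(datetime(2024, 3, 2, 1, 0), restore_tested=False),  # never restore-tested
    Backup(datetime(2024, 3, 3, 1, 0), restore_tested=True),
    Backup(datetime(2024, 3, 4, 1, 0), restore_tested=True),
]
SAMPLE_INCIDENT = Incident(
    compromise_at=datetime(2024, 3, 1, 2, 0),
    attack_at=datetime(2024, 3, 4, 9, 0),
    key_users_restored_at=datetime(2024, 3, 4, 17, 0),
    all_users_restored_at=datetime(2024, 3, 5, 13, 0),
)
RTO_TARGET = timedelta(hours=24)
RPO_TARGET = timedelta(hours=24)


if __name__ == "__main__":
    report = measure_recovery(SAMPLE_INCIDENT, SAMPLE_BACKUPS, RTO_TARGET, RPO_TARGET)
    print(f"restore point        : {report.restore_point}")
    print(f"achieved RPO (naive) : {naive_rpo(SAMPLE_INCIDENT, SAMPLE_BACKUPS)}")
    print(f"achieved RPO (clean) : {report.actual_rpo}  target met: {report.rpo_met}")
    print(f"RTO key users / all  : {report.key_user_rto} / {report.full_rto}  target met: {report.rto_met}")
```

On the sample data the naive figure is 8 hours, comfortably inside a 24-hour RPO, while the honest figure is 80 hours, because the only trustworthy restore point is the 1 March backup taken before the attacker arrived. Recording the forensically established compromise time alongside the outage time is what makes the difference visible; a metric that only tracks the outage will look good after exactly the kind of incident where it should not.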
Additional metrics that the NIST draft suggests include:
- Hardware, software, and labor costs to execute the recovery plan
- Frequency and/or scope of recovery exercises and tests (did they have a positive impact on recovery ease or speed compared with a previous attack?)
- Consequential damages from loss of reputation with customers
- Number of significant IT-related incidents that were not identified in the risk assessment
- Percent of successful and timely restorations from backup
Whatever metrics a business selects, they should be meaningful and encourage positive behavior. The metrics should be reproducible, so that they can be compared across multiple cyber events. They should be manageable, so that they promote realistic improvement actions.
Businesses frequently measure performance in financial terms, customer/sales terms, and in operational efficiency terms. Businesses should apply the same management discipline to metrics in cyber security recovery to improve knowledge of cyber security weaknesses and strengths.
The National Cybersecurity Institute offers cybersecurity training for small-business and non-profit owners and their employees. Learn more about protecting your business.