Re-establishing all aspects of an organization’s processes and operations after a major attack can be very challenging. There will likely have been a substantial amount of chaos during the response, and the impact will have been felt across many different parts of the organization. There are several things an organization can do to smooth the process:
- Recovery leadership: Someone must be in charge of the recovery and work with the incident response leader to ensure good coordination between the two efforts.
- After action review: An important element of recovery is a review of all the impacts, the lessons learned, and the resulting changes to the organization’s procedures.
- Identify overlapping efforts: There will be no clean cutoff between incident response and recovery; many activities will overlap for weeks or months, and litigation concerning the breach may continue for years after the incident.
- New process: The recovery manager will need to implement the organizational process changes that the incident’s findings mandate. For example, if a major finding is that the organizational network must be segmented to keep external partners away from the financial processing network, full implementation will require significant reconfiguration.
- Board/C-Suite review: For a major breach, I would recommend that the Board of Directors take the time to review thoroughly the actions taken during the recovery process and confirm that the measures implemented will result in a stronger, more cyber-resilient posture for the entire organization.