In this week’s bulletin, Charlie covers the important use of RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives) in response to a cyber-attack.
This week, I have been teaching a Cyber Incident Management course in Frankfurt. One of the discussions was whether the RTOs and RPOs we capture in the BIA (Business Impact Analysis) are suitable and relevant in a cyber incident. One of the other discussions this week was about backups. Hackers know, the more data they encrypt, the more likely you will pay, so they go for your backups as well as your main system. As organisations don’t like losing data, they will install systems which continuously back up, or use backups inclemently during the day. This allows them to have RPOs as short as 5, 10, 15 minutes, so that there can be a minimal amount of data lost. In a cyber incident, you may have to go back to the last time you conducted ‘gapped’ backups. Gapped backups are those created onto tape or technology which means that the backups cannot be accessed from your system. In some instances, gapped backups are carried out only every 24 hours, one week, one month, or even never. So, in a cyber incident, your RPOs are unlikely to be missed.
RTOs may be much longer than stated in your BIA. Often, applications need to be rebuilt on a new server and then could take days, if not a week or two. The tasks required are:
- Buy or find a suitable server to recover your application to
- Find the right application. This could be made more complicated if you have customised the application, or you may be running your application some versions behind the latest version that the software vendor is now selling
- Reinstall the application
- Reinstall the data from your backup
- Test the application so that it functions correctly, and this may include that it works correctly with data feeds in and out
- Get staff working on it again
If you have practised recovery and have a script, then the actual recovery may not be too difficult, but if you have never practised then this is going to take time. Each application to recover takes IT and IT personnel to be available to carry this out. You therefore may have a limited number of people who can perform recovery in parallel, and you may be forced to recover systems in sequence, adding to the recovery time.
I also find in BIAs that sometimes people put their aspirational RTOs and RPOs rather than what they can actually be capable of, so in a cyber incident, they may take even longer to recover.
In conclusion, it is likely that your existing RTOs and RPOs will not be met and I think it is important to make sure that this is flagged up to senior managers in the crisis team, and then to make them aware of the realistic time they can expect the application to be back. Practising application recovery can provide a realistic time for doing this.