It’s clear that cyber-attacks are a significant threat to organisations large and small, and have tangible, unwelcome impacts, not only in terms of costs to the business but also frequently in reputational damage and consequences for customers. However, what is not so clear is why organisations seem to ignore protecting the vital data that is the target of such attacks.
The answer may be that, when developing resilience capabilities, organisations are often blinkered, focussing simply on time-critical data – data that’s associated with their time-critical activities – while invariably ignoring other vital data assets (VDAs).
Why does this happen?
Typically, when organisations develop resilience capabilities, they build them from the ground up, first using business impact analyses (BIAs) to identify their priority activities and (amongst other things):
- Activity RTOs – When do they need to resume those priority activities following a disruption?
- IT RTOs – What infrastructure, application and data availability must they have up and running to support the activity RTOs?
- IT RPOs – What data currency is needed to support the activity RTOs?
But by ignoring non-time-critical data, there’s a significant and potentially dangerous gap in preparedness. This is because not all vital data is time-critical, and equally not all time-critical data is vital in the event of a cyber-attack. This means that vital data is not being identified, and appropriate protection and recovery capabilities are not being deployed. It can also mean that wider solutions, budget and resources are not up to the task.
So, what are vital data assets (VDAs)?
A reasonable definition of Vital Data is data that can directly and significantly influence the overall performance of the organisation both financially and non-financially. It likely has the following characteristics:
- It’s probably a subset of what most organisations classify as “Tier 1” or “Mission-Critical” data – and that subset is maybe 10%-20% of that data.
- It likely supports core products/services, financials and logistics.
- Its loss would threaten the viability/sustainability of the business.
That’s admittedly a pretty broad set of characteristics, and of course they will vary depending on sector/industry and the organisation’s risk appetite. But Vital Data identification is key to informing what an organisation needs to protect from a cyber-attack – and why.
Some examples of VDAs and why they matter
At a very prosaic level most organisations depend on inventory, client and financial databases to run most day-to-day business activities. While these databases are likely to fall within our definition of VDAs, they’re also likely to have already been identified as time-critical through the “conventional” BIA.
Nevertheless, not all such databases are identified and even if they have been, they’re likely not afforded the right kind of protection and Disaster Recovery. Data Analytics departments in many businesses hold lots of VDAs. Much of this data is used to ‘train’ dynamic processes (such as pricing for insurance or allocations for investment platforms) by analysing past performance to provide weighting for formulas. If a dataset is lost, then the ‘price’ or ‘allocation’ departs rapidly from the optimum. Whilst individual transaction information is confidential (and potentially the target of a ransom attack), the aggregate dataset is much more ‘vital’ (even without the link to the individual) and is a juicy target for industrial espionage and/or ransom attack.
A rather different scenario is at play in the energy and mining industries, among others, where having constant access to reliable exploratory data, which costs tens of millions to create over multiple years, is essential. Yet, because it’s historical data that isn’t necessarily needed to support day-to-day priority activities, it may well not have been identified as vital because it doesn’t have to be available within a few hours or days.
The same is true in the insurance industry, where so-called long-tail liabilities are dealt with in classes of insurance such as Employers Liability. These are policies that are often triggered by claims related to occupational hazards and diseases that may manifest themselves many years after the cause of the claim has occurred. So, having assured access to data that is sometimes 30 or 40 years old is essential for the insurer, and in the case of class actions the loss of that data, or its unavailability, could cost millions.
In healthcare, while the data associated with patient records is often cited as being critical, the reality is that very often those records are a patchwork of datasets that are held within various systems owned and maintained by a variety of healthcare suppliers – labs, radiology providers, pharmacies, clinical diagnostics etc. No single organisation has custody or control over every dataset and the protection afforded to each will vary enormously.
Likewise, in the pharmaceutical industry, having records of drug development and trials over many years is essential to obtain regulatory approval. However, because there’s likely to be no clear requirement for some of that data to be available at short notice, the DR requirements for that data are likely to be minimal.
The challenge of identifying VDAs
It’s clear that rather than simply looking at the IT services and data that support priority activities (those that are time-critical), organisations need to identify their VDAs – data that, if it were lost, would threaten the viability/sustainability of the business. VDAs and time-critical data are NOT likely to be the same thing, and recovering compromised data after a cyber-attack needs to be focussed on those VDAs. Their importance cannot be over-emphasised, and therefore BIAs – the foundational component of BC and IT DR – need to identify what these are, where they sit in the production environment, how they’re backed up, what their minimum acceptable recovery configurations and requirements are, as well as their technical profile (data types, size and growth rates, structured and unstructured, archive requirements etc.).
So, the questions for every BC or IT manager are:
- Do you actually know what your VDAs are?
- Do you know WHY they’re vital and the consequences if they’re lost and/or unavailable?
- If there is (or might be) a copy of a VDA, how easy/expensive will it be to get hold of?
- The last time you tried to restore production systems from backups, did you achieve your stated RTO/RPO?
- Are you confident that following a cyber-attack that compromised your vital data, you’d be able to eradicate malware, validate that it’s safe to resume operations, and repatriate confirmed clean data to the production environment – all within your stated RTOs?
- Do your current BC and ITDR plans incorporate activities to mitigate prolonged unavailability or loss of VDAs?
If the answer to any of those questions is “no”, then it’s likely your cyber-resilience capabilities need some attention.