
The Importance of Incident Response Plans – Recovery

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

This is our fourth article in a five-part series on the importance of incident response planning as part of your cybersecurity program. The purpose of an Incident Response Plan is to decide in advance, while you are not under the stress of an active incident, the actions you will take if you face a serious cybersecurity event.

The first article discussed the preparation phase of the plan, and last month we explored containment and eradication. As stated previously, the National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Ransomware Incident Response Plan – Recovery 

Today we are focusing on the next phase of the response plan, which is Recovery. This is when you restore the affected systems and return to normal day-to-day operations after an incident such as a ransomware infection/attack.

Often, this involves restoring not only the operating system but the business applications and associated data for that device (workstation/server). This is dependent on whether the gaps in the systems have been patched and how your organization will ensure these systems are not breached again.

Importance of Backups

The strength of your backups is critical to the effectiveness of the recovery phase. Organizations often discover that their backups were infected along with their primary systems. Restoring from them essentially reloads the ransomware or malware, and the recovery starts all over again.

3-2-1 Backup Strategy

Organizations should implement the 3-2-1 backup strategy, which means keeping three copies of each backup (one primary and two copies). Copies should be stored on two (2) different types of media (e.g., backup device, disk, removable hard drive, cloud, etc.). Finally, one copy should be maintained off-site, be immutable (cannot be changed), and be segregated from the production network, either logically or physically (often referred to as “air-gapped”).

To confirm that your systems and data can in fact be restored, test-restore your backups at least semi-annually (but ideally more frequently).
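As an added illustration (not part of the original article), the 3-2-1 criteria and the semi-annual restore test can be checked automatically against a backup inventory. The record fields, the 183-day threshold for "semi-annually", and the per-copy restore test are assumptions made for this sketch, and the sample inventories are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class BackupCopy:                       # hypothetical inventory record
    name: str
    media: str                          # e.g. "disk", "tape", "cloud"
    offsite: bool
    immutable: bool
    segregated: bool                    # logically or physically separated from production
    last_restore_test: Optional[date]   # None means never test-restored

def check_321(copies: List[BackupCopy], today: date, max_test_age_days: int = 183) -> List[str]:
    """Return findings; an empty list means the copies meet the criteria above."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s), need 2")
    # One single copy must combine all three protective properties.
    if not any(c.offsite and c.immutable and c.segregated for c in copies):
        findings.append("no copy is off-site, immutable and segregated")
    cutoff = today - timedelta(days=max_test_age_days)
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        elif c.last_restore_test < cutoff:
            findings.append(f"{c.name}: restore test on {c.last_restore_test} is too old")
    return findings

# Constructed sample inventories (not real data).
TODAY = date(2024, 6, 1)
GOOD = [
    BackupCopy("primary", "disk", False, False, False, date(2024, 5, 1)),
    BackupCopy("local-tape", "tape", False, False, False, date(2024, 2, 15)),
    BackupCopy("vault", "cloud", True, True, True, date(2024, 1, 10)),
]
WEAK = [
    BackupCopy("primary", "disk", False, False, False, date(2024, 5, 1)),
    BackupCopy("replica", "disk", False, False, False, date(2023, 9, 1)),
    BackupCopy("offsite", "disk", True, False, True, None),
]

if __name__ == "__main__":
    for label, inv in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, check_321(inv, TODAY) or "meets 3-2-1 and restore-test criteria")
```

The WEAK inventory has three copies and an off-site one, yet still fails: a single media type, no immutable copy, and stale or missing restore tests.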

The next article will discuss the fifth and final phase of an incident response plan, Post Incident Activity: Lessons Learned.

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.
