I wanted to take a few minutes to explain how business professionals - Consultants, Attorneys, Doctors, CPA's, and Financial Analysts specifically - can prepare their practice to recover from a cryptoware attack made against their data processing systems.
I'm signaling-out these professionals because they usually have non-disclosure, fiduciary obligations, confidentiality agreements, or legal mandates to safeguard their clients' data.
The nature and risk of that data is therefore more consequential than most; extra precautions should be exercised both protect data from unauthorized disclosure as well as restore operations.
This write-up may get a bit lengthy and for that I must apologize, still, I think it's a good blueprint to help draft a roadmap for your firm.
I'll be writing it in pieces over the next week and I'll provide hyperlink updates within this post to the latest posts that I complete.
We Do Not Pay Ransoms. A terrible strategy that only promotes more attacks. People who weaponize your data processing systems shouldn't be compensated.
Invulnerability Isn't Possible; Failure Is Inevitable. There's no way to guarantee absolute computer security or to avoid systems failure. It will happen. The risk must be planned for.
Disasters are Disasters. Planning for a ransomware attack is just the same as planning for an earthquake, a flood, or a fire. Our disaster recovery plan may be universally-applied.
Access Control. Only authorized people should have access to confidential information. That means strong authentication, managed risk, and low attack profiles.
Separation of Systems. We will design systems that are independent of each other and quarantine sections of risk so that firewalls exist between computing environments.
Layers of Recovery Options. Instead of depending on just one data recovery option, we will use many options to give us an opportunity to recover from a disaster.
Leverage Encryption Everywhere. Throughout our data ecosystem, we will leverage encryption wherever possible to prevent what could be compromised from being used.
Asset Management and Maintenance. A good best-practice that keeps our firm on-top of emergent threats.
Please feel free to contact me if you have any questions about what you're reading in this series.
If you have concerns about your own practice and your disaster recovery planning, contact me. I'd be happy to help.