• United States




Cyber resiliency – a key to corporate survival (and sleep)

Sep 11, 20175 mins
Backup and RecoveryCritical InfrastructureCybercrime

The recent major cybersecurity events – including WannaCry, NotPetya, and most recently, the Equifax data breach – underscore the need for organizations to be able to respond quickly to incidents.

quell cyber attacks primary
Credit: Thinkstock

For those of us in the healthcare industry, and I suspect many others, the  WannaCry ransomware attack is now referred to as the weekend without sleep. In my organization, a cross-section of folks from all areas spent most of their weekend on long conference calls ensuring that we had the maximum possible protection. Many repeated the same exercise, to some degree, during the more recent NotPetya outbreak. 

As we now know, the spread of the WannaCry worm was halted abruptly by a security researcher registering a domain which turned out to be the kill switch. Still, the virus did reach the United States, infecting some organizations. 

Now, imagine that your organization was one of the victims, with a few of your PCs infected. How fast would it spread before you could intervene?  If a bad actor unrelated to the outbreak were to try to penetrate your network during the outbreak, would you have the bandwidth to respond to that at the same time?  If not, you lack cyber resiliency. 

If this scenario sounds far fetched, think again. An organization I am familiar with experienced a similar situation recently. On a seemingly quiet Friday afternoon, they began receiving reports of Internet access latency, followed quickly by complaints about the public applications being unavailable. A quick query of the security information and event management system (SIEM) identified the problem – a Distributed Denial of Service (DDoS) attack was under way. The traffic was coming from a number of addresses in China. The information security team quickly swung into action, working to control the attack and restore service. A few minutes after the attach began, a different system alerted the team to a seemingly unrelated issue – key users were reporting an apparent phishing attack. Some members of the team immediately jumped off of working the DDoS attack, and quickly mitigated the phishing attempt. The actions of this team demonstrated a key aspect of cyber resiliency — the ability to effectively respond to multiple cyber attacks at the same time. 

Another aspect of cyber resiliency involves how an organization recovers from a successful attach. Since many in the industry now acknowledge that completely preventing attacks is nearly impossible, an organization must be able to recover their operations quickly following such an event. The key to recovery is good planning in advance, and repeated testing of the plan. 

One does not have to look further than the recent outbreak of the NotPetya ransomware worm to appreciate the cost of the failure to quickly recover from an attack. According to Forbes, the NotPetya infection at shipper Maersk cost them as much as $300 million dollars, in part due to extended downtime, causing them to face a quarterly loss, despite increasing revenue. What may be worse, however, is the customer bad will generated by such a service disruption. 

Achieving cyber resiliency is not an easy goal, but it is possible, and in fact, critical to sound sleep, an organization’s success, and in some cases, survival. Here are some key elements of a strong cyber resiliency effort:

Have a plan

In my experience, many organizations have significant delays in responding to a cyber crisis because they don’t begin planning for the event until after it happens. The term “fog of war”, coined many years ago to describe the confusion in the midst of a battle, applies to a cyber war. There is far too much confusion in the middle of a crisis to devise a good plan. So, don’t wait. Have your plan in place before the crisis strikes. 

Test the plan

Once you have a plan, test it, frequently. The most practical approach to testing is a table top exercise, during which representatives from all involved areas in an organization work through a representative crisis scenario. You will never be sure it will work until you test it. You will likely find that it changes after each test. 


It is important to keep your employees and customers informed about any crisis that impacts them. If they don’t hear from you, they are likely to make up their own explanation, which may be worse than the truth. Keep them informed from the beginning of noticeable impact. Many organizations that survived WannaCry and NotPetya did so because they successfully communicated information and appropriate precautions to their users during the crisis. 

Have a strong operational security team

In my DDoS example above, the organization succeeded because their team was able to focus on two cyber incidents at once. To accomplish this, you need a security operations team that is large and well trained enough to split their focus. If you cannot practically have such a team, this is a good area to outsource to a Security Operations service provider. 

Maintain good backups, and test them frequency

One of the topics often discussed related to ransomware is whether it is appropriate to pay a ransom to recover files. This discussion was rendered moot during NetPetya, when it was determined that there was no way to actually pay the ransom and get your files back. Thus, have good backups, and test them – frequently. 

Stay plugged into threat intelligence sources

There are numerous sources for good threat intelligence information, and reliable information from them is often of great value, not only in anticipating a crisis, but having the data necessary to prevent it, or if the worst happens, recover from it. There are Information Sharing and Analysis Center (ISAC) organizations for many industries that are particularly helpful in this area. 

Bottom line – you can survive a cyber crisis, but doing this will require a good, well tested plan, properly executed, with appropriate communication to affected parties.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author