Key is to get back up and running after cyberattacks

If breaches are now an expected part of doing business, what matters most is the ability to rapidly and securely recover

Michelle Harris, sales director, Triangle. ‘I think the focus is not only moving to data, it's also moving from prevention to recovery, because I think the realisation has hit home that breaches happen’

Cybersecurity has changed significantly in recent years, with new approaches and technologies being deployed to face an ever-evolving threat. Despite this, the threat continues to grow, with what was once hacking now a major criminal enterprise.

Company Details


Year founded: 1999

Number of staff: 130

Why it is in the news: With the EU regulation DORA coming into force, regulated businesses need to be able to recover in the event of a breach

One positive move is that the focus on security is moving from infrastructure to data security, indicating that organisations realise that what they really need to protect is their data, not their computers.

Michelle Harris, sales director at critical IT solutions provider Triangle, said that many organisations were going further. Businesses today realise that the cyber threat is so serious that they want to ensure they can get up and running quickly in the event of a breach.

“I think the focus is not only moving to data, it’s also moving from prevention to recovery, because I think the realisation has hit home that breaches happen,” she said.

In practical terms, this means businesses need to be on top of their data, including knowing what data is essential for operations and what is not.

“It is about understanding what data you have and really understanding and classifying it, knowing what is throwaway and what is critical,” Harris said.

“You really need to understand what data you need to run your business and therefore what you need to recover. It still won’t protect you from the pain you go through or the brand damage, but it will allow you to get back up and running.”

The goal, following a breach, is to get back to a state of being a minimally viable company, and that should guide what data matters and what does not.

Of course, every single piece of data could be designated vital, but that is not the reality.

“The menu for your canteen is throwaway data,” Harris said.

Regulations such as the Digital Operational Resilience Act (DORA) and the revised Network and Information Security Directive (NIS2) are among the factors driving the renewed focus on recovery.

“Up until, I’d say, two years ago, the requirement even at enterprise level was to have a tick in the box of the business continuity plan. With the regulations coming out now, that has changed.

“It has been driven by DORA, in particular. For NIS2, it’s a little more vague, it’s not as clear as DORA. What we’re finding is people are adding budget based on DORA,” she said.

In addition, high-profile attacks got a conversation going.

“The HSE attack made a lot of people sit up and gave people permission to talk about security,” she said.

Immutable backups are a good first step, Harris said, and are useful for day-to-day recovery of files. However, to counter the cyber threat and be able to recover, more is needed.

“Backups are the most commonly attacked surface in an organisation and they are visible throughout the network. With cyber recovery, backups don’t meet the requirements; you need your data to be both logically and physically separated.”

Core data should be physically copied into data domain storage that is not visible on the network, entering via a one-way method and being deep content scanned as it does so.

“That methodology is where people are going in financial services and insurance, as well as in telecoms,” Harris said.

Cloud-based disaster recovery is common today, but while it is extremely useful in the case of a physical site being shut down, it is not designed for recovery after a breach.

“One of the first things you do [when there is a breach] is shut down your network; you sever the link to the outside world,” she said.

“You can have a DR [disaster recovery] plan but that does not give you cyber resilience. With DR you typically know what happened and you are just trying to get a platform up and running; whereas with cyber you have a lot of forensics.”

It sounds daunting, but Harris said having a recovery plan in place is a real help. “Because you are doing scanning on a daily basis you catch things much quicker.”

In addition, organisations should not throw their hands in the air.

“As the old expression goes, you eat an elephant one bite at a time. You need to sort out priorities. There are things you can do. There absolutely are,” she said.