Steps MSPs Need to Follow to Recover from a Cyberattack

The odds aren’t good. Cyberattacks happen and you are the target. For the majority of organizations, it’s not a matter of if, but when, and the differentiator for most managed services providers (MSPs) and the companies they serve is this: How fast can you respond and recover?

This two-point question is crucial for security-minded MSPs who want to protect their digital assets and business reputation. Your success as an MSP depends on how safe you keep your customers and the effectiveness of your company’s security measures. It’s also important to understand where responsibility lies should you or your customer fall victim to a cyberattack, as you’ll be working to identify the scope of the issue and to contain and recover. Furthermore, you’ll need to determine where the attack originated from so you can improve the security posture for all. 

Recent Gartner research shows that over 90% of employees who admitted undertaking a range of unsecured actions during work activities knew that their actions would increase the risk to the organization but did so anyway. Additionally, Gartner’s e-book notes by 2025, 60% of organizations will use cybersecurity risk as a significant factor in conducting third-party transactions to prevent the compromise of information, systems, and infrastructure. Add both to the truth that today’s cyberattacks are increasingly more sophisticated and the pressure is on MSPs, and CISOs for that matter, to be intensely proactive and stand ready to help respond and recover.

Here are the preparation steps that can help you increase readiness before, during, and after an incident. 

Before the Attack

• Establish and maintain a security mindset and company culture led by a zero-trust policy.
• Continually assess your clients’ cybersecurity hygiene and make sure security policies and patches are up to date. Take action to minimize risk with automation, identity management, policies, systems, and procedures. Always update your systems and your clients’ software and systems regularly to prevent cyberattacks.
• Set security standards and best practices for yourself and your clients—and assess them regularly.              
• Create a backup and disaster recovery-as-a-service (DRaaS) plan and review it at least once a quarter, noting that instant recovery isn’t always the best or available option for safe recovery and restoration.
• Simultaneously, develop an incident response plan that outlines the steps to be taken in the event of an attack. It should include measures to isolate infected systems, notify stakeholders, and recover business operations. This plan should be linked to your DR plan. Identify your crisis communications plan and call tree (including attorneys, insurance, key stakeholders, your crisis coach, alliance partners, and employees).
• Print out a hard copy of your plan (in case you can’t access it during an attack) and create a single sheet summary with the most important points.
• Encourage your customers to run tabletop exercises for their company and their clients to practice the execution of the disaster recovery plan. Test the procedures and find the gaps. The goal of these exercises is continuous improvement. 
• Establish cyber resiliency so you can respond to a breach while also managing to carry on with daily operations.

During an Attack

• Identify the type of attack.
• Using your incident response plan, determine the severity of the issue and begin to mobilize your response team.
• Contain the incident by following your incident response process. This may entail isolating an endpoint, disconnecting the affected network from the internet, disabling remote access, or changing all passwords.
• Assess your data exposure. Determine if this issue constitutes a security breach. 
• Determine if you need to engage your cyber insurance provider, legal counsel, or even the authorities.
• Initiate your crisis communications plan.
• Execute your backup and disaster recovery plan, which includes your cyber resiliency strategy.

After the Attack

• Assess the damage.
• Debrief with the response team.
• Communicate with customers, stakeholders, investors, partners, and employees.
• Learn from the experience and share it.
• Expand your protective measures to ensure the root cause cannot occur again.
• Expand your detections to ensure variations of the attack can be detected in your environment.
• Establish a new prevention plan based on what you learned.
• Test areas that didn’t function well during your tabletop exercises.

To maintain the success and reputation of your business and those you serve, it’s imperative you plan to prepare, prevent, respond to, and successfully restore pre-attack business processes and operations. By taking the steps listed above, you can keep your team and your clients better protected from cyberattacks and help them recover quickly and securely.

DAVE MACKINNON is vice president and chief security officer at N-able. He has over 20 years of experience leading global security teams focused on cybersecurity, incident response, forensics, and threat intelligence across various industries. Prior to joining N-able, Dave was an IT security leader for AT&T/Warner Media, where he implemented an extensive security program managing complex incident response events.