Ask a Security Expert: How Do I Get Started With DR?
What are the first steps in creating a disaster-recovery policy? Are there any templates to use or best practices on what to include?
This one comes from Chris Cable, senior engineer and team lead at Techworks Consulting, who hears this question from his customers.

Chris Cable
We live in a world where headline after headline features yet another company that has fallen victim to a breach, leak or cyberattack. And we need no reminder that cybercriminals are not discriminatory when choosing their targets. Organizations of all sizes and across all industries are constantly faced with the reality of the threat landscape surrounding us today.
So, what can organizations do to ensure they are prepared for a cyber incident, such as a data breach?
The process of mitigating a disaster must begin well before a breach – or fire, flood or hurricane – happens. Successfully recovering from a security disaster requires proactivity, and it’s crucial that organizations establish a security/risk management program to stay ahead of potential risks.
Organizations seeking to develop an effective disaster-recovery plan should start with an existing risk-management framework to begin implementing proper cybersecurity policies and procedures. NIST’s Cybersecurity Framework, for example, is centered on five core functions of identify, protect, detect, respond and recover. When addressing how to create an effective disaster-recovery policy, it’s important to focus on four core functions for cybersecurity incidents.
- Identify – To adequately prepare for a security disaster, organizations must first determine and understand their critical systems, assets and data, as well as the risks they face.
- Protect – Organizations should then ensure that a proper cybersecurity program with appropriate security controls and capabilities is in place.
- Detect – Detection is a crucial part of disaster recovery, as organizations must be able to efficiently identify and investigate the occurrence of a cybersecurity event.
- Respond – Once a disaster is confirmed, organizations must take action to contain the impact of a cybersecurity incident.
- Recover – And finally, recovery. This involves keeping the company in operation and assisting efforts as it returns to normal business operations.
As the NIST framework shows, a successful disaster-recovery program does not start with recovery; on the contrary, it requires proactive planning and documenting of current controls and contingencies to remediate incidents.
Part of this planning involves being aware of new regulations, such as GDPR, that will drive the need for organizations to review and update their disaster-recovery policies. NIST’s five core functions provide a solid foundation for customers looking to not only comply with regulations, but also ensure resilient business operations and a successful recovery if and when a disaster happens. And if an incident does occur (an eventuality that every company should be prepared for), an MSP should first circle back and do a deep review of the incident to ensure the same problem doesn’t arise again. You might not be able to do much about Mother Nature, but you can help customers do better with patching or phishing prevention.
In addition to NIST’s framework, organizations should follow general security-related best practices to aid in disaster recovery, including:
- Backing up all data.
- Keeping all systems updated with antivirus and anti-malware security software.
- Ensuring all computers are updated with current operating systems and security patches.
- Securing wireless networks with encryption.
- Implementing, monitoring, and auditing system and network logging.
- Installing access control and authentication of sensitive data.
- Training employees in cybersecurity awareness and proper use of business systems.
With today’s evolving threat landscape, it’s imperative that MSPs work with customers on disaster-recovery policies. NIST’s five core functions and general cybersecurity best practices are a great starting place for any organization looking to manage its risks and minimize the potential impact of a cyber incident. And once the process is started, don’t stop.
As Webroot‘s CISO, Gary Hayslip is responsible for the development and implementation of all information security strategies, including Webroot’s security standards, procedures and internal controls. As CISO, he also contributes to product strategy to guide the efficacy of the Webroot security portfolio.