Key questions to ask to effectively recover from a cyberattack

Cyberattack recovery frameworks are a necessary part of cybersecurity. Learn how to develop a recovery plan that meets your company's needs.


The cliché "It's not a matter of if, but when" is wearing thin when it comes to cybersecurity; however weary the cliché, though, it still serves as a reminder to prepare for a cyberattack. During an attack, cybercriminals are counting on no one thinking clearly, so devise and set your recovery plan now.

Applying the reflective model to cybersecurity

There are lots of recovery frameworks available, but most are complex, expensive, and meant for large corporations.

One option is based on a proven cognitive engineering concept that can quickly be adapted to work as a recovery framework. It's free, and it can be developed in-house by management and those in charge of cybersecurity.

Professor Gary Rolfe and colleagues created what they call the reflective model. Rolfe developed the model to help the medical field, but it can work equally well as a way to recover from a cybersecurity incident.

The model is divided into three stages:

  1. What?
  2. So what?
  3. Now what?

The idea is to pose a series of questions that apply to each stage and to the event. The purpose of the questions is to refine reflective thinking and isolate the key elements of the event or situation so they can be examined and understood.

Reflective thinking involves considering the big picture, the meaning, and the implications of an experience or action. Reflection doesn't just mean jotting down what you did or plan to do; it also means:

  • Considering why what you did or planned to do matters

  • Proactive planning to help work through unexpected situations

  • Exploring emotions, feelings, and reactions that might interfere with the desired outcome

Now let's look at the three stages of the reflective model and some additional questions that might be asked at each.

What?

This stage is concerned with describing the event or occurrence being reflected upon and with defining one's own awareness in relation to it. Some additional questions might be:

  • What is each party's role in the developing cybersecurity event?

  • What actions need to be taken to resolve the issue? 

  • What if the response is ineffective? 

  • What, if any, outside entities need to be notified, and when?

The critical piece is to develop questions that specifically apply to the organization.

So what?

This stage analyzes the cybersecurity event, both during and immediately after it, evaluating the circumstances being addressed and how effective the response was.

  • What does this say about existing cybersecurity measures?

  • Were company policies and responses adequate for this particular incident?

  • What other approaches might have been brought to the situation?

  • What might have been done differently to ensure a more positive outcome?

This stage is easy to overlook: everyone will want to get back to business as usual, but holding a meeting to document impressions will be helpful for the next stage.

Now what?

This is the part of Rolfe's reflective model where the information from the other two stages is synthesized, insights particular to the affected organization are added, and decisions are made about what to do differently so the organization is better prepared if a similar situation arises again.

  • What has been learned?

  • What will make things better?

  • What, if any, outside support makes sense?

  • What will help recognize this situation in the future?

Final thoughts

The chief advantage of using the Rolfe model to build a recovery plan is its simplicity and clarity. By making employees part of the process as well as the solution, it promotes significant buy-in and better results.

To be clear, the reflective model is not an end-all answer, but a way of understanding what is already in place and what steps need to be taken if a cybersecurity event occurs.