Why run a cyber crisis exercise?
Regulators around the world now expect organisations to test their cyber resilience through exercising. Bodies such as NIST and the CPNI recommend regular exercises to prepare for a cyber attack, and exercising has become an important part of corporate risk management. This means that your crisis management team needs to be well rehearsed and prepared for a cyber security incident. Exercising is the best way for them to practise their respective roles in a safe place where mistakes can be made and learnt from.
Your company could have the most detailed response plans in the world, but if they have not been tested they may well be useless when they are most needed. A cyber security incident is not the time to find out whether your plans actually work.
Running immersive, scenario-based cyber crisis exercises is a high-impact, low-risk way of allowing your crisis management team to practise teamwork, high-pressure decision-making and communications strategies. Like a fire drill, the more frequently you practise, the better and more familiar the team will be with the process and the plans.
Initial response is critical
We now see headlines about cyber-attacks almost daily. The initial response is critical and can frame public perception of how you manage the incident in the days, weeks and months that follow. A poorly managed response can often cause more reputational and financial damage than the cyber attack itself: it suggests that not only did your defences fail, but you were also not prepared for an incident. This is not a reassuring message to send to your existing and prospective customers. Poorly managed responses also make much better news stories, so your incident will quickly become front-page news.
There is a general expectation that companies will protect their clients at all costs and go above and beyond to mitigate any damage.
What is the first step?
The first step is to have an incident response process that manages an incident through identification, investigation, containment, remediation and review. Once it is created, the Crisis Management Team needs to be proficient and comfortable with putting it into practice. In an incident they will be under tremendous pressure, so they need to be comfortable using the plan, the plan needs to work for them, and they need a good working relationship with one another. Cyber crisis exercises provide a safe learning space for them to make mistakes and fine-tune the response.
Who are the Crisis Management Team (CMT)?
The composition of a Crisis Management Team (CMT) varies greatly between organisations. Some companies opt for the Gold, Silver, Bronze structure of strategic, tactical and operational response teams; others opt for a single, cross-disciplinary team.
It is important to have the key business areas represented on the CMT. Usually the CMT will include the CEO, CIO, HR, Finance, General Counsel and Communications leads. Their regular job role is not the only thing to consider when forming a CMT: you also have to ensure that the different skillsets required to manage an incident well are represented.
It is important to nominate a Chair for the CMT to guide the team through decision-making, keep everyone focused and on task, and ensure that every action has an owner. Always have a Deputy Chair nominated and well trained in case the CMT Chair is absent on the day of the incident.
Cyber risks present unique challenges
Cyber risks present different challenges from many of the other disruptive events you may well have rehearsed before.
- They are extremely fast-moving, and it can be very difficult to visualise the damage.
- The reputational damage flowing from a cyber incident is also likely to be far greater than that from a fire.
- Our digitalised way of conducting business carries many dependencies that can be difficult for non-IT people to comprehend and manage.
- Finally, unlike with many other incidents, companies that suffer cyber-attacks are rarely viewed as victims in the eyes of the media. Social media can cause incorrect messaging to spread like wildfire, and it can be very difficult to regain control of the narrative.
Every organisation is different and every attack is different, so every plan and exercise must be different too. It is vital that the exercise is tailored specifically to your business, your technologies, your assets and the threats your business faces.