Why Run a Cyber Exercise?
Regulators around the world now have an expectation that organisations will test cyber resilience through exercising. Organisations such as NIST and the CPNI recommend regular exercises to prepare for a cyber attack and it has become an important part of corporate risk management. This means that your crisis management team need to be well rehearsed and prepared for a cyber security incident. Exercising is the best way for them to practice their respective roles in a safe place where mistakes can be made and learnt from.
Your company could have the most detailed response plans in the world but if they have not been tested they may well be useless when they are most needed. Running a cyber exercise can make the time you invested in your plans worthwhile. A cyber security incident is not a good time for seeing if your plans actually work.
Running immersive, scenario-based cyber exercises is a high-impact, low-risk way of allowing your crisis management team to practice things like teamwork, high pressure decision-making and communications strategies. Like a fire drill, the more frequently you practice the better and more familiar they will be with the process and plans.
Lack of Preparation Amplifies the Damage of a Cyber Attack
The damage caused by any cyber incident can be amplified by poor or hesitant decision making by the crisis team. Today’s hyper-connected society, social media and 24 hour news culture are unforgiving when it comes to cyber-attacks. The company’s that have suffered the most made fatal errors when it came to communications, containment and prioritisation of resources. There are a growing number of companies who have come out the other side being praised for the efforts and being heralded as the gold standard. If your company suffered a serious cyber crisis today which one would you rather be? When was the last time you read a news report of a cyber attack that was anything other than critical?
Modern society now exists with an irreversible reliance on technology. Our businesses need technology for almost every commercial operation that we engage in. We use the cloud, complex algorithms, new applications to give us an edge in the competitive world, IoT devices to improve the management and monitoring of processes and social media to promote the work we are doing. It is therefore not surprising that cyber attacks see year-on-year growth both in number and damage. It is causing so much international concern that regulators, legislatures and markets around the world are getting involved and demanding companies take preventative and preparatory actions.
Initial Response is critical
Almost daily we see headlines of cyber-attacks now. The initial response is critical and can frame public perception of how you manage the incident in the days, weeks and months that follow. A poorly managed response can often cause more reputational and financial damage than the cyber attack itself. A poorly managed response suggests that not only did your defences fail but you also were not prepared for an incident. This isn’t a reassuring message to send to your existing and prospective customers. Poorly managed responses also make much better news stories so your incident will quickly become front page news.
There is a general expectation that companies will protect their clients at all costs and go above and beyond to mitigate any damage.
What is The First Step?
The first step is to have an incident response process that manages an incident from identification, investigation, containment, remediation and review. Once created the Crisis Management Team need to be proficient and comfortable with putting it into practice. In an incident they will be under tremendous pressure so they need to be comfortable in using the plan, it needs to work for them and they need to have a good working relationship with one another. Cyber exercises provide a safe learning space for them to make mistakes and fine tune the response.
Who are the Crisis Management Team (CMT)?
The composition of a Crisis Management Team (CMT) varies greatly between organisations. Some companies opt for the Gold, Silver, Bronze structure for strategic, tactical and operational response teams others opt for a single, cross-disciplined team. These are the people who need to be prepared for an attack and take part in your cyber exercises.
It is important to have different key business areas represented on the CMT. Usually the CMT will include the CEO, CIO,HR,Finance, General Council and Communications leads. Their regular job role is not the only important thing to think about when forming a Crisis Management Team. You also have to ensure that the various different skillsets required to manage an incident well are represented.
It is important to nominate a Chair for the CMT to guide the team through the decision making, keep everyone focused and on-task and ensure that all actions have owners. Always have a Deputy Chair nominated and well-trained just in case the CMT Chair is absent on the day of the incident.
Build a Response Plan
Building a response plan is a start but a plan that has never been tested may be as good as useless. Every cyber simulation we run we find ways to improve the response. It is an ongoing cycle. Testing your plan during a serious crisis is not a wise strategy. You test your fire drills and evacuation plans because it is too important to just leave on paper. The same must be true of cyber attacks.
Putting your plans to the test in a table top crisis simulation will also provide your crisis management team with the opportunity to practice their roles. No company is dealing with a serious crisis every week. Many go years without the need for the crisis management team to meet. So how can you expect a group of busy, senior people to be well-rehearsed and confident in their roles when it comes to handling a crisis. The companies with the best CMTs run various simulations every 3/6 months. More often organisations run exercises once a year. It is an ideal way to get them together, working as a team, practicing their roles and rehearsing the playbooks that your company has. This is the best way to build cyber resilience.
A crisis is a time-pressured challenge that often involves multiple business areas and demands a coordinated response from identification through to remediation. Cyber incidents evolve in a high-speed and high-profile way with the scale of the threat ever-expanding. Mistakes can cause serious financial, operational and reputational damage. Your company will be under a microscope when it comes to responding to such issues so you want your CMT and your incident response plans to be mature and adaptable.
The faster you can react the faster you can mitigate the damage.
Test Your Incident Response Plans
When was the last time you tested your plans? Increasingly regulators are encouraging yearly cyber crisis simulations. This is also being reflected by insurers who are also requiring such testing takes place. This may sound intimidating, especially if you haven’t run a cyber exercise for a while but we run these table top exercises a lot and we have seen it all. Companies with no real plan at all, no crisis management team, excellent CMT but no contingency planning, no playbooks, too many playbooks. The list goes on. The point is that no matter where your company is on this huge spectrum you can run a cyber exercise and you will improve as a result of it.
Security is a process not an end destination. Every positive security step you take will increase your company’s resilience. That is good for your company, great for your customers and really bad news for attackers.
Cyber Risks Present Unique Challenges
Cyber risks present different challenges to a lot of other disruptive events you may well have rehearsed before.
- They are extremely fast-moving and it can be very difficult to visualise the damage.
- The reputational damage flowing from a cyber incident is also likely to be far greater than a fire would be.
- There are a lot of dependences in our digitalised way of conducting business that can be difficult for non-IT people to comprehend and manage.
- Finally, unlike a lot of other incidents, in the eyes of the media companies that suffer cyber-attacks are rarely viewed as victims. Social media can cause incorrect messaging to spread like wildfire and it can be very difficult to get control of the narrative.
Every organisation is different, every attack is different and so every plan and exercise must be different too. It is vital that the exercise is tailored specifically to your business, your technologies, your assets and the threats your business faces.