Cyber scenarios have become much more common in business continuity exercises, due to the increasing concern about the impacts of information security threats. Dominic Cockram offers some lessons learned from practical experience of running such exercises.
Organizations are increasingly focused on understanding the impacts a cyber attack could have on their operations and reputation. Many are now using cyber scenarios in their crisis exercises to test and validate their assumptions on how they would respond and reflect on the unique challenges a cyber attack could bring.
The exercises range from fully immersive simulations, which build competence and confidence by realistically replicating the pressures, issues and uncertainty of an attack, to desktop sessions, which give leadership teams and broader management the opportunity to familiarise themselves with the nuances of a cyber response, such as the awkward language and the reporting processes.
Having run a large number of cyber exercises over the last 18 months, I thought it would be useful to share some of the common lessons:
1. Set clear exercise objectives from the outset
In a cyber exercise it is easy to become lost in the complex technical linkages, databases, applications and networks which are all facets of a cyber exercise. Being clear about what you want to rehearse, validate or test is key.
I use these three terms explicitly because an organization can only ‘test’ something which can be measured as a pass or fail. It can test a firewall, database integrity or an ITIL (Information Technology Infrastructure Library) process, but not a response in the broader sense. A response can be rehearsed.
Validating processes, rehearsing procedures and raising awareness are useful ‘standard’ objectives and thought should be given at the development phase as to what needs to be achieved.
2. Exercise the process not the scenario
Generally, a crisis exercise scenario should be seen as a vehicle to rehearse and familiarise teams with process. The idea is to conduct an activity that puts an organization’s response teams – i.e. its people – through the processes and procedures of its cyber incident response plans.
The scenario is there to prompt the teams through the procedures and allow them to demonstrate how well those procedures are understood (and whether they work), and how people conduct themselves, think and respond under pressure.
A good cyber scenario is important but it should be remembered that the purpose of an exercise is to rehearse people and processes.
3. Take it to the top
‘Cyber’ remains an intimidating term for most of the executive team and is still seen as a technical issue.
Cyber attacks are, though, a serious top-team issue, as they can impact operations, customers and reputation. TalkTalk announced it lost £60 million and more than 100,000 customers as a result of the attack it suffered in October 2015.
Any cyber crisis – as opposed to incident – exercise should always involve the top team at some stage, even if it is just to build their awareness and understanding of the terminology: DDoS, malware, ICO, personal/sensitive data, hacktivist and so on. They do not need to be cyber experts, but they must understand what it means for their business.
Exercises are a great way to raise this awareness, focus the executives’ minds on the implications of a cyber attack and enable them to think through how they might respond and communicate.
4. Ask challenging questions and seek the inconvenient truths
It is easy in a cyber exercise to become overwhelmed in the detail and confused by complexity.
Continuing to ask challenging questions such as ‘just how does that work in practice?’, ‘exactly when would the external forensics provider arrive?’, ‘how do you operate without that system?’ and ‘just how fast can you really email several million customers?’ is key to understanding the many problems a cyber attack might bring. It can be all too easy to brush aside some of the difficult and knotty problems.
A cyber exercise can – and should – force out the issues and surface the solutions. Knowing it could be 36 hours before critical external support will be on site is quite important when you are front page news – as are many of the other inconvenient truths that may come out.
5. Maximise benefit during exercise development
Often, when we develop cyber exercises, we uncover gaps or vulnerabilities in preparedness and plans. It is always preferable to address these during exercise development than to highlight them in the spotlight of an exercise.
It is much better that an exercise demonstrates how good a response is – assuming that is the reality – than that it highlights things that could have, and probably should have, been addressed earlier. Any early learning and resolution should be captured and recognised as a product of the exercise as well.
Validating plans and processes in an exercise is a great outcome, but I have yet to run an exercise which does not result in a lot of other lessons being identified along the way.
6. Involve external advisers and support
It is important to rehearse the full response team and if this includes outsourced services or partners, they should be brought into the exercise as well. It is just as important – if not more so in some cases – that all parties are familiar with one another and aware of how the other works. An exercise is a great way to do this, even if the other parties only observe.
7. Communications has a critical role to play
The scenario may be cyber but the communications team must be involved. They are the conduit between the organization, the outside world and employees, and their strategy will influence the wider stakeholder view of the organization’s response.
Developing messages while information remains uncertain and ambiguous; communicating with stakeholders including customers, employees, and bodies such as the Information Commissioner (in the UK) and other authorities; questions around insurance, compensation and credit monitoring; and the inevitable media furore all mean that no cyber crisis exercise should be without the communications team.
Exercising an organization’s response to a cyber attack or data breach is a great way to check that response teams across the business – from the executive through to the incident management and technical resolver groups – are in the right place, understand the nuances of a cyber response, have the support set up and are prepared for the potentially overwhelming scrutiny such an event could put the business under.
It is critical to test the links all the way from the technical specialists and their specialist outsourced cyber support, through to the business impact management and the strategic corporate response and communication. The speed, complexity, uncertainty and public outrage of a cyber crisis are not to be taken lightly, but the response can be conducted much better if you have rehearsed it.
Dominic Cockram is a director of Regester Larkin and managing director of Steelhenge Consulting, a Regester Larkin company. A pioneer in simulation exercises, Dominic has more than 20 years of experience in crisis management and business continuity planning.