How testing/exercising promotes early identification of cyber threats and strategies and how to manage a response

‘US air traffic control system a hacking risk’

‘Cyber-crime’s new front: Your reputation’

………some of the headlines over the last few weeks.

Many businesses are burying their heads and leaving ‘cyber’ protection to their IT departments, unfortunately the best and biggest systems in the world are being hacked on a daily basis so businesses need to be prepared to manage a cyber event.

In January 2015 Continuity Central published an article by David Honour – ‘Three Challenges that Business Continuity Managers Face in 2015’. The first of these was ‘The rise and rise of information security threats’. It is definitely when not if an attack will affect your business either directly or through a third party entity. The subsequent impact on reputation and trust needs to be understood and managed by senior leadership teams before something happens.

David Honour’s article also talks about the growth of Ransomware. This growth is being fuelled by some organisations paying ransoms after having their systems disabled. Running a scenario along these lines with the senior management team to determine strategies to be employed, how would they ethically manage a ransom situation and how they would work with government agencies in advance of an attack places the organization in a stronger position than reacting when an event occurs.

Between 2012 and 2014 we conducted a series of simulation exercises with one of our clients, a large government agency. The scenarios for these exercises have been cyber attacks on their organization resulting in loss of personal information, phishing to divert funds to overseas bank accounts and denial of service to their own and third party systems.

The exercises have exposed the senior leadership team of the agency to the challenges of managing such an event, determining their response strategies, as well as exposing the line managers within IT and customer services, who would be at the coalface of such an event, with the understanding of the issues it would raise.

Feedback from the participants at these exercises has included:

• Good opportunity to test our individual and collective understanding of the crisis response process
• Helps people involved to identify areas they need to focus on for future events in their specific business units
• Ability of crisis management team to put into action a constructive approach to working on an evolving problem
• Great use of 3rd tier managers – they have the knowledge and the expertise
• Better understanding of cyber-risks to our business and that the risks are business risks not just IT
• The planning was excellent – a good simulation of a (hopefully non-likely) scenario
• Great opportunity to understand why investment in IT security is so important.

The key to a successful exercise is having the scenario realistic and clearly aligned to the business and reputational impacts that would be faced, both within the organization and any third parties with gateways which could also be compromised.

Cyber crime is with us. It will only increase in intensity and severity in a short space of time and all businesses need to establish how they will manage such an event. Crisis exercises allow teams to face the reality of the problem in a safe environment and to be able to consider the response without real pressure from stakeholders and the public.