Cyberattacks Are Inevitable. Is Your Company Prepared?
Preparing for the unexpected is much easier said than done. In the case of cyberattacks, many companies have vulnerabilities in their defenses and reactions they haven’t prepared for that hackers will test. Many organizations can benefit from instituting fire drills and tabletop exercises, which test a company’s response plan at every level. These exercises will almost certainly reveal gaps in security, response plans, and employees’ familiarity with their own roles. While investing in external facilitators for these exercises will often allow for a more rigorous test separate from internal dynamics, there is guidance for organizations who wish to execute internal exercises to better prepare for a cyberattack.
Cyberattacks always happen when you least expect them. And when they happen, they happen quickly. Responding appropriately is not just the responsibility of your cybersecurity team; everyone in the organization has a role to play. Is your team prepared? Do they know what to do and what not to do? Most importantly, has your whole team practiced their response? Everyone — the board of directors, company executives, managers, and team members — has to know their roles and responsibilities and work out any potential problems with their response before a live cyberattack puts immense stress on the organization.
There’s an easy way to determine whether your incident response plan (IRP) works and whether your team knows their roles: a test. Yet a Ponemon survey determined that 47% of organizations have not assessed the readiness of their incident response teams, meaning that the first time they test their plans will be at the worst possible time — in the middle of a cyberattack. Hackers constantly and consistently test your defenses and reactions. You must do the same.
In our work helping organizations — both public and private, large and small, domestic and international — plan for cyberattacks, we’ve found that fire drills and table top exercises (TTXs) are a great way to prepare for the worst.
Think of an emergency room scenario following a car accident. When seriously injured patients arrive, the ER staff has to know exactly what to do and how to do it. They cannot be learning at the same time the crisis is happening. The same goes for C-suite executives and top management. To make sure they are aligned and aware of company plans during a cyberattack, they need to practice ahead of time and build muscle memory in how to respond. Simulated scenarios help organizations to validate their plans and prepare company leaders.
An effective engagement takes a few weeks of planning, and works best when realistic situations and scenarios are used. We usually create videos simulating the company being criticized on the evening news, have journalists show up and demand to interview the CEO, or interrupt a press conference to ask about the cyberattack. We have simulated dark websites where executives can see their most valuable intellectual property being auctioned to the highest bidder, and their stock price dropping like a rock.
The first step is to make sure there are clear learning objectives and to determine which cyberattack consequences will have a serious negative impact to the organization. Fire drills and TTXs help organizations identify vulnerabilities and risks that need to be addressed, demonstrate to the organization the magnitude of the risk and the importance of security resources and investment, and test plans in a way that helps everyone be ready. It’s almost a certainty that something unanticipated will occur. Knowing what to do helps executives respond when the unexpected actually happens.
Each test serves a different purpose. TTXs are occasional and test managerial capability and team-level response; fire drills are regular exercises that test people, processes, and technologies to make sure they respond appropriately and that there are contingency plans in place in the event that first-line responses don’t work. If the digital systems that support the organization are compromised, it is critical to have alternative communication plans, operational plans, back ups, and emergency resources identified that can back-fill until normal processes and systems can be restored. Without these tests, companies are left vulnerable to whatever might be thought of in the moment when their main systems are compromised, and that can result in major business disruption such as was experienced recently by Santander Bank, the City of Baltimore, and just recently, the U.S. Treasury.
So where should you start? It depends on who and what you want to test. We have found four types of fire drills and table top exercises to be the most effective.
Each approach listed above tests a different part of a company’s plans. A TTX for your C-level team will help them practice the current company response plan and test alternative contingencies should the unexpected happen. A TTX for your board provides a similar opportunity. Ultimately TTXs and fire drills drive awareness and build values, attitudes, and beliefs around the importance of everyone participating in keeping the organization secure. Importantly, each test helps companies find out what about their plan isn’t going to work — and gives them time to fix it before they need to put it into action.
A good TTX immerses participants in a cyberattack so they can feel the effects of the decisions they make and the effectiveness of the company plans. Most organizations discover something about their plans that previously had not been obvious, such as:
One manufacturing company realized their incident response plan was 400 pages long and no one had ever read it. When your shareholders and the press are clogging your switchboard asking for information, your employees are not sure what to do, and the cybercriminal is exfiltrating gigabytes of data or encrypting your computers so the employees cannot work, that is not the time for each executive to read a 400 page document — of which only 5-6 pages may apply to them — to determine what actions to take.
In another exercise, the first line solution to the crisis was that “someone will call Pat who will handle that by checking this software.” However, only one person knew Pat, Pat didn’t know it was their responsibility, and the software didn’t really work as the person assumed. It’s this level of detail that maximizes the value of the exercise.
At other times, these tests can make companies aware of risks they had never considered — let alone planned for. In 2018, we conducted several TTXs where the scenario included several physical locations of an organization being uninhabitable, and the organization had to move to an all-work-from-home scenario. We unwittingly prepared these organizations for the reality of the current Covid-19 situation (though some at the time didn’t believe there was a situation in which this could occur).
A TTX is a useful tool to highlight impacts beyond business continuity. In a very large financial institution, we created an exercise with a scenario that caused customers to lose confidence in doing business with the organization. One of the C-suite executives stopped the exercise in the middle and responded, “You realize that he [the TTX facilitator pretending to be a cyber criminal] just destroyed our company with one plausible scenario! We need to invest more in cybersecurity.”
In a recent study by Osterman Research, 45% of respondents said that following a TTX, they were able to increase their security budgets. Most of this budget was spent on procuring additional solutions and training their workforce. This same study highlighted that 78% of cybersecurity professionals believed that their TTXs and fire drills had better prepared their organizations to respond to future cyber threats.
Using an external source to create and conduct a fire drill or TTX can increase the benefits. Internally designed exercises often lack the level of surprise and unexpected scenarios and interventions. After creating the response plans, internal team members have a difficult time envisioning something unexpected. Further, team members may have difficulty challenging their peers and senior executives, resulting in groupthink or letting the team off the hook rather than challenging their responses and ideas. External leaders don’t have the same assumptions and don’t come to the table with the organization’s institutional memory and habits. Pressing for details and discovering flaws in plans can be career limiting for an insider, but it’s expected and necessary for an effective exercise.
That said, while there are benefits to bringing in outsiders (and we’d argue that it’s worth the cost), companies can organize these tests on their own. Here are a few best practices for creating and conducting your own exercises:
Companies who conduct fire drills and table top exercises report that they are both better prepared for a cyber crisis and more cohesive as a team in the face of an emergency. The cost benefit of TTX can be realized quickly — and the result is an increase in the agility and quality of a response which could reduce the financial impact to an organization by millions. It’s time to schedule your team’s practice sessions.
Acknowledgement: This research was supported, in part, by funds from the Cybersecurity at MIT Sloan (CAMS) consortium at MIT’s Sloan School and Boston Consulting Group. All authors contributed equally.
Cyberattacks Are Inevitable. Is Your Company Prepared?
Research & References of Cyberattacks Are Inevitable. Is Your Company Prepared?|A&C Accounting And Tax Services
Source