This is a guest post written by Secure360 Twin Cities 2017 spotlight speaker Regina Phelps.
It seems there isn’t a day that goes by without another story of a cyber attack or breach. It has almost become a “breach a day”! Companies are spending millions of dollars to prevent these attacks from occurring, which is a wise and prudent investment. No one, however, is talking about how to deal with the impact of such a breach. We have surveyed our clients, professional colleagues, and firms and found no one is planning for the impact.
We have done numerous exercises on the impact of a cyber breach and have found them to be the most effective and rich exercise narratives we have ever used in over thirty years of practice. Do you want to get your executives and incident management team ready for such a cyber attack? Then you need to do a cyber exercise.
What makes it so different?
One of the things I often hear continuity professionals say is that they “plan for the worst-case scenario.” Whenever I hear that come out of someone’s mouth, I immediately stop them; this is simply not true. We don’t plan for the worst-case scenario; we plan for what we think will happen, what is called a “routine” emergency. What we plan for may be a really bad situation, but there is not enough time, money, or risk appetite to plan for the truly worst-case scenario.
Six design aspects you must consider in this exercise
To manage this very different type of exercise, you need to have six things in place to make it work:
1. Management support
Right off the bat, senior management needs to understand that this exercise is likely to produce many learnings and issues that will need to be resolved, and it will present topics that they have never thought about or deeply understood. This could easily make people feel uncomfortable with quite a few unanswered questions at the end of the experience. As you explore the topic, you will also likely need to provide some cover to the IT and Information Security departments so that it doesn’t become a blame game or a witch hunt.
2. A willing IT department
IT needs to be an active planner in the exercise. You need several excellent IT staff members who will not be players in the exercise to be part of the design process. You need them to help you determine what the cause will be. When you first begin, this will undoubtedly make them uncomfortable, because in the back of their mind, they are going to be fearful of being blamed. You’ll need to reassure them that’s not the goal of the exercise.
The first question you need to ask the IT department is, “Could we be hacked?” The answer will inevitably be “yes.” The next question is, “How could that happen?” The list is long but could include things such as phishing, watering holes, or infected flash drives. You just need to find a likely means, not a deep exploration of the intrusion. You need the IT team as your ally and you may need to provide them some cover.
3. Two Design Teams
You need two design teams: an IT/Information Security design team, and a standard Exercise Design team. The IT/Info Sec team needs to do a deep dive on the narrative and develop the timeline of issues that happened before the exercise’s scenario date, and then provide a very detailed timeline of what happens during the exercise. Once they have developed the breach timeline, the other design team can begin to develop their injects.
The standard Design Team should include key lines of business, Human Resources, Communications, Facilities, Security, and any other key departments. Those team members should take the IT narrative and timeline, and develop their injects, which will tell the story of the IT problems from their perspective. Remember: In an exercise, if you don’t tell the players what’s happening, they don’t know what’s going on and will invent things. The injects are the way we tell them the story.
4. The Right Exercise Type
There are three styles of exercises that can be used with a cyber narrative: Advanced Tabletop, Functional, or Full Scale. What they have in common is a Simulation Team. This exercise requires a Simulation Team to make it work. The teams going through the experience need to have someone to speak to as they work through the problems. If you don’t have a Simulation Team, you will not be able to work through the issues to a deep-enough level to gain value from the experience.
5. Interwoven Narrative and Injects
The narrative for this exercise will have lots of nooks and crannies. It has a certain complexity that can’t be avoided. The story progresses through the injects, and the injects must “dance” with the IT narrative. The exercise players have to tease the information apart, work with the Simulators to figure out what’s going on, and then improvise a plan. When they develop that plan, then the Simulators have to adapt to the new plan and, in some cases, create injects “on the fly” to make it all work. The narrative and the injects are constantly ebbing and flowing together to tell the entire story.
6. Make it Public
One of the key aspects of this narrative is the potential damage to the reputation of the company. To damage that reputation, we have to “out” the narrative. We usually do this early on in the exercise by having our “perpetrator” post the story on a social media platform such as Twitter. (NOTE: Of course, we don’t put a real post on Twitter. This is all done via “exercise magic.”) We often have our AV team produce videos in a style similar to a hacker video, such as those done by Anonymous. In exercises we have done, we play such a video for the participants, and watch as their jaws literally drop.
To make it even more interesting, we then create a second video by one of the local news stations, saying they are sending reporters to the company under siege seeking official comments and interviews with executives. Mission accomplished! Company outed! The players then have to deal with the fallout.
For businesses, the risk of experiencing a data breach is higher than ever, with almost half of organizations suffering at least one security incident in the last 12 months. The C-suite and Board members can no longer ignore the drastic impact a data breach has on company reputation. Meanwhile, consumers are demanding more communication and remedies from businesses after a data breach occurs.
If the future is anything like the past, cyber incidents in our company’s lives are not going away anytime soon. Life will continue to be complicated. Plan your next exercise to be a cyber exercise. Focus it on the impact of a breach and how your company will deal with it. And based on the probability of a cyber event, you had better get going!
Data Breach and Industry Forecast 2015, Experian. http://www.experian.com/assets/data-breach/white-papers/2015-industry-forecast-experian.pdf