For years, corporate boards have hired third-party companies to conduct financial audits to assure that there is no fraud or other breaches of fiduciary responsibility by management. Cyber risks should be managed similarly. Who can thoroughly evaluate whether management is prepared to protect the company when its systems are attacked or when a data breach occurs? Is management prepared to execute the company’s incident response plan, or is it just sitting on the shelf untested?
In a recent blog posting, we suggested 5 questions to ask your CISO or CIO to begin a meaningful internal dialog about cybersecurity. One of those questions was “Can you explain our Disaster Recovery Plan and what we have done to exercise it in the last year?”
While many businesses have adopted an Incident Response Plan, and/or a Disaster Recovery Plan, few have actually conducted effective exercises to test management readiness to execute the plan. Companies may have a regulatory obligation to test incident response procedures, particularly in the financial services and healthcare industries. It’s not enough to gather the head of IT, someone from the C-suite, a communications spokesperson, and a sales manager, and have them discuss for an hour or two potential data breach or systems failure scenarios and how the company plans to respond, leaving each participant with an improvement goal or two—before repeating the exercise the following year.
Effective cyber response exercises of any plan require significant planning, an agreed set of objectives to be accomplished during the exercise, measurable and meaningful evaluation criteria, the participation of members from every key business component that could be affected by the incident(s) being tested, and an experienced facilitator.
Think carefully about what cyber threats are most likely, given the nature of your business. Are you more likely to have a hacker who wants your employees’ or customers’ personal identification information, or a disgruntled former employee who misappropriates trade secrets? Could someone social engineer information from your accounting department (a.k.a. “business email compromise”) that would allow an unauthorized wire transfer of company funds to pay a fraudulent invoice from a non-existent vendor? How well could your organization withstand a ransomware incident? Not every company is a target of the Russian government, but virtually every company experiences hundreds of phishing attacks each year. So, exercise your plan to address threats that are realistic for your company and reduce your risk in meaningful ways.
In a typical tabletop exercise, there will be discussion of a hypothetical incident. But, will every participant be permitted to speak to the efficacy of each of their co-workers’ actions? What or who will determine who speaks first? How long should someone explain what they would do next? If an employee declares that she would make a call to a third-party contractor to perform a responsive function, should she provide the phone number she would use during a weekday, or on the weekend? Should the conversation focus on detection of threats, containment of the threat, eradication of the threat, preservation of evidence, law enforcement notification, recovery after the incident, or all of the above? Should there be discussion of what the budget and funding sources would be for each recovery step discussed? An effective exercise must have clear ground rules and objectives before it begins.
In evaluating the exercise, consider: Who will take notes of the discussion? Should the discussion be recorded so that it can be analyzed more carefully later, especially if there was a portion of the discussion that generated conflict? Who should conduct the evaluation? Should participants grade their coworkers’ performances? If so, does that grading need to be anonymous, to avoid damaging work relationships?
There are myriad potential measures of whether the exercise effectively revealed sufficient resilience. Was it clear from the exercise that all critical data, configurations, and logs were recoverable to ensure continuity of operations, consistent with the company’s Business Continuity Plan? Were all backups that were used to restore the system encrypted, and had they been stored both offsite and offline? If so, the company is better protected from both natural disasters and malicious threats like ransomware. An effective exercise must include a detailed and thoughtful evaluation process and product.
Effective exercises test not only incident response capability, but also whether key employees coordinated their responses while protecting their respective interests. Can human resources, legal, communications, compliance, IT, physical security, finance, operations, and sales share information in real time and in terms they each understand in order to minimize the consequences of a cyber attack? When disagreement occurs in the discussion, who has the authority to resolve that disagreement? Ideally, senior leaders should participate, both to gain a clear sense of the team members’ strengths and weaknesses under pressure and to solidify who has what level of decision-making authority at each stage of the exercise. Of course, senior leaders need to recognize that their presence can chill the frankness of the discussion and undermine the exercise, if they fail to convey clearly at the outset that the exercise environment is a “judgment free zone.”
In some circumstances, it can be useful to include governmental regulators or law enforcement organizations. Getting to know who would be the responding agents from local, state or federal authorities and building relationships with them during an exercise can pay big dividends when a real incident occurs. Likewise, participation by contractual partners who would perform call center, forensic, or public relations functions during or following an actual cyber attack can be exceptionally revealing. In today’s environment, any substantial data breach will generate social media responses that can quickly overtake a company’s intended messaging.
Managing the aspects of an effective exercise described above in an orderly, balanced, and respectful way is not a task for the faint of heart. An experienced facilitator will have the ability to evaluate whether the discussion is getting too far afield to produce measurable results, or is neglecting the role of one business function or department at critical stages of the exercise. The facilitator must be able to communicate the ground rules for the exercise at the outset, and enforce them in ways that promote productive discussion and do not shut participants down even when they make a mistake. The ability to ask the right questions will enable all of the participants to see the tangible risk reduction purposes that attach to each aspect of the exercise.
The many questions and aspects of a well-designed exercise introduced above reveal that there is much to coordinate and control to maximize the results of your exercise. Taking the time to consider each of these aspects will help you better determine your company’s ability to respond effectively to a security incident.