Written by Suzanne Donovan, Senior Security Consultant for Savanti, part of FSP

SD-1

“All the world’s a stage, and all the men and women merely players; They have their exits and their entrances” ~ As You Like It, William Shakespeare

One of the services that Savanti, part of FSP, can offer is a Cyber Incident Readiness Exercise: testing an organisation’s Incident Response Plan and Playbook in relation to a potential cyber incident such as ransomware, malicious data breach or a DOS or phishing attack.

Testing an organisation’s Cyber Incident Readiness is vital to ensure that when an actual attack happens, the organisation has rehearsed and the key figures are aware of their roles and responsibilities, much like rehearsing a play: it is essential that everyone knows their part in relation to everyone else, and that is rehearsed before the public performance.

There are four key stages of Cyber Incident Readiness to be aware of:

1. Prepare
2. Practise
3. Respond
4. Learn

1. Prepare

In order to prepare appropriately, we can review an organisation’s Incident Response Plan in relation to other relevant documentation within the Information Security Document Set (such as any Playbooks)

Board members should also prepare by understanding their potential roles in the event of a crisis (cyber or otherwise).

In our recent Thought Leadership paper, the Board’s responsibilities have been discussed – including their awareness and commitment in shaping and supporting cyber readiness and resilience initiatives. Read our full paper 'Effective Cyber Security Board Governance – A source of competitive advantage':

TL2 final paper

The Board should recognise the impact of potential cyber incidents on an organisation’s reputation and finances (whether through demanded ransom, regulatory fines, or loss of customer business), and Cyber Incident Readiness such as testing can demonstrate the value in minimising business disruption.

Board Members should actively be encouraged to participate in Cyber Incident Readiness exercises, including developing the scenario (this could be linked to what the Board perceives as a concern or priority) and we can simulate high-impact scenarios for board decision-making training. (Within FSP we are currently developing an AI simulation generator – this will be a future FSP blog!)

2. Practise

Tabletop Cyber Incident Readiness exercises for organisations can be tailored to the specific organisation, to help organisation’s practise in preparation for a potential real-life attack. This can be practising, amongst other things: identifying an incident, rehearsing communications (internal and external), applying decision making, attempting to contact third parties and accessing documents and pertinent information.

Savanti, part of FSP, will provide advice and guidance to the organisation by evaluating the effectiveness of participant and board responses and decision-making.

"The number of choices you make in the event that you see on stage, those choices are sometimes largely determined by the rehearsal process and the experiments that you go through and the choices that you make in the rehearsal room, not in front of an audience." ~ Ben Kingsley

3. Respond

The organisation should practise how they respond during the Cyber Incident Readiness exercise – have the actions been pragmatic and appropriate? Throughout the exercise, we, as the facilitator, keep a record of decisions and actions that are made – do these align or deviate from the Incident Response Plan and Playbook, if so – does the documentation need to be revised?

Communication throughout the Cyber Incident Readiness exercise is key: how participants communicate with other members of the Incident Response Team and Board and intended communications with other stakeholders is analysed, in addition to how they respond to additional information throughout the duration of exercise.

4. Learn

The outcome of the Cyber Incident Readiness exercise is a report providing prioritised recommendations presenting an opportunity to face challenges and develop considerations as part of the learn phase. This phase helps bridge the knowledge gap between the participants of the Cyber Incident Readiness exercise and our cyber security experts. We can help ensure effective communication of technical concepts to the Board and help support the delivery teams to implement the recommendations. Support and education are paramount to address any potential resistance or lack of awareness at the Board level.

Conclusion

By rehearsing Cyber Incident Readiness on a regular basis, different scenarios can be tested, and the main Incident Response Plan can be improved and refined on a continual basis.

It is of vital importance that the Board (and Senior Leadership) are involved in cyber security: being part of the Cyber Incident Readiness exercise will not only help them understand more about (potential) cyber incidents, but also their own role in such cases.

The Board’s participation in Cyber Incident Readiness exercises will directly contribute to the organisation's overall readiness.

Effective communication must be emphasised: efficient and rehearsed communication, both internally and externally, is key. Knowing who is saying what line and when is key to any great performance of a play.

"You need to make mistakes in rehearsal because that's how you find out what works and what doesn't." ~ Clarke Peters

Further Reading

Gloucester City Council recently released a case study of a cyber-attack – which originated from a single, well-crafted email within a chain with a known supplier. 

In this case study it acknowledges that they need to “review roles and responsibilities and how the comms works both internally and externally and the escalation process and empowering staff on how and when to act. The plan should include potential contacts with organisations who have experienced similar incidents, law enforcement agencies and the ICO.”

Savanti, part of FSP, can provide you with cyber services and an experienced team of experts dedicated to supporting you to deliver both tactical and strategic services. Please visit the chat function on the FSP website or fill in your details below if you would like more information on how we can support you on your Cyber Incident Readiness journey