In the not-so-distant past, a cyberattack warranted little more than a wander down to IT support with the infected endpoint in hand. You might waste a few hours, but the worst outcome was a few bad jokes about visiting certain websites on your work laptop.
Fast forward to now. Companies are on the frontline of an indefinable battlespace where nation states and criminal entities lob sophisticated digital weapons as part of hybrid war. IT support has become a quasi-militarized operation.
Cybersecurity is now more than just a technical issue. It is a whole company problem, capable of dragging down share-price, scuppering hard-fought brand cachet and even earning executives a very expensive date with a regulator or Government committee. For this reason, a broad range of stakeholders outside of technical teams now play a vital role in effective crisis response.
Miranda Ward, who helped some of the largest brands on the planet respond to and plan for just such an issue in her role at communications firm, Brunswick, says it starts with the basics: “More often than not, security teams don’t communicate effectively with other parts of the business about what’s going on.
“There are a variety of reasons for this. It’s either because they don’t think it’s significant enough for escalation or because those dealing with the situation at the start aren’t aware of the processes. However, it’s always detrimental if non-technical teams aren’t brought in early.
“The best way to overcome this is to make sure everyone involved in the crisis response knows everyone else before an issue arises. It sounds basic, but so many times I’ve worked with companies where crucial people have never got together, run things through and decided who is responsible for what in a cyber crisis.”
Getting senior level backing for crisis simulation exercises is the best way to help these teams coalesce.
She adds, “Executives at large corporates appreciate the need for simulations with a range of stakeholders, but getting their explicit buy-in and sponsorship is the only way to make sure they actually happen. Ultimately, it’s in their interests to run exercises or things get pretty awkward when there is a breach.”
Andy Simpson, who has been in-house legal counsel at a number of well-known global brands, agrees: “Different organizations have varying structures, but leaders with responsibility for privacy, risk, compliance, legal, HR, customers and finance should be involved”.
He outlines that once the relevant teams have been identified, three elements are key:
- Prioritize risk
- Tier and define roles
- Run an appropriate number of simulations
“Cybersecurity should form part of a well-prepared crisis response structure; however, given it is higher on most risk registers, it should have a higher level of tailored preparation than, say, a global pandemic would.
“I’ve seen Gold and Silver teams work well as they can mobilize quickly and are aware that their initial job is to ascertain the situation and get the right people working on it.”
“I have been at organizations that have done no simulations and others that have regularly taken the Gold and Silver teams into crisis simulations. The latter is definitely effective, but depending on your sector the range of potential crisis topics can be large, meaning cybersecurity may only be on the rotation every 2-3 years. A huge amount can change in that time. This is where risk prioritization is key.”
An effective cyber response is clearly one that is regularly practiced by representatives from across the business. However, this jars with legacy exercises, which involve large amounts of preparation and heavy time commitments.
Immersive Labs’ new Cyber Crisis Simulator has been built to address this problem. By providing a browser-based environment where multiple participants can quickly run and assess crisis exercises against the latest threats, teams can hone their response without burdening their resources. For more information about building a mindset of cyber crisis preparedness, download our free eBook below.