Getting hacked is becoming the norm. As more value migrates online, cyber attackers are taking advantage of poor security awareness among employees and customers, and many more companies are being targeted. Two-thirds of large businesses in the UK have experienced a cyber breach or attack in the past year.1 And a recent global study revealed that all of the established organisations surveyed (nearly 300) had fallen prey to cyber-attacks to varying degrees, with the annualised cost of attacks spiralling well over $7.5 million on average.2 The chances are your organisation has probably already been targeted. You just don’t know it yet.
In the event of a successful cyber-attack, how much long-term damage is done by data/value loss depends on the quality of your response. A substandard (or, worse still, absent) response can be significantly more damaging than the attack itself. A leading mobile phone retailer, the target of a major attack in 2015, found this out the hard way, losing £60 million in revenues and 101,000 customers as a direct result.
How would your business fare in similar circumstances?
Is your business ready?
One way to find out how ready your business is to respond is with a cyber 'war game'. The UK Ministry of Defence has been using this approach for a while to test governance structures, clarify roles and responsibilities and build the operational commander’s ability to make decisions in real-time. A small number of companies are starting to copy this model.
A cyber war game simulates the experiences and events of a real cyber-attack. Those involved receive fragments of information that are deliberately obscure, which builds tension and competing views among leaders. The simulation also includes representatives from business units such as information security, customer services, marketing and communications.
Bringing priorities into focus
Even preparing for a war game can improve your response-readiness. The planning and analysis required to develop scenarios for the simulation encourage discussion between business and security leaders about which assets must be protected as a priority and what the different implications of an attack could be with regard to loss of intellectual property, loss of reputation and/or business disruption.
These indicators are not always clear before such a discussion. You may find, for example, that most of your IT security processes are geared toward detecting and disrupting fraud, even though the most pressing risk is the loss of confidence associated with a public breach.
Putting your response plan to the test
Having a structured incident response plan in place is crucial to ensuring your organisation has the information and processes it needs to respond to a cyber-attack. However, a plan alone is not sufficient. Another key step is to rehearse the critical steps you will need to take during an actual security breach. Rehearsing these steps through a cyber war game can expose gaps in your plan and procedures that you are unaware of and give you a chance to fix them before an actual attack occurs.
Cyber war games utilise a wide range of methods and strategies that help to tailor simulations based on both opportunistic and targeted threats. The outcomes demonstrate how your infrastructure could be compromised and identify effective countermeasures that can be implemented to combat attempted breaches.
Practising decision-making in a high-stress situation
Managing an attack if it does occur requires agility and sound judgment, and calls for structured and clear decisions, particularly in high-stress situations where your company’s sensitive data and customer information, not to mention your reputation, are at stake. To make these decisions, you may need to interact with third parties, including law enforcement, regulators, industry peers and supporting vendors.
A cyber war game helps you practise assessing and determining the scope of the event and acting decisively to contain the impact of an attack and preserve forensic information. Of course, it is impossible to prepare fully for every scenario because the threat landscape is constantly changing. But war games can give you a better feeling for how tried-and-tested plans can help you navigate a stressful environment should the worst occur.
‘Fail to prepare, prepare to fail’
Conducting a cyber war game is a highly effective way to test your ability to respond to a cyber-attack. It can help you prioritise which assets to protect, identify weaknesses in your response plan and expose people to the experience of taking critical decisions, very fast, in a situation where they have limited and often confusing information.
The old adage – ‘fail to prepare, prepare to fail’ – couldn’t be more relevant. To minimise the long-term and even irreparable damage that a successful cyber-attack can cause, every business should have a carefully planned response. War games put that response to the test and can prepare your business to thrive on the cyber frontline.
1 UK Cabinet Office Cyber Governance Health Check, February 2016
2 Octree Global Report http://www.octree.co.uk/Documents/2014-Global-Report-on-the-Cost-of-Cybercrime.pdf