Cyber Response Drills: A Vital Ingredient of a Cyber Resilient Enterprise
The key reason behind the 2007 financial crisis was that many banks failed to build up sufficient capital against complex securitisation exposures. As the US Government’s ‘Financial Crisis Enquiry Report’ revealed, ‘In the years leading up to the crisis too many financial institutions, as well as too many households, borrowed to the hilt, leaving them vulnerable to financial distress or ruin if the value of their investments declined even modestly.’ Consequently, when the housing market crashed, heavily leveraged businesses were forced to fund exposures that they had not anticipated, and some were forced into bankruptcy.
As Mark Twain is believed to have declared, ‘History does not repeat itself, but it rhymes.’ Like several banks during the financial crisis, the majority of enterprises are ill-prepared to deal with unanticipated, highly targeted and debilitating cyber attacks. These attacks can be much deeper and more prolonged than imagined, leading to major financial shocks resulting from significant operational losses, share price declines or customer litigations. In extreme circumstances, it can even threaten the existence of an enterprise. Business leaders have a key responsibility to play here. They need to take deliberate steps to anticipate major cyber breach scenarios, assess the adequacy of response measures and more importantly, set aside sufficient capital to absorb the shocks should each scenario eventuate. To achieve this, business leaders can engage external consultants to facilitate desktop cyber-risk simulation exercises, or ‘drills’.
These drills must be attended by senior business, technology and risk stakeholders, as well as cyber security experts. During these drills, business leaders identify business impact from major plausible cyber scenarios, for example, a sustained distributed denial-of-service (DDoS) attack rendering key digital services inaccessible, a wide-scale sensitive data breach or extensive contamination of production data. Narrowing down key cyber attack scenarios is important because attempting to anticipate every possible attack scenario is not feasible. Once the stakeholders have agreed on plausible scenarios, the next step involves quantifying associated impacts and determining how much capital should be set aside. Quantifying financial impacts from cyber breaches is still in its infancy, and this is where external consultancy can provide insight using their wider industry exposure. Cyber security response simulations should achieve four key objectives. They should:
- Inform business leaders of their most critical digital assets, the strength of their existing defences and what alternative business controls can be put in place in the event of a sustained breach. In this context, cyber drills reveal the difference between perceived versus actual cyber security
- Challenge the priority of teams and business functions. For example, does the enterprise know which team has the highest priority to the business continuity site in the event of an internet outage resulting from a sustained DDoS attack?
- Inform business leaders of malfunctioning business controls such as obsolete crisis management plans or out-of-date business documents. For instance, in the event of a cyber attack or breach, an enterprise may resort to manual payments but realise only too late that authorised cheque signatories have long left the enterprise
- Clarify crisis response roles and responsibilities, as well as escalation procedures, specifically when addressing the following questions: Who is responsible for authorising customer communications in the event of a major sensitive data breach? Who liaises with regulators, investors, suppliers and critical business partners? Who is authorised to respond to media enquiries in the event of data breach fallout? Who notifies the board? Does the enterprise have precanned messages for call centre staff to provide consistent messages to customers once a breach has been publicly announced? Who authorises ransom payment in the event of a debilitating ransomware attack?
Although the last question may sound absurd, business realities are much more complex than most people think. When critical files are rendered inaccessible, senior leaders may need to make a tough call. Given the current environment of heightened cyber security awareness, it is tempting for stakeholders to overstate potential impacts from cyber attacks. This unnecessarily locks in capital that could be invested in defensive controls or other value-adding initiatives. External consultants or internal audits can play an integral part here by independently challenging the model used to quantify cyber risk likelihood and impacts, and ensuring that agreed-on capital levels are ratified at the right level. This rapidly evolving threat landscape dictates that cyber drills be institutionalised into the fabric of the enterprise operations, rather than be treated as one-off exercises.