Cyber simulations - forewarned is forearmed

  • Case Study

  • Cyber risks

Many companies have cyber incident plans in place – but how many would stand up in the heat of a real event? One energy provider decided to find out with a cyber simulation.

Problem

In the immortal words of heavyweight boxer Mike Tyson: ‘Everybody has a plan – until they get punched in the face’. A similarly rapid unravelling is what most companies’ cyber incident plans would experience if they were subject to a real event. Badly thought through, neither practiced nor integrated, and lacking high-level support, many companies’ incident response plans are little more than business continuity plans.

A lot of companies don’t have a budget for addressing cyber risk or are reluctant to spend money on it. And in truth, it is almost impossible to prevent a determined and sophisticated attacker from causing a data breach. With hackers ranging from script-kiddies through to nation-state sponsored criminals, cyber breaches are an ever-present danger.

Energy provider

An energy provider decided to run a cyber simulation to test how its team would react in a real event

Realistic simulation

Hypothetical, but realistic breach scenario to test incident response capabilities and overall readiness for a future event

Collaboration

Towards the end of the scenario it became clear that there needed to be more collaboration and greater transparency

Preventing cyber events

Gaps identified and recommendations made

Solution

The only way to find out if your company’s cyber crisis response would stand up to a real event is to put it to the test in as real a scenario as possible. That’s what one large UK energy provider requested of a multi-disciplinary cyber specialist team. 

The company wanted a hypothetical but realistic breach scenario to test its incident response capabilities, its management reaction, and its overall readiness for a future event. The exercise was kept a closely guarded secret but had the support of the board. The cyber team was given access to the company’s policies and incident response plan, so they could understand how it should work in theory. They then created a hypothetical but realistic scenario and arrived one morning with a ready-made crisis to deal with.

The scenario was that a supplier to the company had had a major breach, and the energy company, including its systems, had been caught up in the fallout. With the company’s full incident response team in place – more than 20 senior folk – new facts were injected into the crisis as the morning went on. With each new development, the teams – who had naturally clustered themselves into business function groups – were asked how they should respond. Invariably, what IT wanted to do differed from Legal, which differed from Communications, and so on.

“It soon became clear that the full team had never met in person before,” says Ian Birdsey, cyber specialist and Partner at Clyde & Co. “There was also little sign of collaboration between the teams – each function saw the crisis only from their own perspective. With no one department allowed to pull rank on the other, decisions needed to be found that benefited the whole company, not one particular business area.”

Towards the end of the scenario it became clear that there needed to be more collaboration and greater transparency, and that the team needed to move forward and work as one.

 

There had been quite a lot of duplication of efforts between the departments. We were able to identify material gaps where no work had yet been undertaken.

Ian Birdsey, Partner

Outcome

Once the simulation had been completed, the cyber team produced a report for the management board. It played back where the team and plan had worked well, set out the gaps that were identified, and made a series of recommendations for actions over the following 12 months. “Not only is the exercise a good analysis of incident preparedness, the report and follow up will reassure a regulator that the company is taking cyber risk seriously,” says Ian. “The UK regulators can punish companies that don’t – including finding non-compliance with the GDPR, which has already resulted in significant ICO and FCA fines in recent years.”

While preventing cyber events in the first place is almost impossible, realistic breach simulations are a necessary and good way to judge preparedness. And as that other great thinker, Benjamin Franklin, once said: ‘By failing to prepare, you are preparing to fail’.

Key Contact

Ian Birdsey

Partner