Four common shortcomings in cyber threat response

Dec. 3, 2021
How to make a crisis constructive by challenging staff to be proactive in creating a strategic response plan

By some reports, there are more than 2,200 cyberattacks per day, which works out to roughly one attack every 40 seconds. According to the U.N. Disarmament Chief, cybercrime is up 600% since the start of the COVID-19 pandemic. In response, nearly every industry has quickly adopted new security tooling. It is no longer a question of "if" but "when" a data breach will occur. Organizations are therefore relying more heavily on crisis scenario simulations, and many are finding that there is such a thing as a "beneficial security crisis": a controlled one is an invaluable pressure test of an organization's true security posture.

Crisis simulations are designed to expose critical weaknesses across an organization's people, processes and technology, and they let participants build response skills in a safe and controlled environment. The power of a simulation lies in making it feel as real and pressing as possible, while tailoring each scenario to the attacks most relevant to the organization's risk profile and infrastructure.

Through these exercises, organizations can measure the effectiveness of their incident response capabilities and existing practices, identify areas for refinement, and update documentation and processes based on lessons learned. With these insights they can shore up their defenses and respond more effectively to real emergencies. The scenario is structured to observe and measure how well participants work as a cohesive team: processing the information presented, spotting false or misleading inputs, controlling communications, and making appropriate use of the resources available to them.

Ransomware scenarios are the most common crisis simulations because of how pervasive ransomware attacks have become. These exercises give participants an overview of the cybersecurity challenges involved, the basics of how a ransomware attack unfolds, and the fundamental technology and terminology needed to recognize one. But while ransomware is at an all-time high, organizations need to be prepared for the full range of potential crisis incidents, not just this one.

Through cybersecurity crisis simulation exercises, Trustwave recently identified a series of common security shortfalls and steps organizations need to take to prepare for the next security crisis:  

Don’t limit crisis teams to IT and security staff  

A single incident can, and often does, affect every department within an organization. A crisis therefore requires a multidisciplinary team drawn from legal, finance, PR, communications, marketing, risk, IT, security and HR. The details of each scenario should be pre-defined by the exercise designers, but participants must not be given any prior knowledge of those details if the simulation is to accurately reflect a real crisis.

Deciding how to communicate security concerns to staff in every part of the organization is paramount, especially since many entry points for an attacker lie outside the security team, on the devices and technology each staff member uses. A lack of visibility into security-relevant information across the organization, and inconsistent safety measures between teams, is a threat in its own right.

Any device in any staff member's office, on any floor, could be targeted to extract the data an attacker needs to demand a ransom, so ransomware simulations have to be all-encompassing. Avoiding indecision and knee-jerk reactions, and ultimately containing the incident as effectively as possible, is a whole-team endeavor. As an incident escalates, questions arise that require subject matter expertise across domains including Legal, Corporate Communications, Human Resources and Information Technology.

Organizations must adhere to an around-the-clock model  

Threat actors do not wait for the most convenient time to attack. Without proper foresight, an attack could easily land during hours when an organization has no employees actively on the clock. To mitigate this, organizations should designate a backup team member in a different time zone who can initiate the crisis response outside of normal working hours. With more employees working remotely than ever before, organizations should actively consider, and even capitalize on, the time zone spread of their own workforce.

Make an effective plan, stick to it, and continually review it  

Out-of-date or abandoned security planning documents do nothing to protect an organization. Consider developing playbooks, that is, pre-defined response and recovery strategies for the events deemed most likely, each setting out a communication plan and a recovery plan. From these, organizations can build simple checklists to ensure that every required stage of an incident is completed before it is closed. Preparing and collating canned statements to serve as templates for incidents that require public communication, such as breach notifications and press statements, can prove invaluable when the clock is running.

Assign a scribe to document everything so you can get better and be more prepared for the next time

Organizations also have a vested interest in maintaining the effectiveness of their security measures by assigning a scribe to document everything as it happens. Each simulation or real crisis informs the next, and this first-hand record will always be the information most directly relevant to an organization's industry vertical, risk profile and technology setup.

Once a crisis simulation has been conducted, trusted third-party providers can help organizations design and mature their cyber threat operations, improve threat hunting capacity, and shorten response times. An outsourced vendor can also provide 24x7 monitoring, protecting data, users and assets at any hour of the day. Still, organizations should test continuously: just as their infrastructure is constantly evolving, so too is their potential attack surface.

About the author: Darren Van Booven is a Lead Principal Consultant for Trustwave. He is a trusted cybersecurity advisor to boards of directors and executive leadership, with customers in all major industries. Darren works to enable security strategies through the development and deployment of value-added security solutions, facilitating the delivery of Trustwave's more complex transformation projects to strategic customers. He also serves as an industry thought leader in security risk management and develops innovative approaches to managing the risks associated with next-generation technologies.