Cyber crisis management exercise: definition
According to NIST, a crisis management exercise is: “A discussion-based exercise in which employees with roles and responsibilities in IT matters meet collegially or in small groups, to validate the content of the action plan, discussing their roles and responses in the event of a crisis. A facilitator launches the exercise by presenting a scenario, and asks questions based on this scenario.”
Crisis drills, or tabletop exercises, are an excellent way to identify shortcomings across your tool stack and your organization at large. They can highlight the need to deploy specific cybersecurity solutions, or to improve internal or external communication systems in the event of an attack.
To begin with, here are three misconceptions that need to be dispelled at all costs.
Bad excuses for not organizing a cyber crisis management exercise
Lack of time
“A crisis management exercise takes time and organization, and we don’t have that.”
Not practicing crisis management is the best way to find yourself caught off guard when an attack occurs. Indeed, it can’t be repeated often enough: it’s not a question of if you’re going to be attacked, but when.
And finally, when we know that the consequences of an attack can extend over several months, what’s a few hours of practice compared to the days, even weeks, gained in managing a real crisis?
Too small an organization
“We’re too small to be the target of attacks.”
To get rid of this preconceived notion, you should know that in 2023, a Campus Cyber report showed that French SMBs (99% of the economic environment) were attacked almost 20 times more than large companies.
The CISO is solely responsible in the event of an attack
“It’s the security team’s role to intervene in the event of an attack, not anyone else’s.”
The security team is, as its name suggests, in charge of security, but it doesn’t operate alone. It is linked to the IT Department and must coordinate with an entire organization in the event of an incident.
In addition, other teams are likely to be involved in the event of an attack: the management team for strategic decision-making, the communications team for public statements, the technical team to provide expertise and operational responses… All these stakeholders must act together, following well-honed procedures.
Now that we’ve seen a few beliefs about crisis management exercises, let’s move on to the arguments in favor of this essential approach, with a view to ensuring better response and resilience in the event of a cyberattack.
3 arguments for promoting cyber crisis management exercises
Just a few hours can be effective
To be effective, a cyber crisis management exercise doesn’t need to last one or more days. A few hours can be enough to test a tool or procedure, raise questions among the participants, and debrief.
The exercise may, for example, consist of solving a problem theoretically through a discussion without a simulation; testing alert escalation and qualification; testing a tool or tool functionalities (e.g. mass notification).
By dividing the exercises into several sessions, you can cover a wide and complete perimeter, with minimum impact on the work rhythm of the business teams and limiting the risk of dispersion.
Crisis simulation strengthens team cohesion and cyber culture
Technical issues are obviously central to a cyberattack, but they’re not the only ones!
An attack can have legal, administrative, and financial consequences, to say nothing of the organization’s reputation… Gathering all stakeholders around a table not only strengthens ties but also enables everyone to be aware of each other’s scope and expertise.
It is also an opportunity to get business teams to work together on security issues that are not part of their daily routine, and to reinforce their knowledge of threats, attack techniques, attacker groups…
These crisis management exercises are an excellent way to raise awareness about essential cybersecurity best practices.
In short, optimum protection of an IT fleet depends not only on cybersecurity tools but also on the vigilance of all users and on well-oiled crisis management processes, covering both technical aspects and communication.
“In some organizations, crisis exercises have been an opportunity to raise awareness about cybersecurity issues and to release budgets to strengthen security before a real attack occurs. So it’s a great way of convincing a management team to allocate resources to cybersecurity solutions before it’s too late.”
Léna Jakubowicz, Pre-sales Engineer – HarfangLab
Exercise saves time in real cyber crisis conditions
A cyber crisis exercise is much more than ticking a box on a checklist. It’s about simulating an emergency situation so that you’re ready for battle and ready to make the right decisions at the moment an incident occurs.
To execute a successful cyber crisis management exercise, you need to define the objectives beforehand, identify the players and the people in charge of the organization, and ensure post-simulation feedback to draw lessons from it.
Through this feedback, an organization can take appropriate measures to reinforce security where necessary and ensure that each stakeholder has a clear understanding of their roles, responsibilities, and scope within the strategic or operational unit.
What if you can’t organize a crisis management exercise?
Since no organization is too small to fall victim to a cyberattack, no organization is too small to organize a crisis management exercise!
On the other hand, if expertise or resources are lacking in-house, the support of external resources can be beneficial, especially as these exercises need to be organized on a regular basis to validate the relevance of tools and processes over time. To this end, you can call on the services of an MSSP, both to organize exercises and to provide support in real-life crisis situations.
“A cybersecurity crisis highlights the responsibility of management teams and the processes defined upstream to manage the situation.
Decisions have to be taken urgently, under stress, sometimes without full access to information. Formalizing a crisis protocol, even a simplified one, is essential for dealing with an emergency situation. Crisis exercises help to build these reflexes, a bit like an athlete prepares to optimize their performance.”
Nicolas Brossard, Director of Cyber Crisis Management – Advens
“The support of an MSSP partner in crisis management makes all the sense in the world, from construction to exercise to real-life implementation.
MSSP partners are accustomed to managing large-scale incidents and crises and have all the elements needed to conduct operations where every minute counts. Crisis exercises help to assess the relevance of defined processes by putting them into context.
For example, it is possible to include service interruption situations in exercise scenarios with a view to measuring the potential impact in terms of operating losses. These anticipated impacts, together with the ability to rapidly restore the information system, help to limit the financial impact of a cyber crisis on the organization.”
Tristan Tarrieux, SOC Manager – Atheo