15 Jan Measuring crisis preparedness for cyber attacks
The ISF’s Dan Norman explores how companies can measure their crisis preparedness for dealing with a cyber attack.
The number of data breaches and major cyber incidents is growing year on year across the Middle East – the average cost of an incident in 2023 was well over US$8 million, a 15% increase from 2022. The global geopolitical and economic landscape is becoming ever more unpredictable and turbulent, while nation-state-backed actors, hacktivists and insider threats are becoming increasingly confident and likely to target companies in the region. The Middle East is an attractive target – high-net-worth individuals, emerging tech-dependent industries and high-value critical national infrastructure are ripe for the picking. It is a question of ‘when’, not ‘if’, an organisation is going to be hit by a high-impact cyber attack. Therefore, focusing on resilience and testing crisis preparedness is a critical component of a comprehensive cybersecurity strategy.
Many organisations accept that even with the best technical systems in place, criminals can get into an ever-expanding network – IT, IoT, OT and ICS are all fair game for attackers. It is better to assume that infiltration is possible and build a strategy to reduce the impact. Of course, organisations should continue focusing on improving security basics (software updates, patching, strong passwords, a robust security operations centre, threat intelligence, risk management, etc.), but making a conscious effort to improve response and recovery should play an equally important role. A pivotal part of improving resilience is running cyber simulation exercises and measuring the maturity of the organisation to respond effectively. This must become part of a consistent, repeatable programme, where improvement can be demonstrated over time – even benchmarking performance against industry peers.
Getting the measure
Cyber resilience and crisis preparedness present a multi-dimensional challenge for organisations globally. CISOs and CIOs are frequently asked by board members, “How resilient are we?” “Do we have a robust crisis management plan in place to respond to cyber attacks?” “What would the impact be if we were hit?” We assume here that senior management and board members understand that cyber crisis response is not simply an IT problem and that many stakeholders and business units can be involved. But this poses the question: what does a good crisis response look like? What are the fundamental aspects of cyber resilience? How can we measure our maturity and ability to handle a cyber crisis?
There are typically five lenses of cyber resilience that should be considered when measuring the level of preparedness an organisation has to manage a major cyber incident: governance, processes, stakeholders, technology and data. A weakness in one or more of these lenses can make the difference in handling the major incident well, minimising the impact and resuming normal operations in the most cost-effective, pragmatic manner possible. All five of these lenses can be assessed during a comprehensive cyber simulation exercise, which can target a variety of stakeholders – from senior management to technical teams to even the board and executive committees.
Governance: Build appropriate governance structures, including leadership models and accountability for managing a major cyber crisis across a variety of disciplines and business units. There must be strong direction, oversight, accountability, ownership and policies relating to cyber incident management.
Processes: Understand the manual or automated procedures, tasks, activities and steps associated with containing, responding to and recovering from a major cyber incident. This typically touches upon the technical components of incident response but should also include delegation protocols, coordination, decision-making, escalation and communication for a variety of threat scenarios (including internal teams and external parties, such as the regulator, law enforcement, etc.).
Stakeholders: Have clear definitions of roles, responsibilities, relationships and communication relating to internal and external individuals and groups associated with cyber incident management. Importantly, what are the fallback plans should key individuals be missing?
Technology: Profile the use of software, tools, appliances and services that support the end-to-end cyber incident management process. Understand core dependencies across the network, including profiling suppliers, e.g. cloud services.
Data: Comprehensively log details, facts and other information required to support the end-to-end cyber incident management process. For example, good incident management prioritises robust data gathering to mitigate the risk of financial penalties or regulatory punishment.
The ISF has designed a cyber simulation exercise methodology to comprehensively measure the readiness of organisations to handle major cyber crises. Being able to understand the readiness of each component lens will help organisations to upskill the workforce, build robust crisis management plans and prepare for the future.
In 2024, there is almost a sense of inevitability that damaging cyber attacks will happen, disrupting operations and causing financial damage. Minor cyber incidents will happen and can be handled by the technical teams, but a major incident that involves a variety of stakeholders is a scenario that organisations must prepare for. Without testing response plans and putting individuals in a simulated environment, people will be reacting to a major crisis for the first time in real time, with real consequences. This must be avoided at all costs.