By Steve Durbin, Managing Director of the ISF.
There may be no better way to ascertain your organization’s strengths and weaknesses than by running regular security drills.
Keeping information secure is a difficult task, even if you have bountiful resources. With companies like Nintendo, Twitter, Marriott, and Zoom all suffering high-profile data breaches recently, it’s clear that no one is safe from cybercriminals. While most organizations understand the need to build defenses and develop policies to reduce the risk and potential impact of a successful cyber attack, many fail to rigorously test those defenses.
Cybersecurity exercises are useful simulations of specific cyber attack scenarios that enable organizations to gain valuable insights into their real-world response. From basic, small-scale, brief tests to complex, wide-scale, sustained attacks, cybersecurity exercises can provide verification that your defensive strategy is effective or highlight weaknesses that require immediate attention.
Despite their importance, 74% of respondents to the ISF Benchmark stated that they do not subject critical systems under development to cyber attack simulations or exercises. This may be because cybersecurity exercises are perceived as time-consuming, expensive to run, and potentially disruptive. If planned properly, there is no reason that should be the case. Cybersecurity exercises can deliver some truly compelling benefits. Consider these 10 examples of how.
Identify Your Strengths
There is a lot of focus on uncovering weaknesses and problems during cybersecurity exercises, but there is also major value in identifying what is working well for your organization. Robust strategies can be emulated elsewhere, smart policies can serve as templates, and effective employees can help to train others.
Improve Your Response
Perhaps the most obvious benefit of running a cybersecurity exercise is that it gives you an opportunity to improve your response to future attacks. An exercise may back up the theory behind your defensive strategy with evidence, or it might point to the need for a fresh approach. Either way, it will drive you to improve.
Gain Practical Experience
There is no substitute for hands-on experience. Cybersecurity exercises give employees practical experience of dealing with an attack, raise awareness of what an attack can look like, and teach people the right way to respond. Learning is always more effective with a practical component.
Define Costs and Timescales
In preparing for attacks, many assumptions and estimates are made about what resources are required to handle different scenarios and how long it will take to resume normal operations after an attack. Cybersecurity exercises paint a clearer picture of the costs and timescales involved, giving you hard data to help you build greater resilience, or use for any financial justification that might be required.
Determine External Needs
It’s unrealistic, even for many major organizations, to maintain a team capable of handling any attack scenario without external assistance. Which attack scenarios require external help? How quickly can external expertise be secured? How much will it cost? Running security exercises can help to answer these questions.
Measure Performance
Setting expectations for how swiftly different aspects of an attack should be handled, and how effective defensive actions should be, is vital in defining your strategy. But you can only prove that those expectations are being met when an attack occurs, or by running a security exercise. The resulting data should inform future strategy and guide your approach.
Identify Your Weaknesses
Whether there are technical vulnerabilities lurking on your network or weaknesses in security controls, cybersecurity exercises can expose them. They may also reveal the need for better training or new talent. Identifying specific weaknesses enables you to craft remediation plans and act immediately to improve.
Update Your Policies
If your current policies, standards, and guidelines are not effective, then it is time to revisit them. Effective incident response policies will drastically reduce the potential damage and disruption a cyber attack can wreak. Regular policy revision is important, and security exercises can provide useful evidence to guide that revision.
Find Non-Compliance Risks
The potential cost of breaching legal, regulatory, or contractual requirements is enormous, even if that breach is unwitting. Exposing compliance issues can prove difficult, but that does not mean they do not exist. Cybersecurity exercises can help to uncover areas of non-compliance, giving you an opportunity to fix them and avoid unnecessary legal and financial exposure.
Increase Threat Awareness
From entry-level employees to the board of directors, a lack of awareness about the nature of cyber attacks and the scale of the threats they pose can be catastrophic. Failure to recognize the risk and react accordingly exacerbates the problem, making a bad situation much worse.
Practice makes perfect. It’s common sense to accept that rehearsals serve an important function in readying people for the actual event. Cyber attacks are inevitable, but it’s how you respond that will dictate the impact on your business. Not only do cybersecurity exercises help to build awareness and understanding across your organization, they test your defenses, identify strengths to build on and weaknesses to mitigate, and offer invaluable practical experience.