It was about halfway through the morning when the IT Manager decided to quit, the Head of HR started concealing incriminating evidence, and the Chief Financial Officer called in the police. With an active attack in progress against Company X, early signs of insider collusion, and a mounting social media campaign denouncing the organisation’s business practices as unlawful, things could hardly have been more stressful. It was then that the Head of Legal broke into a laugh and offered to fetch the biscuits, which the Board saw as an entirely appropriate response.
If this had not been planned, then the reaction would have been very different. Instead, this was an incident response exercise designed to stress test the capability of Company X to respond to and contain an escalating attack that could threaten the foundations of the organisation. Taking time to reflect on the scenario over tea and biscuits was part of the learning process.
Predicting the future isn’t possible, at least not with any certainty. So putting in place plans to address potential attacks, outages, and breaches often feels as if it will only go so far in preparing a company for such an event, and once these events enter unfamiliar territory the plans can quickly fall apart. Add to this the increasing frequency of so-called “Black Swan” events (defined by Nassim N. Taleb as low probability, high impact occurrences) such as a global pandemic or collapse of the financial markets, and the problem can appear almost impossible to deal with. So how can these plans be properly tested?
One way is by making your plans generic so that they take into account impacts instead of trying to second-guess all possible causes of these impacts. For example, the plan should be flexible enough to deal with your main premises no longer being available for use, which could be due to roadworks or all staff being forced into quarantine at home. Or the plan could provide general approaches for dealing with the lack of critical products in the supply chain, regardless of whether that is caused by transportation issues or scarcity of raw materials…such as your favourite fried chicken joint running out of chicken. Although that would never happen, would it, KFC?
By focusing on a toolbox approach instead of playbooks for each event, your incident response plans can cover most eventualities without needing to kill a small forest printing them all out. The basics of an incident response plan should at least include: a communications strategy for staff, customers, suppliers, and the media; the use of backup information processing facilities; prioritising and coordinating actions; and key contacts for specialist assistance.
The final piece of the puzzle is to train your staff who will have pivotal roles to play during a real incident. Make sure they are familiar with the plans, have a copy available off site, and best of all – run them through a simulated incident. When we run incident workshops for our clients, we tailor the exercise to the organisation’s vulnerabilities and operations, creating a scenario that is based on things that could genuinely occur…and then let it spiral out of control into areas no-one could guess ahead of time.
These are fun, interactive sessions that involve key personnel and challenge them to the limits of their experience. What starts off with a few reports of seemingly harmless phishing attacks could develop into a data breach, with ransom threats issued in real time to the participants, the clock ticking all the while, adding an element of pressure to decision-making. These workshops add a human factor too, changing people’s motivations during the exercise, forcing the team to try to contain the situation in the face of conflicting priorities.
For decades scientists have discussed the acute stress response in animals (including us hoofless human versions), which leads to a fight, flight or freeze reaction. In the face of a difficult situation, will you combat it head on, run away, or become frozen by indecision or fear? Without testing yourself in such a situation, you cannot know for certain how you will respond, so electing to run through a simulated incident exercise can be revealing, and provide a safe space for this to happen. As the author E. M. Forster said,
“How do I know what I think until I see what I say?”
You can be sure that when the time comes for Company X to face a live incident, they will be ready.
To discuss how Clear Loop can help you develop your own incident response plans and put them to the test in an entertaining and challenging manner, get in touch today.