5 ways to maximize a cybersecurity exercise
For insurance brokers, testing your company’s cyberattack defenses is vital to identifying weaknesses and creating a recovery strategy.
The threat of security incidents and cyberattacks looms large for every organization. Data breaches rose 17% in 2019 compared to the previous year, according to the Identity Theft Resource Center. Preparing your defenses to guard against and deal with the aftermath of a cyberattack is challenging, but it’s vital to strive for resilience to reduce the potential damage. Cyber insurance can help mitigate some of the expense, but with the average total cost of a data breach pegged at $3.86 million, according to the Ponemon Institute, and 280 days as the average time to identify and contain it, the need for action could not be clearer.
Proactive organizations recognize the importance of cybersecurity exercises in testing their defenses and measuring response in the face of different cyberattack scenarios. These exercises can prove invaluable in identifying weak spots, improving processes and technology, and in crafting recovery plans that minimize the fallout of a breach. While many businesses run cybersecurity exercises, few manage to extract maximum value from them. Here are five ways to do exactly that.
1. Review the exercise and feedback
It’s only by assessing the cybersecurity exercise in-depth that you can gain insights into what action needs to be taken to improve your defenses and overall response. This exercise review must be methodical. Discuss problems that arose, pore over the feedback that participants provided, and analyze where your organization’s strengths and weaknesses lie.
Evaluate how participants handled the incident as it developed, identify where your processes fell short or were not followed, and assess which technologies were used. When looking at participants, ask questions such as the following:
- How quickly and effectively did they detect the cyberattack and determine its scope?
- Did they triage, investigate and respond to attacks as expected?
- Was sensitive information properly protected?
- Did they make the right decisions and follow instructions properly?
- Were the defensive actions taken recorded?
- Did participants effectively communicate and work together with colleagues?
- Was the correct chain of responsibility followed with appropriate alerts to the right people?
2. Compare with other exercises and data
To give your assessment more context, it’s helpful to compare the result of your latest exercise with previous cybersecurity exercises. Naturally, you’ll want to include previous exercises you conducted internally, but it’s also smart to identify similar exercises run by peers and to pull in other sources of information. Additional contextual data can be drawn from incident analysis results, information risk assessments, and System and Organization Control (SOC) reports.
3. Create an action plan
Once you have a clear indication of what went right and what went wrong with your cybersecurity exercise, craft a plan to mitigate any problems you identified. While it should include recommendations for improvement and specific actions to address issues that arose, it’s also important to consider how achievable your suggestions are. Bear in mind that plans may be sidelined or rejected if found to be too difficult or expensive to implement.
Many different elements should be stirred into your plan, including recommendations for staff training, updates to procedures and processes related to incident response and business continuity, new or enhanced security controls, and suggestions on software and tools that might improve your infrastructure. Remember to attach a tangible benefit to every suggested action.
4. Share findings with stakeholders
With your review and analysis complete, and a clear action plan drafted, it’s time to present your findings to key stakeholders. The shorter the gap between the end of the exercise and the meeting, the better, provided your analysis has been thorough and your plan for suggested action well-thought-out. Pull together all the appropriate internal people from across the company and any relevant external parties.
The presentation must consider the original objective of the cybersecurity exercise, it must raise any problems that were revealed, and it must explain what action is required for effective mitigation.
Think about the requirements for each of the stakeholders in attendance, so they understand what’s expected of them. Highlight the benefits of your action plan beyond simply addressing issues that arose during the exercise. There will inevitably be some debate during this phase, but eventually, you will reach a consensus and tweak the action plan accordingly.
5. Implement the action plan
Even with an approved action plan in hand, there’s still some work to be done to ensure that it is fully realized. Take time to:
- Assign a responsible party to implement each action that’s outlined in the plan.
- Set a priority level and an implementation deadline for every action.
- Allocate appropriate budget and resources to complete each action.
- Monitor progress and follow up to ensure effective and timely implementation.
Keep all documentation and analysis related to the cybersecurity exercise for future reference and use it to determine, in part, how future exercises will be conducted.
Cybersecurity exercises can be an extremely effective way of assessing your defenses, and they are a vital component of any security strategy, but only a comprehensive review that drives an action plan will deliver maximum value.
Steve Durbin is managing director of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. ISF membership comprises the Fortune 500 and Forbes 2000. Contact him at steve.durbin@securityforum.org.