Cybersecurity: expect the unexpected

Even though they are a nuisance, there is a reason your office building holds regular fire drills. If there really is an emergency, everyone will (or should) know how to act. Emergency drills are routine across any number of industries. Police practice for active shooters. Smart retailers prepare for Black Friday’s crazy shoppers.

And yet [tweet_dis]most companies are totally unprepared when hit by a cybersecurity event[/tweet_dis], and this leads to chaos that makes things even worse. Security experts are thus increasingly recommending that their companies begin routine cybersecurity drills.

Rapid response or bust

Today, industry regulators, the media, and your customers will expect immediate disclosure of a serious data breach, explained Chris Covell, CIO with Absolute Software. The longer you wait to disclose a breach, the less trustworthy you are perceived, so it’s vital to act quickly.

“Having crisis communications plans in place for media, customers, partners, and shareholders will enable a fast, efficient response,” he said. “This includes creating draft email communications, press releases, and landing pages to explain what happened, how your company is addressing it, and what customers should do in the meantime.”

When a security incident occurs, the main objective is resilience–the ability to maintain the smooth running of core operations, isolate the threat, remediate it, and execute on your crisis management plan. Then, as people work through various drill exercises and evaluate their results, Covell pointed out, they will learn from their mistakes, become familiar with different threat scenarios, and be less likely to be caught off guard when a real security incident occurs.

Assembling your drill team

Before conducting drills, there needs to be a security team in place to not only conduct the tests but to serve as the frontline during an actual incident. In addition to IT and security professionals, the security team should include representatives from communications, legal, and leadership teams. Covell pointed out that more companies are collaborating with their suppliers and business partners to develop joint processes to follow in the event of an attack.

“This makes a lot of sense considering up to one third of all breaches occur due to an external attack targeting a business partner or third party organization,” he said. “You want to work with your partners to share experiences and develop best practices for cybersecurity scenarios involving multiple parties.”

The actual drills can be done in a variety of ways. They can be in the form of planned exercises or spot checks, can involve role-playing exercises, and can involve specific teams or participants across the entire organization. The drills test to see how well employees understand security risks, but will also allow the security team to practice its reaction to a potential threat.

“It makes sense to work through scenarios in sandboxed environments to train IT and security staff to successfully overcome a cyberattack,” Covell said. “This will help solidify IT processes and procedures and hone technical competencies for coping with cyberattacks. Be sure to evaluate the overall response as a group–this can be the most beneficial part of the exercise as teams learn from each other’s mistakes and collaborate to identify areas for improvement.”

Drills aren’t just for IT’s benefit

Security drills are important from a cybersecurity team standpoint, but they are vital for employees, too.

“It is important for employees to learn how to make smarter security decisions as this will help companies manage phishing and social engineering attacks like ransomware, CEO Fraud and the like. It costs businesses millions of dollars, their reputations and in some cases, the company,” explained Stu Sjouwerman, founder and CEO of KnowBe4.

A popular–and highly recommended–type of security drill is simulated phishing attacks. Someone on the security team sends out a fake message from a company executive, a regular vendor or the IT department, for instance, with an urgent message and a link to click for more information. The security team would then be able to monitor who clicked on the link.

Social engineering is another good testing method. “A tester could make random calls to users across the company saying that they need the user’s ID and password to conduct some troubleshooting on their email account. Training dictates you never give that information to someone, especially over the phone, unless you can verify their identity,” says Bill Crews, president/owner of Security & Resilience Consulting.

Covell admitted that cybersecurity drills may feel intimidating but once you make them a regular occurrence, people will start to feel more comfortable when faced with different cybersecurity scenarios. Once you’re properly prepared, he added, you can approach any crisis without panicking and by following the practiced steps.