Op-Ed: How cyber crisis simulations prepare organisations to mitigate cyber threats

The 2021–2022 financial year saw an increase in cyber crime, with over 76,000 reports made to the Australian Cyber Security Centre (ACSC), with no signs of slowing down. This trend has forced organisations to take a deeper look at their cyber preparedness and responses to reduce the damaging impact of an attack.

Organisations must move beyond focusing on just investing in more secure tools and technologies and redirect attention towards the human side of cyber security. Having a workforce that is well-informed about the most common threats, along with effective protocols in place to handle cyber attacks, is critical in preventing catastrophic outcomes. This is particularly true in a security landscape where threats are rapidly evolving, and attackers are increasingly targeting unprepared employees through tactics like phishing and ransomware.

Running crisis simulations is one of the most effective ways of boosting human cyber resilience. These simulations can pressure test both teams and processes by creating real-world, hands-on environments to prepare and train staff for the event of a breach. These scenarios should reflect the organisation’s most common or critical risks today. However, when running practice scenarios, there are often a few problems that tend to arise across many different organisations.

The most common issues are:

1. Lack of defined delegation chains and unclear accountability

Most delegation chains go one person deep. So, if the first point of call isn’t available, then the decision goes to the next person. However, this system fails when that person is also unreachable. This highlights the importance of a broader and more dependable fallback plan; ideally, one that’s not reliant on a specific individual but rather tied to a role, like the incident lead. Furthermore, it’s important to clearly define the decision-making capabilities for each role.

Too often, an incident lead theoretically has the power to shut down systems; however, in reality, they can’t do this without the CEO’s approval, ultimately rendering the delegation chain ineffective. If an employee is given the authority, are they prepared to exercise it? If the answer is no, the business must make sure that the decision-making process is properly documented. Most of the time, the decision-making processes laid out in playbooks are theoretical, and not practical in a real-world setting. Organisations should focus on creating comprehensive, pragmatic delegation chains that function effectively in any circumstance.

At the end of the day, who is responsible for making these decisions? And, to what level can they make that decision? Organisations need to be explicit in the playbook or response documentation around the threshold to which decisions can be made. Who can make which decisions and who assumes responsibility for each action should be clearly defined. For example, an incident responder may have the authority to deactivate infrastructure items A, B, and F; however, C and D can only be decided by another individual.

VIEW ALL

This responsibility could be determined based on the level of impact on the customer or even the financial implications. There need to be clear guidelines that empower individuals to make critical decisions, such as shutting down systems, without hesitation or uncertainty about their authority. For the most part, the stumbling block often lies not in an individual’s unwillingness to make decisions, but in their uncertainty about whether it falls within their jurisdiction. This lack of clarity often leads to unproductive finger-pointing.

2. Paralysis through analysis

Quick decision-making, even without the benefit of a complete information set, is critical in crisis management. Often, the instinctive response is to await further data or delve deeper into the problem for analysis. While this can sometimes lead to better-informed decisions, it can also act as an avoidance tactic, delaying necessary action. Indecision or passivity can, in many cases, be worse than making the wrong decision.

During a malware campaign, damage is actively happening, and every moment spent digging or asking further questions will only make the situation worse. In such high-stakes situations, executives must be comfortable with making decisions under pressure, even when they don’t necessarily have all the answers right in front of them. The reality is that many decisions, particularly in a crisis, fall between bad and slightly less bad options. The goal is not always to select the best option, but to choose the least bad one.

3. Communication is critical

In crisis simulations, a robust communication strategy is crucial, yet it’s an area where organisations often fail to invest sufficient resources. Having a predefined communications plan isn’t just a requirement; it’s an absolute necessity for smooth crisis response and for ensuring all relevant information reaches the right people at the right time, minimising confusion as much as possible. This plan should be comprehensive, targeting all stakeholders involved, not just the customers.

It should also detail what needs to be communicated to the staff, and at what frequency. This is important because employees need to be well-informed and guided, and they are often the first line of contact for the customers. Senior executives, too, require frequent updates, given their roles in decision making and overall management of the crisis. In addition, customers need to be kept in the loop with consistent, clear, and accurate information to maintain their trust in the organisation during the crisis.

Putting humans at the centre of cyber security

Businesses can’t rely on robust cyber security measures through technical solutions alone. The human element is still a major factor in breaches, which means it’s time to close the gap. One way to do this is through cyber security crisis simulations, which offer unique and essential real-life training experiences that every organisation should prioritise.

Consider a situation where an employee’s laptop, repaired by an external IT technician, leads to a data leak. The challenge lies in deciding whether to track down the technician or mitigate the online data spread. Such complex situations require quick, informed decisions: a skill that can be honed through crisis simulations.

These simulations go beyond typical training exercises, immersing personnel and processes in simulated emergencies before they face the real deal. By highlighting areas for improvement and fostering collaboration among team members, crisis simulations let organisations develop battle-tested approaches for crisis management. Ultimately, the more prepared an organisation’s employees are for the real thing, the better they will do when, not if, a genuine attack occurs.

Craig Searle is the director of consulting and professional services (Pacific) at Trustwave.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.