CISOs are rethinking the way cyber crisis training is conducted; focusing on improving cognitive agility to speed up human response in pressure situations.
A survey of 400 CISOs by Osterman Research showed that table-top exercises were failing, with 40 per cent admitting they have little confidence in responding teams. Tabletop exercises are meant to help organisations consider different risk scenarios and prepare for potential cyber threats. The fact that just over half (53 per cent) had taken the step of setting up a regular Incident Response (IR) group compounded this finding. The paper was keen to note that where tabletop exercising was taking place, more often than not it excluded communications teams (80 per cent) and customer teams (87 per cent). In a modern cyber crisis response, which is an all-consuming brand and customer issue, this approach leaves significant gaps — leaving the organisation vulnerable to a plethora of risks.
Here’s proof. According to an IBM report, the average cost of a data breach in 2020 was $3.86 million, a 1.5 per cent decrease in costs from 2019 but still a 10 per cent rise over the last five years. Here, organisations with incident response teams and plans in place averaged breach costs of $3.29 million, while organisations that didn’t have any such plans witnessed an average breach cost of $5.29 million.
Moreover, attackers evolve fast and update the methods they use to infiltrate organisations. Yet, on average, companies will conduct a dry-run of their protocols once a year. Micro-drilling is a new approach to overcome the limitations of less frequent, meeting room style tabletop exercises. It also suggests looking beyond the security team and training different departments so companies can establish a unified response to a breach. Leadership must also participate in taking calls such as; how to manage trade-offs associated with cybersecurity, and how to discuss cybersecurity issues and protocols more effectively.
Developing cognitive agility
People typically lean on their natural decision-making skills, if faced with a situation they haven’t dealt with before. The cybersecurity team will analyse the parameters of the attack, try to map it to a situation they’ve experienced before and draw conclusions from those aspects. Security experts say this method can be the start of a series of decisions based on wrong assumptions because of cognitive biases. Progressive psychological research into the skills required to work in stressful crisis environments has identified the need for a new type of agile and adaptive thinking — called cognitive agility.
To use this approach, companies need to develop the mental capabilities of the individual responders to act individually or as a team and be prepared to go beyond a predefined set of situations. Immersive Lab’s Cyber Crisis Simulator throws decision-makers into an emerging attack scenario. Leadership can experience how human psychology plays its part in an evolving crisis and see the impact of decisions made under pressure in real-time. The model can collect data on the performance of each decision, it also provides a feedback loop to spot patterns to help teams improve decision-making.
Infection Monkey is a solution that tests an organisation’s infrastructure running on Google Cloud, AWS, Azure or premises. It runs a non-intrusive attack simulation so it doesn’t impact network operations. Similarly, NeSSi2 is an open-source simulator that focuses on testing intrusion detection algorithms, network analysis and profile-based automated attacks. Security validation platform AttackIQ lets companies customise the attack scenario to focus on industry-specific attacks and mimic real-world threats as closely as possible.
Also Read: When The Chips Are Down
When Deloitte worked with Bursa Malaysia, a stock exchange, to prepare their team to combat possible cybersecurity attacks, it suggested a range of exercises from basic incident exercising to dynamic cyber war games. The training touched upon deploying incident response notifications across the company, crisis response to customers and press, and following breach protocols based on the laws in that region. Viewing crisis response as a strategic business issue – not just a technical one – allows for better information sharing across legal, communications and finance teams. This is imperative to ensure that all stakeholders understand the business impact of a breach in monetary terms.
Deloitte’s crisis simulation uses information, analytics and tools that could be available in real crisis situations combined with practical experience to immerse participants in an interactive environment. The most intense simulations mimic worst-case scenarios. When participants make decisions, they must consider the consequences of their decisions in the days, weeks and even months to come. The crisis simulation provides insights into an organisation’s readiness to manage crises, calculates confidence, clarifies roles and identifies what aspect of the crisis management plan needs to be escalated.
According to psychologist Rebecca McKeown, advisor to the US Ministry of Defence, the micro-drilling approach requires companies to run simulations more frequently, like once every two months. It needs to add variation in the type of simulations it runs and analyse the data from these simulations to spot patterns. By involving all stakeholders and thorough repeated simulations, the team can build resilience towards external attacks and protect from internal threats.
With the pandemic induced remote working situation, the need to train every member of the team, regardless of the nature of their job, has increased in proportion to the risk. The very people who are closest to the data and corporate assets can often be a weak link in a company’s cybersecurity program. This is particularly a concern when employees use personal devices, share passwords or files over unprotected networks, click on malicious hyperlinks sent from unknown email addresses, or otherwise act in ways that open up corporate networks to attack. Threats from inside the company account for about 43 per cent of data breaches, as per data from a McKinsey report. In such a situation, keeping the team well-prepared for the worst seems like the only available option.