Never let a crisis go to waste: Preparing for a cyber attack
Cyber attacks today are more prominent than ever. According to Verizon’s 2015 Data Breach Investigations Report, nearly one million malware vulnerabilities are created every day.
Security spending is also up, according to Citrix CTO Faisal Iqbal. Iqbal, who led a session on the future of data security at the 2015 NextGov Prime conference, said that almost 75 percent of people have been attacked one way or another, especially through vulnerable mobile devices.
“There is no silver bullet, but technology can help mitigate risk,” Iqbal said.
One technology that is shaping how companies react and respond to cyber breaches is the concept of cyber wargaming.
“Cyber wargaming is an interactive technique that immerses potential cyber-incident responders in a simulated cyber scenario to help organizations evaluate their cyber incident response preparedness,” Daniel Soo, a cyber wargaming leader for Deloitte simulations explained.
These cyber war simulations, used by Deloitte and other crisis management services, prepare clients to handle a cyber attack.
During a demonstration last month, Powers pinpointed technology and innovation as factors that increase cyber risk. “Strategies to do better create cyber risk, but organizations can’t give that up,” Powers said.
This is why resilience is one of the goals Deloitte had in mind when designing its wargames.
“How do you make the organization stronger and more durable and able to recover from these types of incidents?” Powers asked. “It’s probably not minimized the threats, but it’s reduced the risk, because it’s made the organization better prepared to deal with not just a particular scenario, but made them better prepared to make better decisions and to communicate with their stakeholders more proactively and effectively when they do have an incident.”
The cyber wargame itself is just one of seven steps that Deloitte takes to help clients with preparing for a cybersecurity breach. They spend time designing the scenario based on objectives that the client has, before coordinating the logistics of the simulation and developing appropriate materials. After the wargame has been completed, the team writes up a report to help the client better understand how they can improve their cyber preparedness.
Sitting around what is supposed to be an executive office, eight individuals playing high-level executives deliberate how to handle an hours-old cyber attack.
“What do we know?” the CEO, played by Powers, asks.
The Chief Risk Officer suggests that they conduct incident response internally, in addition to letting law enforcement do their job.
The team goes on to simulate dealing with the cyber breach one day, one month and one year after the incident.
Soo, the game leader, reads off what he calls injections, bits and pieces of information for the simulation based on how the players have responded.
The scenario jumps from one day after the staged cyber breach to a month and then a year later. The game leader announces a dramatic drop in stock for the made-up company, along with a failure to renew third party contracts with some of the company’s vendors.
“I assume I still have my job?” the CEO quips.
After the wargame is over, Powers explains the reason for the progression in the simulation time period.
“We like to show kind of the progression of an incident,” Powers said. “Whether it’s 30 days or 60 days or whatever it may be, while that’s a very hectic time and there’s a lot going on, that’s not the end of it.”
When Deloitte first started offering cyber wargame simulations to clients, they focused on lower-level employees, usually in IT, that would be responding directly to cyber attacks. Today, almost 50 percent of the simulations they execute are with C-suite level executives, the people who will be making decisions during a cyber breach.
The clients that participate in cyberwar games aren’t going through just one simulation. Deloitte’s Lawrence Lai, who manages cyber war game portfolios, says 60 to 70 percent of clients complete multiple simulations, as many as 4 or 5.
“Participants are learning what their roles are in a cyber crisis, how to make sure decisions are being followed through on, and how to manage the escalation of an attack,” he said. “It’s one thing to have a plan, it’s very different to execute it.”
Emily Mossburg, Deloitte’s Resilient team practice leader, shared proof of the wargame’s effectiveness in preparing organizations to better handle cyber breaches when they happen.
“There’s changes to policy and high-level guidelines. There’s changes to processes and plans. And in many cases there are actual shifts in terms of solutions,” she said.
“We’re really trying to make it as absorbing as possible,” Mossburg added.
According to Powers, Deloitte operates with an approach of resilience to cyber war, not just security or vigilance. This sets them apart from crisis management competitors such as Booz Allen Hamilton.
Part of resilience is not just the team’s ability to become capable of dealing with a security breach, but how to restore confidence in an organization’s stakeholders.
“It’s one of the areas that often gets kind of overlooked in the initial stages. Everything gets focused on the IT piece,” Powers said.
Deloitte is not only designing wargame simulations for individual clients, but for entire industries. The group spent time designing “threat maps” for 22 different industries.
For simulations, the wargames are fairly realistic. Powers explained that they tailor their wargames to create realistic scenarios for their clients.
“The targets of a cyber attack tend to vary by industry, whether it’s the technical designs of a company’s product or a retail organization’s credit card database,” Powers said. “Those threat maps or threat profiles will serve as a basis for the simulation.”
The cyber war simulation focused on a company in the private sector, but Department of Homeland Security deputy assistant secretary Gregory Touhill says the simulation doesn’t change much for federal agencies besides the content of the breach.
“It’s a great framework for risk in general,” he said. Touhill also stressed the importance of cyber war simulations such as the one that Deloitte provides. “Folks that don’t practice ahead of time generally fall.”