Crisis Management 2025

USA – NEW YORK
Trends and Developments
Contributed by: Evan Roberts and Meredith Griffanti, FTI Consulting, Inc.

What Success Looks Like – Insights in Action

If companies avoid these pitfalls, they are well on their way to a meaningful, productive exercise. But what does it look like for an exercise to be more than a check-the-box compliance activity, and what kinds of actionable – and potentially unforeseen – insights might come out of a truly excellent tabletop? Below are just a few examples to encourage regular tabletop drilling.

• It is the little things – and they can have major implications. When designing cybersecurity incident response plans – whether they be for information security, legal, communications teams or all of the above – it is virtually impossible to account for every nuance of an organisation’s tech stack and IT infrastructure. The little things often go overlooked – but they can have real-world consequences in a live cyber crisis. For example: in a recent exercise, an organisation decided, as part of its containment and remediation process, to conduct an enterprise-wide password reset without giving much context to its workforce as to why. Subsequently, company leadership realised that many of their business units relied upon a sizeable number of external contractors, and they also had a significant number of employees collocated onsite with their customers. Suddenly, the risk of a leak – and speculation – became much higher, forcing the executive team and communications team to decide to distribute an emergency text alert to all staff explaining the need for the sudden password reset. This type of seemingly trivial nuance is easy to overlook in crisis communications or incident response plans, but it can be spotted by thoughtful tabletop exercise participants. It is much easier to come up with a fix for something of similar

legal, communications and IT/information security feeling completely hopeless.

• It is a drill – companies should make sure everyone knows that. Just about everyone knows that slides used for a tabletop exercise should be marked “fictional scenario for training purposes” or something similar. But what about more intricate exercises or simulations that involve sending email injects to participants throughout the day? Those are great, but companies should make sure everyone who will be tapped to play a role knows ahead of time that there is an ongoing exercise. The last thing companies want is for someone to be sent a fictitious ransom note that gets flagged to IT as a real threat, with IT ending up disconnecting all or portions of a company’s network in a panic, creating a real business interruption from what amounts to grown-up Dungeons & Dragons. While this sounds fantastical, it has actually happened – more than once.

• Gametime is set – and it is called on account of rain. This is less a case of a poorly designed exercise, and more an indication that an exercise is exposing a fundamental lack of understanding of how real-life cyber crises play out, and of why creating realistic exercises is so important. If a tabletop was intended to be conducted in person and there is a sudden snow day, companies should pivot to something virtual. Organisers should not punt an exercise into next month because the weather is inconvenient or the head of HR is out sick. Cybercriminals halfway around the world or sophisticated foreign intelligence operatives do not care that it is not blue skies and sunshine, and the exercise should not either. Companies should be as flexible in their tabletops as they would need to be in a live cyber crisis.

182 CHAMBERS.COM