Investment by top management in cyber security is vital, and plunging them into the middle of a cyber attack is the best way to get their attention, says Marco Gercke, director of the Cybercrime Research Institute.
“Getting top managers out of their comfort zones to feel the stress of making decisions in a cyber attack is a powerful teaching tool,” he told the Gartner Security and Risk Management Summit 2014 in London.
The simulation approach, which is gaining traction in commercial and government organisations around the world, is patterned on war games used by military organisations.
“The aim is to confront top managers with what feels like a real situation in which they are required to make decisions relevant to their roles,” said Gercke.
The idea was inspired by a government minister who was not very supportive of cyber security initiatives, but then became a champion of the cause after his personal email was hacked.
“The minister’s attitude completely changed because cyber attacks were no longer theoretical, but something real that had impacted his personal life,” said Gercke.
He believes it is vital to get support from top managers because they are often the targets of attacks aimed at gaining entry to a network. He said they are also often unaware of the devastating effects cyber attacks can have on a business and do not know their legal and regulatory obligations.
“Simulations can be used to illustrate and highlight all these things, as well as force top managers to answer and ask questions about their organisation’s cyber defences,” said Gercke.
Often, simulations force top managers to identify their organisation’s most important data assets for the first time, as well as consider the risks that cyber attacks pose to those assets.
These exercises can be used to define what top managers need to do in the event of a cyber attack and to train them on how to be good at delegating, how to keep control, and how to ask the right questions.
The exercises also present an opportunity to encourage a shift from spending 100% of the IT security budget on technology to 70% on prevention, 10% on detection, and 30% on response and recovery.
A manager’s private mobile device could be infected in a simulation scenario, for example, leading to a breach of the corporate network to mirror attack techniques used in the real world.
“In one targeted attack, I have seen attackers poison the websites of local golfing clubs to infect a particular golf-loving executive’s mobile device to access merger and acquisition data,” said Gercke.
Simulation exercises should identify and focus on the type of decisions that top managers are called on to make during cyber attacks, such as when to contact the media and what to say.
“In a real cyber attack, I once saw a board take nine days to issue a press statement because they did not understand the complexity of their company’s IT systems,” said Gercke.
“At the time, the financial impact of the delay was estimated at around $10m,” he added.
Gercke believes the simulation approach is extremely useful in getting the attention of top managers and enabling better communication between them and IT security professionals.
But he warns against turning such events into table-top exercises. For this to work, Gercke says, top managers need to forget it is a simulation and feel the stress in sessions that last at least 45 minutes.
“Start with an email with an attachment that appears to come from the company CIO, and then go on from there with a scenario that is tailored for the particular organisation and industry,” he said.
“Make it real, make it personal, and then follow it up with a detailed debrief to ensure top managers understand what happened, why it happened, and the consequences of their decisions.”
He believes that using simulations is successful because it can be “fun” and it provides an opportunity for top managers to experience the challenges of facing a live cyber attack.
Gercke said it is a useful strategy not only for getting the attention and involvement of top managers, but also for educating them about the status of an organisation’s defences in order to identify potential gaps.