Picture the scene

It's 10.00am in your office in an industrial park on the outskirts of a major Australian city. You've just dialled off from another 'frank' meeting with the global IT team, who are holding out on upgrading your local hardware because they are trying to get a better deal on a global package. Your argument that your equipment is five years older than everyone else's hasn't budged them one bit. The head of production has already been in twice this morning reporting on glitches with the brand new machine that arrived from Europe last week. It's not shaping up to be a good day in the life of a CIO.

And then – things get a whole lot worse. Your head of IT barges into the office in a panic – company systems have been cyber attacked and all of your information is locked down. She needs to know what to do.

Horrified, you try to think on your feet. The most recent cyber security protocols are on the servers – now inaccessible. Your PA blows the dust off the hard copy binder from that planning meeting three years ago. You open it up – it's hopeless. The information – even the contact details – is completely out of date.

Who should your first call be to? The CEO, to let him know? He's on holidays; can he even take calls at the moment? The police – can they even help? Global, to keep them posted? Your off-shore packaging centre, to see if it's spread there and, if not, whether it can be contained? Your PR team – can we avoid this becoming a media storm? Your head of customer relations – is there customer data there that could be compromised?

Everybody has a plan until…

In the moment, these seem like impossible decisions to make under significant pressure and time constraints. Yet in our experience, this is exactly the situation in which a significant number of companies and organisations find themselves. This is not to say that they haven't planned. Cyber security is a concern and a risk for every business, and most have plans in place.
But as boxer Mike Tyson famously said – everybody has a plan until they get punched in the mouth. Very often the suddenness and severity of cyber-attacks can feel like punches to the face – leaving execs dazed and confused, and with little opportunity in the heat of the moment to consult the 50-page response manual.

Response manuals and plans are obviously important, but by themselves they are often useless. Agreeing and documenting your processes in the event of an incident, no matter how familiar people are with them, is a completely different prospect to embedding your plans and having the capability in place to actually react. There is a reason that our emergency response services run large scale simulations of disasters. Teams will have been trained rigorously on first responder actions, coordination, decision making, information management and leadership in theory, but simulations allow them to test these in the field. For cyber incidents, organisations need to have the same level of readiness.

Security trade-offs need contingency plans

While organisations are under intense pressure and competition, there will always be trade-offs made on IT investment and upgrades. When everything is an opportunity cost, legacy systems will remain and upgrades that are not worth the cost won't happen. These are business decisions, and in themselves, when a certain risk profile across the board is necessary, not exceptional ones. However, where decisions are made to wear a cyber risk to save money, there is a corresponding need to then invest in the plans and the readiness to respond comprehensively should those risks materialise. If you have a high risk exposure and are living with vulnerabilities, you've got to invest in genuine cyber monitoring and response capabilities.
The response needs to be holistic too – an integrated approach between the technical responders dealing with the threat and the management teams managing the impacts and critically thinking through how the event could play out.

Top tips for developing a holistic and effective response plan for cyber incidents

Very simple one- or two-hour discussion-based exercises once a year are not going to develop the integrated, fast, responsive capability that enterprises need to respond to an attack like this. The preparation needs to move beyond discussion and plans. A capability investment – the right people with the right skills to manage this – is also required.

Your plans need to be specific to cyber incidents – denial of service, customer data breach, cybercrime, hacktivism, advanced persistent threat etc. – the responses to which are very different to those for more traditional disruption risks. For instance, there will be an active online technical community feeding the media, your ecosystem will be impacted in different ways and will need to be managed differently, and information accuracy will continuously change, which will make for a challenging communication environment.

Cyber war-games are an excellent way to explore the sorts of decisions and communication you would make in these situations. When do we contact regulators, suppliers, staff, retail and B2B customers, and what should we say? How do we work with industry or others to co-ordinate? Cyber war-games provide the opportunity to think about the relationships and interfaces that need to be managed, and that you can easily get wrong in the moment.

There will be technical decisions that need to be made during a response that should be understood well in advance – think about delegations of authority and explore these in cyber war-games. Who has the authority to shut down services? Who decides whether it's OK to monitor a cyber threat to learn more about it and its potential compromise?
Will the organisation bypass its usual governance processes to introduce a production fix quickly? Will it be the senior cyber security leader/CIO, the business owner, the crisis team, ExCo or the CEO?

With cyber risk, your plans, no matter how well laid, are often the least important part of your response. Awareness of cyber threats is only the first level of readiness. What really counts are the exercises and the journey you go through to embed them.

Deloitte offers a range of cyber services for organisations, including cyber war-games.