Cyber exercise case study: Budgeting
Investing effectively and efficiently in cyber security is hard. Very few organisations have the budget to do everything, so decisions have to be made and priorities established. Understanding where to invest is a fundamental step in making these decisions.
Cyber exercises allow you to experience realistic cyber incidents so you can work out how much to spend on cyber security and where. Cyber exercises allow you to assess the value of a potential investment before you actually make it.
Cyber exercises have been used by the military for some time. However, they are a relatively new concept in the private sector. To help explain how they work and how they can add value, this case study considers a single exercise scenario.
This case study will show how a company can use cyber exercises to prioritise their cyber security spending. It will show how a combination of well informed cyber and business decisions can improve the resilience of the company. It will also highlight the value of involving people from across the organisation in cyber incident management.
Example Ltd manufacture components for the aerospace industry. The company leadership has made cyber security a priority; however, the business lacks the resources to establish a fully featured cyber security capability.
Example Ltd are struggling to understand which cyber security measures they should implement and where. They have considered a number of individual cyber security products and services but are unable to tell which will deliver the greatest benefit to their business. They are also concerned that they are about to make investments without a full understanding of the value that will be delivered.
They decide to conduct a cyber security exercise to simulate how they would perform in the face of realistic cyber incidents. The plan is that by simulating an attack they can work out where they are most vulnerable and so prioritise investment in those areas. They can also consider products and services in exercise scenarios before they commit to purchasing them. This allows them to understand the value of these investments before they commit to making them.
The exercise is conducted in a tabletop format with the help of an experienced facilitator. Individuals from across the company, and not just IT and security, are involved. This allows Example Ltd to better understand how the whole business would be impacted by a cyber incident.
In this scenario a ransomware attack disables a number of computers across the business. The discussions reveal that HR would be unable to do the monthly pay run, dispatch would lose access to order information and production would stop.
The main business priority for Example Ltd is the timely dispatch of their products. The cyber exercise has allowed them to understand the impact of a cyber incident on their dispatch function. They therefore decide to invest in cyber security in this area. They consider a number of different measures in their exercise scenarios and decide to invest in patch management. They considered network segmentation but judged that, for their circumstances, the costs outweighed the benefits.
Production is less sensitive to a cyber incident as they maintain a 10-day stock of finished products. To mitigate the impact of a cyber incident extending beyond this period they plan to conduct a real-world test with their IT supplier. This will let them see how long it would take to rebuild their production systems from the ground up.
Ensuring everyone gets paid on time is important to Example Ltd. However, given their low staff turnover and the strong values of the company, they assess that a late payment of wages would not lead to staff failing to turn up for work. To mitigate the impact of a cyber incident, HR decide to engage with their bank to investigate how they could conduct a pay run without access to their normal systems. Repeating the previous month’s pay run and issuing cheque books are two options that can be considered and prepared for.
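The steps above (run the scenario, record how long each business function is down and how long it can tolerate that, then weigh candidate measures) can be turned into a small prioritisation model. The following is an added example, not material from the original case study or Example Ltd: the business functions, their tolerable outages, loss rates, measure costs, the outage-reduction factors and the annual likelihood of a ransomware incident are all constructed assumptions chosen to reproduce the shape of the scenario (only the 10-day finished-goods stock for production is taken from the case study). The model counts loss only for outage beyond a function's tolerance window, which is why payroll, with a monthly run and a tolerant workforce, drops out of the ranking the way it does in the case study.

```python
"""Turn tabletop-exercise findings into an investment ranking.

Added example; all figures below are constructed assumptions, except the
10-day finished-goods stock for production, which the case study states.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    tolerable_outage_days: float  # how long the business copes before loss accrues
    loss_per_day: float           # assumed loss per day beyond that window


@dataclass
class Scenario:
    """Outcome of one exercise run: how many days each function is down."""
    outage_days: dict[str, float]


@dataclass
class Measure:
    name: str
    annual_cost: float
    # Multiplicative change to each function's outage length (1.0 = no change).
    outage_factor: dict[str, float] = field(default_factory=dict)


# Constructed inputs (hypothetical). Production tolerance reflects the 10-day stock.
FUNCTIONS = [
    BusinessFunction("dispatch", tolerable_outage_days=1, loss_per_day=20_000),
    BusinessFunction("production", tolerable_outage_days=10, loss_per_day=30_000),
    BusinessFunction("payroll", tolerable_outage_days=30, loss_per_day=2_000),
]
RANSOMWARE = Scenario({"dispatch": 7, "production": 14, "payroll": 7})
LIKELIHOOD_PER_YEAR = 0.2  # assumed chance of such an incident in a year
MEASURES = [
    Measure("patch management", 15_000,
            {"dispatch": 0.5, "production": 0.5, "payroll": 0.5}),
    Measure("network segmentation", 40_000,
            {"dispatch": 0.6, "production": 0.4}),
    Measure("rebuild test with IT supplier", 5_000,
            {"dispatch": 0.9, "production": 0.7}),
]


def functions_exceeding_tolerance(functions, scenario):
    """Names of functions whose outage runs past what the business can absorb."""
    return [f.name for f in functions
            if scenario.outage_days.get(f.name, 0.0) > f.tolerable_outage_days]


def scenario_loss(functions, scenario):
    """Loss for one scenario: only the outage beyond each tolerance window counts."""
    total = 0.0
    for f in functions:
        down = scenario.outage_days.get(f.name, 0.0)
        total += max(0.0, down - f.tolerable_outage_days) * f.loss_per_day
    return total


def apply_measure(scenario, measure):
    """Scenario as it would play out with the measure in place."""
    return Scenario({name: days * measure.outage_factor.get(name, 1.0)
                     for name, days in scenario.outage_days.items()})


def rank_measures(functions, scenario, measures, likelihood_per_year):
    """Rank measures by expected annual loss avoided minus annual cost."""
    baseline = scenario_loss(functions, scenario) * likelihood_per_year
    ranked = []
    for m in measures:
        residual = scenario_loss(functions, apply_measure(scenario, m)) * likelihood_per_year
        avoided = baseline - residual
        ranked.append({"name": m.name, "expected_loss_avoided": avoided,
                       "annual_cost": m.annual_cost, "net_benefit": avoided - m.annual_cost})
    ranked.sort(key=lambda r: r["net_benefit"], reverse=True)
    return ranked


if __name__ == "__main__":
    print("Beyond tolerance:", functions_exceeding_tolerance(FUNCTIONS, RANSOMWARE))
    for row in rank_measures(FUNCTIONS, RANSOMWARE, MEASURES, LIKELIHOOD_PER_YEAR):
        print(f"{row['name']:<32} avoided {row['expected_loss_avoided']:>9,.0f} "
              f"cost {row['annual_cost']:>7,.0f} net {row['net_benefit']:>9,.0f}")
```

With these assumed numbers the ransomware scenario breaches tolerance for dispatch and production but not payroll, and segmentation ranks last because its annual cost exceeds the expected loss it avoids, mirroring the judgement the case study describes. The value of the model is not the figures but that every number in it is something the tabletop discussion can elicit from the people who run each function, and that changing an assumption (a different likelihood, a shorter stock buffer) immediately shows whether the ranking holds.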
How cyber exercises helped
Conducting a cyber exercise has allowed Example Ltd to prioritise their immediate cyber security budget to the area that they consider to be most important to the business. The exercise also allowed them to evaluate cyber security investments before they made any commitments.
Cyber exercises maintain the focus on business operations. Example Ltd were able to make non-cyber security decisions, such as adjusting stock levels, based on the understanding they gained from the cyber exercise.
Involving people from across the company in the exercise has allowed Example Ltd to consider a cyber incident in a holistic way. This involvement also prompts people across the business to come up with their own solutions to a cyber incident, as HR did by engaging with the bank.
In the longer term the company leadership can use the output from the exercise, assessed against standards such as NIST 800-61, to understand the areas they need to work on. They can then use this as a roadmap to progressively improve their cyber security over the next 12-24 months. Further exercises can be conducted during this period to keep track of progress. They can also allow Example Ltd to keep abreast of emerging threats or changes to how the business functions.