Cyber exercise case study: Optimisation
Balancing good cyber security with business productivity is not easy. All too often the textbook cyber security measures result in friction in the business and a reduction in performance. Worse still is when these same measures then get bypassed by users, meaning the investment in them offers no security benefit.
Cyber exercises allow you to optimise your cyber security and reduce business friction. They let you understand how an incident would affect your business and what the impact would be. This lets you take informed decisions about how to minimise this risk while limiting the impact on day to day business. They also let you learn from a realistic incident without the pain of actually having to experience one.
Cyber exercises have been used by the military for some time. However, they are a relatively new concept in the private sector. To help explain how they work and how they can add value, this case study will consider how a fictional company could use them to improve their cyber security and enhance productivity.
Example Ltd are in the manufacturing sector. Their reliance on information technology has increased in recent years and their leadership now recognise how important it is to the successful running of the business. They have some cyber security measures in place but they want to take a more holistic view of how the business would handle a cyber incident.
They have noticed that companies that experience a serious cyber incident typically make large improvements after the incident. These companies also learn a great deal in the process of dealing with the incident. Example Ltd want to make these improvements and gain this understanding without having to experience an incident and the associated costs.
They decide to conduct cyber exercises as they consider them to be the most comprehensive and realistic way of experiencing a cyber incident. They hope to use them to identify areas of weakness, refine their incident response and create a more security focused culture. This all works towards the larger goal of minimising the impact of an incident should one occur.
Exercising to understand
They conduct a cyber exercise to gain an understanding of where they currently are in terms of their cyber security posture. This exercise is the first time that people from across the business, and not just IT and security, have been brought together to work out how a cyber incident would affect their areas.
One exercise scenario considers a simple phishing attack. This scenario involves a user receiving an email with an attachment that, if opened, would lead to that computer being compromised. This would allow the attacker to steal or destroy data or to attack other computers in the company for the same ends. As the exercise involved people from across the business, it was possible to discuss how this type of incident would affect each area of the company.
From these discussions it was realised that the loss or compromise of the sales database would have a huge impact on the ability to secure new business. It was also noted that as the sales database was simply a spreadsheet, it could quickly be compromised by a single phishing attack.
The impact on production systems was also discussed. Here it was found that if a computer controlling the manufacturing process was compromised all production would potentially stop.
The finance team also noted that they would be significantly affected if it was one of their computers that was compromised. This was because of the accounting and banking services that are accessed from these machines.
Example Ltd realise that they have multiple areas to consider. They decide to prioritise only a single area at a time. They consider the impact of these issues and decide that an incident affecting their sales team would have the biggest impact on the business. They plan to address the other issues as soon as they have a plan established for the sales team.
Example Ltd realise that having the entire sales database in a single spreadsheet is making them very vulnerable to a range of incidents. They decide to invest in a cloud based sales database that uses two-factor authentication (for details of what two-factor authentication is and why you should use it, check out this podcast). The impact of losing access to one of the sales computers would now be minimised as the sales team can access the cloud service from any computer with a web browser.
The use of two-factor authentication does, however, add some friction to the sales team’s daily work. This friction has been accepted in principle by the sales team as the new cloud based service offers far more features than their spreadsheet previously did. Having taken part in the cyber exercise, the sales team are also aware of the role that two-factor authentication plays in protecting the confidentiality of their sales data.
Example Ltd consider implementing additional security controls on the email coming into their sales team. They are already using a reputable email service and feel that additional controls will limit the sales team’s ability to conduct their day-to-day business. They instead consider segmenting the sales team’s computers from the rest of the organisation to limit the wider damage that an incident could cause.
They confirm that these changes will reduce the impact of an incident by conducting another cyber exercise prior to making any changes or investment. They then plan to repeat this exercise after they have implemented the changes to confirm their initial assessments.
How exercises helped
Cyber exercises bring people together from across the organisation and provide the framework for them to discuss how a cyber incident would affect the ability of the business to function. Focusing on business impact rather than the technology gives the discussion a framing that non-IT and non-cyber security managers can understand. This allows them to make well informed, business focused decisions.
This understanding underpins all subsequent decisions concerning cyber security investment and business continuity planning. Decisions to make changes or investments can be directly linked to the value they bring in preventing or minimising the impact to a specific part of the business.
The cyber exercises also helped by raising awareness of common security issues and threats throughout the organisation. This resulted in a higher degree of understanding as to why the IT department were always warning about suspicious emails.