I’ve attended a number of great workshops, webinars, and other events this year that address this growing topic of interest for all businesses and organizations. We’ve all grown too accustomed (and possibly desensitized) to the news story about another data breach by a Fortune 500 company or other large organization. We know that cybersecurity is a significant risk for each one of us. We hear about great solutions and services in the marketplace to address this risk. But how many of us are more focused on preparation, monitoring, and risk mitigation than on actual response? If so many of the largest companies in the world have responded to their own data breach in spite of their complex and multi-layered defenses, it’s just a matter of time until the rest of us are faced with this crisis. We need to plan for a cyber response just as much as we need to prepare for, implement, and monitor our cybersecurity defenses.
Cybersecurity is not just an IT issue
Many organizations that we’ve engaged with relegate the topic of cybersecurity to the IT department alone. The reality is that during a cyber incident, it quickly becomes “all hands on deck” for all departments. If a cyber incident took place at your organization, how many of the following departmental issues would need to be addressed?
- Legal – contractual, legal, and regulatory issues associated with response actions and communications to customers, media, and regulators
- Finance – coordination of insurance policies and claims, approval and payment of unbudgeted and costly response and remediation expenses, resulting in adjustments to financial forecasts and budgets
- HR – managing internal communications to employees, what they can say, what they can’t say, and addressing all sorts of questions and concerns while trying to keep top talent from fleeing
- Customer Service – fielding much higher than usual call volumes from customers about social media rumors, actual news stories, and other reports about the incident impacting their services or data
- Sales – devising strategies and messages to respond to prospects’ concerns over the incident and how it will affect their decision to buy your services or products
- Marketing/PR – managing communications and strategic messaging on social media, in the press, and preparing executives for interviews
There are other departments that could be impacted as well, and that’s before we even consider the impact to the IT department trying to troubleshoot, respond, and resolve the root cause of the cyber incident.
Planning for a Coordinated Response – Tabletop Exercises
A good cyber incident or data breach response plan should include the coordination of activities, communications, and information among all of the departments listed above. The challenge that we all face is – how do we get them all on the same page to even begin writing a plan? The answer is simply a tabletop exercise.
I have facilitated dozens of tabletop exercises this year covering a broad range of topics and scenarios, and cybersecurity is quickly becoming the most popular topic. In my experience there is no better or more effective way to bring everyone together to understand their role and to define their responsibilities that will be required during a cyber incident.
An effective cyber incident tabletop exercise should include the following elements:
The right participants – make sure you include the right representatives from each department that will have a role to play during an actual incident. While the above list of departments is a good starting point, consider other departments that may have a role to play in operations or other areas of your organization. Certainly include the required IT representatives, but make sure the other departments have the right people at the table.
The right time – set aside enough time for an effective exercise. In my experience, that’s a minimum of 3 hours and should be 4 – 6 hours. It sounds like a lot of time but if done correctly it will be highly engaging and valuable. People should leave with a clear understanding of their roles, responsibilities, and issues that they need to address to set them (and the organization) up for success during an actual cyber incident.
The right objectives – define exactly what it is that you are trying to accomplish during the exercise. Is it to define the roles, responsibilities, and tasks for each department as the foundation for developing a response plan? Or are you trying to identify and resolve any gaps in an existing plan? Other objectives could include focusing on coordination between departments, developing communications messaging, or determining which external resources may be required.
The right scenario – develop a realistic scenario that will achieve your objectives within the allotted timeframe. Make sure you include scenarios and questions for each of the departments participating in the exercise. You don’t want to have anyone sitting around with nothing to do, so be intentional about the scenarios to cover the likely issues of concern for each of your participants.
If you check all the boxes above, you are well on your way to a successful tabletop exercise that will initiate or accelerate development of your cyber response strategy and plans. People should leave the exercise with a clear understanding of the gaps, issues, and action items identified during the exercise so work can begin immediately to address these items. The good news is that most people leave these tabletop exercises motivated to actually tackle the issues and action items that were identified. Placing them in the middle of the fictional crisis elevates their attention and engagement. It’s the reason why these tabletop exercises are so effective.
Finally, there is one important element that I intentionally omitted from the above list for your tabletop exercise – the right facilitator. You need to find the right person to facilitate your exercise, someone who is experienced and capable of keeping everyone focused and on task and of preventing the entire exercise from running off the tracks. You might have this person in mind in your organization today, or maybe you are that person. But if you need help, please contact us for more information. As a Master Exercise Practitioner, I’d be happy to help you develop, design, and facilitate your tabletop exercise. Either way, be sure to schedule a tabletop exercise soon. Past experience has demonstrated that it is the best way to engage the various departments on this important topic and increase your organization’s cyber resilience.
As the impacts from Hurricane Florence affected many coastal and inland communities, our thoughts and prayers extend to those who suffered from this storm. While the recovery process may continue for some time, one of the best practices we’ve found to be extremely valuable after every disaster is the After Action Review. This process helps organizations to identify areas of improvement in plans while the event, actions, and timeline are all still relatively fresh. It’s great to have and implement plans in response to an event like Florence, but a critical improvement opportunity is missed if organizations don’t make time to identify and implement improvements quickly so the plans work even better next time. Following are some key areas to review and evaluate your plan’s performance, along with our observations during Florence.
Plan Triggers – Is your plan based on the number of days until landfall or on government announcements such as Operating Condition levels (OPCONs)? Generally, those plans that used OPCONs or other government activation level announcements were in a better position to coordinate with government along an evacuation decision timeline and were not caught unprepared when the Governor announced an evacuation order. We’ve also noticed in some cases that a hybrid approach, including both government triggers and days-to-landfall triggers, is effective in more complex organizations or plans.
Evacuation Team – Does your plan have a pre-identified evacuation team? While some of us may debate the timing and effectiveness of an evacuation order, the fact remains that the Governor’s order changes things quickly. Schools close, transportation routes change as lane reversals are implemented, and basic staples and supplies such as gasoline and groceries can become scarce. Plans that have an evacuation team identified to leave early and establish remote operations are in a much stronger position to maintain critical operations while these evacuation impacts are experienced even before the storm approaches.
Communications – Does your plan have redundant communication methods? If phone lines, cell towers, and/or internet service are disrupted, can you still communicate with your key people? Planning to evacuate key personnel, especially those responsible for communications to large audiences, to safe areas ensures that these critical functions continue. Always plan to position people with communication responsibilities (website updates, social media updates, email blasts, conference calls, etc.) to safe areas where power, phone service, and internet can be assured to remain active. Following Atlantic’s plan, I evacuated to a safe location well before landfall so I could continue providing support and updates to our customers and the business community at large. I had multiple means of communicating with a team back in the impact zone to get local reports and discuss the situation at regular predefined intervals.
Re-entry Passes – Does your plan include regular annual updates to re-entry passes for evacuated areas? I helped facilitate daily conference calls for business and industry as part of my volunteer responsibilities with the Charleston County EOC. During those calls we answered a number of questions regarding re-entry passes. Make sure you have the correct people identified and updated on your re-entry passes with local and state authorities as part of your annual preparedness tasks.
Operational Rhythm – Does your plan include predetermined meeting times, conference calls, and communication updates to employees and customers? Maintaining an efficient and predictable schedule of daily operations helps everyone to find some structure in the middle of the chaos. People awaiting information updates during a disaster appreciate predictable times for communications. Decision-making is more effective when team members can plan to collect the necessary information in time for a meeting when those decisions will be discussed. Make sure your plan has a daily operational agenda that can be adjusted as needed.
Worst-Case Plans – Does your plan account for worst-case scenarios for people, facilities, communications, technology, and operations? We’ve seen some of the devastating impacts from Florence in North Carolina. Make sure your plan accounts for the recovery of all aspects of your organization following a major disaster that takes months or even years to get back to normal. Too many plans we review make too many false assumptions regarding staff, communications, technology, and alternate facility availability following a major hurricane or other disaster. Plan for the worst of a Katrina, Sandy, or Florence impacting your area and prepare accordingly.
Now that you’ve reviewed these common planning shortfalls or issues associated with Hurricane Florence, conduct your own After Action Review. Assemble your team and review each of the above areas in addition to those issues that were identified during this storm. Then develop your list of actions to address each issue and track them through regular monthly meetings until your plan has been updated and all issues have been addressed. If you need any help, we have a comprehensive and effective After Action Review process that we can facilitate for your organization. Please contact us for more information and make sure your organization is even better prepared for the next storm.
Last year the South Carolina Emergency Management Division (SCEMD) launched a series of workshops to promote business emergency preparedness to the private sector. Atlantic’s founder and principal, Scott Cave, agreed to partner with SCEMD in facilitating these workshops, but instead of using the typical lecture workshop to convey the preparedness message, he recommended an interactive series of hurricane tabletop exercises. Mr. Cave has achieved the Master Exercise Practitioner designation through FEMA’s Emergency Management Institute and leads dozens of exercises each year for Atlantic’s customers and in various workshops. SCEMD agreed to this interactive format and launched a Coastal Resilience Exercise series in Charleston, Georgetown, and Horry counties. Mr. Cave designed and facilitated the exercises to wide and diverse audiences of businesses between August, 2017 and April, 2018.
On June 12, 2018, Mr. Cave was invited to the SCEMD headquarters in Columbia, SC to receive the State Commendation Ribbon in recognition of these efforts. The commendation reads as follows:
“Mr. Scott Cave is commended for notably superior devotion to community and exemplary performance of duty as a Senior Facilitator for the South Carolina Emergency Management Division’s Coastal Resilience Exercise series for the period 25 August 2017 through 25 April 2018. Mr. Cave personally developed and was instrumental in the delivery of three separate tabletop exercises designed to promote emergency preparedness and continuity for the private sector in Charleston, Georgetown, and Horry counties. Mr. Cave’s broad wealth of experience and expertise in business disaster planning, coupled with his unparalleled willingness to volunteer personal time and hours from his own business to share critical best practices has greatly advanced the level of disaster preparedness of South Carolina’s coastal business community. Scott Cave’s superior performance brings great credit upon himself, the South Carolina Emergency Management Division, and the Military Department of South Carolina.
Signed R. Van McCarty
Major General, SCARNG
Deputy Adjutant General”
We at Atlantic are honored by this recognition and appreciate our ongoing partnership with the South Carolina Emergency Management Division. We look forward to working with SCEMD as we explore the possibility of extending this series of workshops and exercises over the coming months.