“Plans are good — but practice is everything.” — PricewaterhouseCoopers (PwC)’s “Global Economic Crime Survey 2016”

If there’s one thing 2017 taught us, it’s that we need to get ready for the inevitable data breach — especially regarding how we respond once we know about the “boom,” which is the time we first learn of a security event.

A new report by IBM’s Institute for Business Value (IBV), “Beyond the Boom: Improving Decision Making in a Security Crisis,” emphasized the value of conducting crisis response simulations for top leadership. The report comes amid increased global awareness about the likelihood and impact of cyberattacks, as evidenced by the World Economic Forum (WEF)’s “2018 Global Risks Report.”

Another positive development is the shift from a primarily defense-oriented mindset to a more agile approach to cyber resilience.

Why Is Crisis Response So Important?

As the IBV report pointed out, top leaders of breached organizations can expect to be “grilled” by lawmakers, shareholders and (of course) class-action lawyers. So, while the breach itself may not be an entirely preventable event, top leadership’s response can make or break a company.

A September 2017 PwC report noted that out of 164 CEOs surveyed around the world, 65 percent had experienced at least one crisis in the past three years. Also, nearly two-thirds of executives had experienced two crises, and one-fifth had experienced three.

According to the IBV report, a business has a one-in-four chance of being hit with a significant threat during any two-year period. A 2016 study conducted by the Ponemon Institute and commissioned by IBM Resilient found that 75 percent of organizations lack a consistent incident response plan.

The boom event is the realization of a breach. “Left of boom” refers to everything that happened before the breach was discovered, and “right of boom” represents what happens afterward (this is where an organization has a chance to mitigate the damage). Nearly everything that happens right of boom is under the organization’s control. Whether the response is handled well or fumbled miserably is up to its leaders, which is why it’s crucial to practice the crisis response plan.

Finally, the “2017 Cost of a Data Breach Study” conducted by Ponemon and IBM found that having an incident response team was the single factor that most reduced the per capita cost of a data breach, followed by extensive use of encryption and employee training.

Practice, Practice, Practice

The PwC report noted, “crisis management needs to be practiced so that people are clear about their responsibilities and who the decision-makers are.” Right of boom, organizations have very little time to regroup, deliberate and test out various response strategies. Instead, they must respond in near real time and in the court of public opinion.

If your team didn’t put the plan into practice, would you be willing to bet your shirt on your leadership team’s response?

“Getting crisis response wrong goes beyond significant financial pain and affects reputation and relationships,” the PwC report asserted. Even though the scenario rehearsed will rarely match the crisis that actually arrives, practice builds an environment that supports quick decision-making during the crisis and clear communication with both internal and external stakeholders.


The Value of Crisis Simulations

For organizations that are only now starting to practice their crisis response plans, tabletop exercises might be the right level. However, those activities are no substitute for a full-on cyber range with phones ringing off the hook, real-time news and stock tickers, monitors and up-to-the-minute dashboards showing the systems impacted.

A good crisis simulation should feel like the boot camp phase of military training — a feeling of being put through the paces with the stress and fatigue, unknowns and self-doubt of a real-life data breach. It should also provide chances for participants to reflect and process lessons learned.

It’s important to note that executives are getting increasingly involved with crisis response preparedness and practice. According to PwC, board directors are asking questions such as:

  • Has the Board recently practiced its response to a cyber crisis, including with deputies?

  • Who has authority (training, decision-making remit) to respond in less than an hour?

  • Is the action plan for emergency management thorough, well rehearsed and effective (including with no IT)?

This is where the IBM X-Force Command Center (XFCC), IBM’s crisis simulation facility, shines. In the XFCC, IBM can stage a business-level crisis simulation rather than a purely technical drill. After all, a cyber event isn’t just about IT — it’s about the business and how well it responds.

The XFCC makes it possible for response teams to experience the unexpected twists and turns of a data breach in a controlled environment and learn how their reactions might enable or impede a good response. For example, as reported on NBC’s “Today” show, members of the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently participated in an exercise that simulated a cyberattack against a fictitious bank.

What is the XFCC experience like?

“We have had over 1,300 customers come through the cyber range in 2017, and we focus on the importance of showing what great looks like and defining a security culture, organizing correctly to allow a resilient business response to a technical cyber incident and having the entire company focusing on reducing all aspects of risk,” said Chris Crummey, executive director of IBM Security X-Force Evangelism and Outreach and one of the masterminds behind the XFCC. “Another way to describe this experience is cyber best practices meets Game of Clue meets a Disney roller coaster ride.”

Ultimately, a crisis simulation enables an organization to pressure-test its incident response plans — including who has decision-making authority and who communicates what to whom — identify gaps, and improve strategy and tactics accordingly. After all, it’s much better to go through a series of practice runs than to be thrown to the wolves when the real crisis happens.
