Crisis emergencies vs. routine emergencies, do you know how to handle these?

Just a few years ago, a cyber-security event, information security incident, or data breach seemed like a “one off,” something many IT professionals wouldn’t have to experience first-hand. Fast-forward to today and it seems like these incidents have turned into “a breach-a-day.” In fact, 70 percent of organizations report having been compromised by a successful cyberattack in the past 12 months, and the average data breach cost is now $5.4 million per incident and $188 per record (2013 Cost of Data Breach Study). Unfortunately, it appears this phenomenon is only likely to pick up steam and severity.

One of the ways to prepare for and give advance thinking on how your company could manage these types of harmful incident is to conduct a cyber-security exercise. What is a cyber-exercise, you ask? It isn’t a technology exercise, per se – yes, technology is the underlying theme – however, it’s more about impact to the company. This is a crisis emergency, very likely a situation that you have never really planned for.  This is not some “routine emergency.”

To be clear, routine emergency does not mean “easy.” It can still be difficult and challenging for those needing to restore order. In this context, “routine” refers to the relative predictability of the situation that permits advanced preparation. Our incident management, crisis communications, business continuity, and disaster recovery plans are filled with strategies to manage routine emergencies.

A crisis emergency is a much different animal. These types of events are distinguished by significant elements of novelty. This novelty makes the problem much more difficult to diagnosis and then deal with.

The novel nature of a crisis emergency becomes a game-changer. Plans, processes, training, and exercises that may work well in routine emergency situations are frequently grossly inadequate in a crisis emergency, and may even be counterproductive. We realize that we have to start from scratch.

Crisis emergencies require:

1. Diagnose the elements of the novelty.
2. Improvise response measures adequate to cope with the unanticipated aspects of the emergency.
3. Respond in a creative way, and be extremely adaptable to execute improvised solutions. ‘

To manage this very different type of exercise, you need to have six things in place to make it work:

1. Management Support

Right off the bat, senior management needs to understand that a cyber-attack training exercise is likely to produce many learnings and issues that will need to be resolved, and it will present topics that they have never thought about or deeply understood.

2. A Willing IT Department

IT needs to be an active planner in the exercise. You need several excellent IT staff members to be part of the exercise’s design process. You need them to help you determine what the cause will be.

3. Two Design Teams

You need two design teams: An IT/Information Security design team, and a standard Exercise Design team. The IT/Info Sec team needs to do a deep dive on the narrative and develop the timeline of issues that happened before the exercise’s scenario date, and then provide a very detailed timeline of what happens during the exercise. The standard Design Team should include key lines of business, Human Resources, Communications, Facilities, Security, and any other key departments.

4. The Right Exercise Type

There are three styles of exercises that can be used with a cyber-narrative: Advanced Tabletop, Functional, or Full Scale4. What they have in common is a Simulation Team. This exercise requires a Simulation Team to make it work. The teams going through the experience need to have someone to speak to as they work through the problems.

5. Interwoven Narrative and Injects

The narrative for this exercise will have lots of nooks and crannies. It has a certainly complexity that can’t be avoided. The exercise players have to tease the information apart, work with the Simulators to figure out what’s going on, and then improvise a plan. The narrative and the injects are constantly ebbing and flowing together to tell the entire story.

6. Make it Public

One of the key aspects of this narrative is the potential damage to the reputation of the company. To damage that reputation, we have to “out” the narrative. The players then have to deal with the fallout.

To learn more about cyber exercises, and how to go about implementing these exercises within your organization, check out our newest white paper, “6 Keys to Developing a Cyber Attack Training Exercise,” developed by internationally recognized emergency management and continuity planning expert, Regina Phelps. In addition, explore the Everbridge webinar Regina recently presented, “Training Exercises: Continuity Planning and Mitigating the Impact of Cyber Attacks and Breaches.”

For information on developing highly effective exercises, check out  “Emergency Management Exercises – From Response to Recovery” by Regina Phelps. Available at Amazon – http://tinyurl.com/paq62ok

Visit us on Twitter at @Everbridge and use #CyberExercise to take part in the discussion!