Do you know that feeling, when you think you did a great job, and suddenly you look at it with a new perspective and only then you realize in terror that it was not at all as good as you thought? I do.
One of the things our Cyberculture team does is War Games. Crisis simulations where we sit the management team of a company around the table. For half a day, we recreate the nightmare scenario of a major event hitting the company, and hitting hard. They have to react to it as they would do in real life: plan, communicate, execute and monitor the response. Hopefully like a well-oiled machine. The teams train the skills and learn from their mistakes, all in a safe environment. The scenarios? Well, they can be anything that threatens company operations, cyber or not: company operations are blocked due to a ransomware attack; Microsoft has been hacked and O365 is down; hackers are publishing the blueprint of the new product online; an employee gone rogue, transferring funds to China; flooding around headquarters… Because we build these scenarios based on our team’s experience, they are factual, realistic and pretty accurate. It is interesting and always a great learning experience to prepare them.
Let’s start with some context
Last autumn we worked on a tailored exercise for one of our clients. Their scenario? A pandemic. See where I am going?
Designing the scenario was very fun. While our scenarios normally start from real-life cases our incident team has gone through, this was different. None of us had ever lived through a worldwide pandemic (honestly, who on your workforce has?). So we let our imagination run wild. I will spare you the details, but at the end of the exercise we were convinced we had gone a bit extreme.
It was not realistic that something like that would happen in today’s Europe. And most certainly, it would never reach those levels of disruption. Boy, we were wrong…
Would we get to a point where the company needs to shut down the offices and keep everyone home? Not likely. We were even reticent to imply that competitors would get their workforce to work remotely. It just didn’t seem plausible. It never crossed our minds that the whole economy may actually almost stop, not only in Belgium, but all of Europe and, effectively, across the world.
Of course we all have watched apocalyptic movies, read dystopian books. But that is fiction. Some may argue it is fair game, but we try to keep our games realistic. That means we are sometimes limited by our own experience and understanding of “what is possible”.
Fast forward to April, a few weeks into COVID-19. I looked back at the scenario, and I realized how incredibly far we were from even imagining what could happen. But what had happened to my client? I felt we trained them, sure, but not for this level of disruption. And then they faced COVID-19. I felt like I had given them a little kiddies' boat and left them to cross Calais to Dover, no oars.
So, War Games are useless because reality is unpredictable?
See the name of the post? Clearly that is not what I mean.
I called the crisis coordinator at my client. Of course, it took a few weeks till we could have a slot for a relaxed conversation. But I was surprised by his update.
In fact, they were very happy. The war games we had been regularly conducting had prepared the crisis management committee to react fast and efficiently. Everybody was aware of:
- their role and what was expected from them;
- what is relevant and not relevant to discuss in a crisis situation;
- the importance of strong communications, with messages adapted to each stakeholder;
- the hurdles of having multiple collaboration channels and the value of making sure they all work.
They felt they were managing, rather than just reacting. They were praised for their very comprehensive and adapted communication towards different audiences, on a regular basis (I take personal pride in that, as we often insisted on this!).
Of course they could just say this, but what makes me certain this worked is that the team wants to keep conducting crisis management exercises as of autumn (we all deserve a relaxed summer).
We cannot predict the future. Crisis management games will probably not prepare the team for the exact scenario they will face. As we learnt this year, they may not even prepare the team for the real magnitude of the scenario. But they will provide the tools and the training to use them. They will create a way of thinking and collaborating, and will help everybody to understand the priorities of the company, beyond their own teams. And that is exactly what you want to have around the table during uncertain times.
So, even if we won’t nail it, it is worth preparing for a crisis. How can you start? Small is probably the way to go. We can help, but there are also resources out there (see below) to help you run your first simulation on your own. It should be understood as a first step. It will allow you to identify your weaknesses: areas you and your team should work to improve. You can look at it as a whole improvement process. But that is a topic for another post!
Training the right reflexes, making sure the team knows how to operate, which information to gather to make decisions… will make the difference once the proverbial flood comes, whatever form it takes.
Some useful resources:
- Open source resources for cybersecurity exercises
- MITRE: technical paper on cyber crisis management exercise preparation.
- Center for Internet Security: Six scenarios to prepare different aspects of crisis management
About the author
Mercedes M Diaz leads NVISO's Cyberculture practice. She supports businesses trying to reduce their risks by helping teams understand their role in protecting the company.