Cyberattacks are a constant and evolving threat across all sectors with 2023 seeing a resurgence in data breaches and ransomware attacks with popular variants like Clop, LockBit, and ALPHV, among others, terrorizing businesses and exploiting system vulnerabilities.
The 2021–2022 financial year saw an increase in cybercrime, with over 76,000 reports made to the Australian Cyber Security Centre (ACSC), with no signs of slowing down. This trend has forced organizations to take a deeper look at their cyber preparedness and responses to reduce the damaging impact of an attack.
Organizations need to shift their focus beyond merely investing in enhanced security tools and technologies, emphasizing the importance of the human element in cybersecurity. A well-informed workforce, equipped to recognize and respond to common threats, coupled with robust protocols for handling cyberattacks, is essential for averting disastrous consequences.
Having such a team in place becomes particularly significant in a security landscape marked by the rapid evolution of threats, where attackers increasingly exploit unprepared employees through tactics such as phishing and ransomware.
Conducting crisis simulations stands out as one of the most effective methods for fortifying human cyber resilience. These simulations stress-test both teams and processes, creating real-world, hands-on scenarios that prepare and train staff for potential breaches. These scenarios should mirror an organization's current most prevalent or critical risks.
However, several recurring challenges tend to surface across various organizations during the practice scenarios. The most common issues are:
- Lack of Defined Delegation Chains and Unclear Accountability
Most delegation chains go one person deep. So, if the first point of call isn't available, the decision goes to the next person. However, this system fails when that person is also unreachable. This highlights the importance of a broader and more dependable fallback plan; ideally, one that's not reliant on a specific individual but rather tied to a role, like the incident lead. Furthermore, it's important to define the decision-making capabilities for each role clearly.
Too often, an incident lead theoretically has the power to shut down systems; however, in reality, they can't do this without the CEO's approval, ultimately rendering the delegation chain ineffective. If an organization gives an employee the authority, are they prepared to exercise it? If the answer is no, the business must ensure the decision-making process is properly documented. Most of the time, the decision-making processes laid out in playbooks are theoretical and not practical in a real-world setting. Organizations should focus on creating comprehensive, pragmatic delegation chains that function effectively in any circumstance.
At the end of the day, who is responsible for making these decisions? And, to what level can they make that decision? Organizations need to be explicit in the playbook or response documentation around the threshold to which decisions can be made.
Who can make which decisions and who assumes responsibility for each action should be clearly defined. For example, an incident responder may have the authority to deactivate infrastructure items A, B, and F; however, another individual can only decide C and D.
This responsibility could be determined based on the level of impact on the customer or even the financial implications. There need to be clear guidelines that empower individuals to make critical decisions, such as shutting down systems, without hesitation or uncertainty about their authority. For the most part, the stumbling block often lies not in an individual's unwillingness to make decisions but in their uncertainty about whether it falls within their jurisdiction. This lack of clarity often leads to unproductive finger-pointing.
- Overanalyzing
Quick decision-making, even without the benefit of a complete information set, is critical in crisis management. Often, the instinctive response is to await further data or delve deeper into the problem for analysis. While this can sometimes lead to better-informed decisions, it can also act as an avoidance tactic, delaying necessary action. Indecision or passivity can, in many cases, be worse than making the wrong decision.
During a malware campaign, damage is actively happening, and every moment spent digging or asking further questions will only worsen the situation. In such high-stakes situations, executives must be comfortable making decisions under pressure, even when they don't necessarily have all the answers right before them. The reality is that many decisions, particularly in a crisis, fall between bad and slightly less bad options. The goal is not always to select the best option but to choose the least bad one.
- Communication is Key
In crisis simulations, a robust communication strategy is crucial, yet it's an area where organizations often need to invest more resources. Having a predefined communications plan isn't just a requirement; it's an absolute necessity for smooth crisis response and ensuring all relevant information reaches the right people at the right time, minimizing confusion as much as possible. This plan should be comprehensive, targeting all stakeholders, not just the customers.
It should also detail what needs to be communicated to the staff and at what frequency. This is important because employees need to be well-informed and guided, and they are often the first line of contact for customers. Senior executives, too, require frequent updates, given their roles in decision-making and overall management of the crisis. In addition, customers need to be kept in the loop with consistent, clear, and accurate information to maintain their trust in the organization during the crisis.
Putting Humans at the Center of Cybersecurity
Businesses need more than robust cyber security measures through technical solutions. The human element is still a major factor in breaches, which means it's time to close the gap. One way to do this is through cyber security crisis simulations, which offer unique and essential real-life training experiences that every organization should prioritize.
Consider a situation where an employee's laptop, repaired by an external IT technician, leads to a data leak. The challenge lies in deciding whether to track down the technician or mitigate the online data spread. Such complex situations require quick, informed decisions, a skill that can be honed through crisis simulations.
These simulations go beyond typical training exercises, immersing personnel and processes in simulated emergencies before they face the real deal. By highlighting areas for improvement and fostering collaboration among team members, crisis simulations let organizations develop battle-tested approaches for crisis management. Ultimately, the more prepared an organization's employees are for the real thing, the better they will do when, not if, a genuine attack occurs.
A version of this blog originally appeared on Cyberdaily.com.
