Testing the Cyber Incident Response Plan

As cybersecurity becomes a more urgent concern in the corporate world, the field is attracting external talent and ideas. We’re seeing this with the entry of operational technology safety specialists into the cybersecurity market, for example. Another company making its way into cybersecurity is BeST (Be Strategic), which helps organizations test their crisis response plans.

BeST provides computerized crisis simulation software. The tool lets organizations face hypothetical, but realistic, potential disasters and deal with them in real time based on their existing response plans. It’s an auspicious moment for such a service. Senior executives are starting to realize how exposed they are, in both personal and corporate terms, to the consequences of mishandling a cyber crisis.

GDPR, to name one example, is presenting BeST with a host of new opportunities. As companies in the EU come to grips with the strict new privacy regulations, they see that they must have a well-honed response plan in the event of a data breach that involves personal data. And, they know they have to practice the response process or risk paying huge fines.

“A hundred million private data records were stolen on my watch is not a good resume builder,” said Chelsea Zfaz, head simulation architect at BeST. “People need to be ready for the breach that they know is coming,” she added. The issue not one of planning, in most cases. Indeed, most large organizations have good crisis response plans. The challenge is making them work in reality.

“In our experience, if you have a plan, even a good one, it can be hard for people to follow it when a serious crisis hits,” Zfaz explained. “There are many reasons for this. For one thing, the crisis almost never looks like the one you planned for. People also come and go, so the plan might call for you to contact what has now become an empty desk. Or, key people can’t be reached. What do you do when you can’t reach someone? Does your plan provide for this highly realistic contingency? Plus, personalities tend to take over. People start acting from their gut instincts, which are usually not correct.”

Alternatively, a company might lack a coherent or updated plan. The most notorious case of this concerned British Petroleum and its lackluster response to the Deepwater Horizon disaster. The company had, per US government law, a lengthy disaster plan. As the company mishandled the crisis, though, it emerged that the plan had been cribbed from an Alaskan subsidiary and contained such non-sequiturs as protecting walruses in the Gulf of Mexico.

BeST’s business originated in a separate part of the corporate world. Their main work is testing and validating emergency response plans that are mandated by law. Banks, for example, are required to maintain and verify the efficacy of a crisis plan in many countries. BeST enables this process to work. Now, they are increasingly getting called into test and validate cyber crisis response plans.

The company’s approach is to run a real time simulation using software that triggers real people to take concrete actions. Their software’s Procedure Editor models the client’s emergency plan and organizational structure. For instance, in a simulation, the CEO might get an email notifying her of the disaster. She then consults their plan and sends emails to the designated contacts listed on the plan.

Chelsea Zfaz, Head Simulation Architect, BeST

The BeST software tracks the activities and responses. It scores the client’s response process based on industry best practices. Their findings can highlight where an organization is poorly prepared to deal with an actual crisis. They expose gaps in the response plan and suggest ways to remediate deficiencies in the plan.

“Some of the issues we see are structural,” Zafz added. “Until a few years ago, it was reasonable to say, for example, ‘call the IT guy and wait for him to call back’ if there was a data breach. Now, senior people want to know what’s going on right away. The incident escalation process in the plan needs to align with the seriousness of the situation. We can point out these sorts of gaps and suggest ways to fix them.”

“It always pays to be prepared,” said Zfaz. “We can tell you if you’re really ready for an incident.”

Photo Credit: marcoverch Flickr via Compfight cc