Here’s something for your to-do list, if you’re not doing it already: The next time your organization holds cyber exercises, make sure you include third-party experts, bringing them in to observe, share insights, and provide feedback.
Experts such as law enforcement officers, data security consultants, your insurer, and public relations professionals can provide valuable insights that will strengthen your cybersecurity plan and better prepare you for a real-life emergency.
In today’s article, we’ll lay out who might be good to invite to your next cybersecurity party and what each type of expert can contribute. We’ll also sketch out how exactly you go about reaching out to these busy professionals and securing their participation.
The experts you would benefit from working with are generally more willing to participate than you might think, especially law enforcement, which in recent years has put a special emphasis on combatting cybercrime.
Incidentally, the inspiration for today’s article came from our recent webinar “Building an Effective Cyber Exercise.” In the webinar, we covered using third-party experts in a cyber exercise and we had a good discussion on the topic, so much so that we wanted to expand on some of the concepts:
- Who should you invite?
- What can each role contribute?
- How should you go about contacting the different experts and securing their participation?
We’ll answer each of these questions below.
The Importance of Cyber Exercises
Cyber attacks on business are becoming more prevalent, as we’ve discussed previously. Serious organizations should be running regular exercises that model today’s most commonly encountered cyber threats, such as data breaches and ransomware attacks.
Obviously, the point of these exercises—typically daylong, tabletop events conducted in a company conference room—is to figure out where the weaknesses of your organization’s network security and business continuity plan are so that you can fix them.
As mentioned above, these exercises can gain greatly from the presence of experts from outside the company. Over the course of the exercise, these visitors can share knowledge and insights that are unique to their role, helping your organization in numerous ways. These include:
- Helping you identify weaknesses in your plan that you might otherwise overlook.
- Helping you strengthen weak areas of your response plan.
- Helping you understand how people in their role are likely to respond to the situation if presented with it in the real world.
Keep reading for a breakdown of the various types of professionals you might want at your exercise, the benefits each could bring, and how to secure their participation.
Law enforcement should be first on the list when you’re thinking about who you would like to bring in from the outside to help advise you during your cyber exercise. They can provide guidance all along the way, including how to react to the event and, if it’s a ransomware situation, whether to pay (spoiler alert: they will almost certainly recommend that you don’t).
In recent years, law enforcement has ramped up its resources for fighting cyber crime. This is particularly true of the FBI, which has a large cyber task force. The big metropolitan police departments are also in the game. In more out-of-the-way areas, the state police and sheriff’s departments are sometimes willing and able to assist business in preventing cyber crime.
Another way law enforcement can help is by telling you how they are likely to act if they come to your premises during a real event. (for example, they might be obliged to take certain kinds of control in particular situations). The more you know about how they are likely to react, the better you will be at working with them if and when you are ever involved in a real situation.
How to contact law enforcement:
To reach the FBI, call the local FBI office and ask for the cyber security office or the individual in charge of cybercrime. Explain that you’re interested in doing a cyber exercise and ask what resources and guidance they can provide.
For state and local law enforcement, it’s the same. Give them a call and ask for the cyber unit or person responsible for cyber crime. Tell them what you’re up to and ask if they’re willing to help.
With both federal and state/local law enforcement, your security team may have contacts or a liaison who can help direct you to the appropriate individual.
You might be surprised by how easy it is to interest law enforcement in helping you with your exercise. In our experience, these agencies really want to participate. We at MHA have numerous friends and colleagues in law enforcement who have said they love to get involved with companies when they’re exercising and planning, rather than visiting them for the first time during a real event.
Law enforcement’s assistance should be free of charge.
Your Data Security Consultant
If your company has a data security consultant, that person or a representative of the firm should also be at your exercise. They will be able to supplement your tech team, providing overall high-level security guidance as well as help with forensics, analysis, and research.
How to contact them:
Give your rep a call, tell them about the exercise you’re planning, and ask if they would be available to assist.
If you don’t have such a consultant but are interested in obtaining one, you might be able to get someone to come in for the day to advise you at no charge based on the potential for future work.
To find a data-security partner, if you don’t already have one, ask your IT team or seek recommendations from friendly companies. You might also find leads on business continuity websites.
Your Physical Security Consultant
Do any outside firms advise your organization on the physical security of the premises? If so, they might have something valuable to add, especially if your scenario involves someone trying to leave the premises with physical data, such as paper documents or a flash drive containing confidential information. Also, the security of evidence may be relevant and that often falls under physical security.
How to contact them:
Contact your on-site security team or vendor. If your building manager is responsible for security, contact the management company to provide an introduction. No matter who you contact, tell them what you’re doing, and ask them if they can help. If they can’t help, they may give you a referral to an individual or organization that can.
People are sometimes reluctant to involve their insurers out of a worry that the insurer might learn of weaknesses in their security setup and raise their rates. There is basically no reason not to be open with your insurer. If you ever do make a claim, they will conduct an investigation into it and will find any weaknesses or issues which may impact your claim status. On the other hand, there are good reasons to be forthcoming with your insurance company and to involve them in your cyber exercise. For one thing, if you are ever involved in a real incident, you should notify them right away even if you are not sure you will be making a claim. Many insurance companies require that you notify them within a certain time of an incident, such as within 24 hours. If this is not done, the claim can be denied (it has happened to companies).After notifying them, you can take your time deciding whether to file a claim.
In terms of cyber exercises, your insurance company potentially has a lot to offer. They likely have a lot of experience working with organizations in protecting data and might have some good suggestions on how your company can safeguard its information, react to different scenarios, and secure resources to provide support during an event – similar to security firms. Insurance companies are incented to help you prevent occurrences.
How to contact them:
Contact your insurance agent. Explain what you’re trying to accomplish. They may have to check with the home office and get you a contact, but the agent is the best place to start.
Your PR and Communications Firm
To be clear, what we’re talking about here is not a marketing-oriented public relations firm. We’re talking about a company with experience in reputation protection and the media-facing side of crisis management.
Does your company have a relationship with such a firm? If so, a representative from the PR shop should attend your cyber exercise, if possible. They can give you good advice on how different aspects of your scenario might impact your company’s reputation and how to handle them.
If you don’t have a PR firm with experience in crisis management but want one, try asking your contacts at friendly companies or scouting the business continuity websites. Alternately, if you see a firm crop up in the news and like the way they handle somebody else’s hot potato, you might see if they’re available to help with yours.
If you have not planned an exercise, include it on your BC roadmap. Given the likelihood of an event occurring, you must be prepared to act, especially as costs associated with cyber events rise and reputations are on the line. The varied nature of the cyber attack scenarios is itself a reason to use third parties, but remember that when you’re using a third party it will take a bit more time to coordinate schedules and resources.
The last point to make is an important one: If you want all of these people to come to your mock cyberattack party, you have to give them reasonable advance notice. As soon as you schedule the exercise, reach out to everyone you would like to attend. Basically, this should be the first thing you do after deciding to hold an exercise. A good lead time is six months. The minimal respectable lead time is probably one month. Most likely, people will be happy to work with you. But the more advance notice they have, the happier they’ll be.
How Can We Help?
MHA consultants are skilled in all kinds of exercises and training. Want to see if MHA is available to attend your company’s cyber exercises and help you strengthen your business continuity plan? It’s something we’ve done many times for other organizations. Maybe we can help yours as well. To learn more, contact us.