In this bulletin, Charlie reflects on taking part in a cyber security wargame and shares ten key lessons organisations should consider when preparing for and responding to a serious cyber incident.

On Tuesday, I took part in the latest Databarracks wargame at the People’s History Museum in Manchester. The purpose of the wargame was to provide a learning experience for Databarracks customers and prospective customers. The scenario involved a cyber attack on the retail company Marshall and Stone and featured a number of vignettes in which the situation evolved and the delegates had to decide how they would respond to each new development.

What is different about this one is that, unlike most seminars, where there is a table discussion followed by feedback to the wider group, in this simulation each participant feeds back individually on their phone after discussing the different views at the table. Once their response is submitted, AI scores it. This makes the session very interactive and personal.

The following are ten of the learning points from the session:

  1. Has your organisation agreed who is authorised to disconnect systems in order to contain a potential breach and stop attackers from carrying out further action? In a fast-moving cyber incident, minutes count, and you do not want to be trying to locate senior managers at 8pm on a Saturday night to obtain authorisation to disconnect systems or take down the organisation’s network.
  2. Have you thought through what your organisation’s “minimum viable company” is, and ensured that the key IT systems underpinning it are segregated from the rest of the environment and suitably backed up so that the organisation cannot lose all its systems simultaneously?
  3. When deciding whether to pay a ransom, you should, among other factors, take into account your organisation’s values and whether they can help guide the decision.
  4. Do you understand what manual workarounds are in place and can be enacted if systems are unavailable? Can your organisation operate manually, or is that not possible?
  5. Do you understand the data you hold and the impact its loss would have on the individuals concerned? This could range from inconvenience or possible identity theft to putting people’s lives in danger.
  6. SaaS providers may cut off access to their systems during an incident. You should have discussions with them in advance about how they would respond.
  7. Do you know how long it will take to rebuild your systems and what the recovery priorities are?
  8. Do not forget the people aspect, and make sure you rotate staff and put measures in place to prevent burnout.
  9. A serious cyber incident takes months, if not years, to recover from.
  10. Ensure you have cyber insurance.

These learning points are fairly standard, but I think it is useful to be reminded of them every so often!
