Investigations
Security
Capacity Building
Insights
About
Digital Threat Digest Insights Careers Let's talk

5 benefits of exercising your cyber Incident Response plan

Team

In an ideal world, the security controls you put in place are enough and threat actors have no interest in looking for new vulnerabilities to exploit or developing new approaches to access your systems.

Sadly, we’re probably more likely to come across a unicorn than have completely invincible defenses, so you’re better off investing in a pragmatic incident response plan. Effective planning means an effective response; minimising the impact of a cyber-attack on your operations, reputation and bottom line.

You only need to look at the cost of recent breaches to see what under-preparedness looks like. According to IBM’s 2023 Cost of a Data Breach Report, the average total cost of breaches has increased to $4.45 million USD (approx. £3.49 million), which is up a whopping 15.3% since we first published this article back in 2020. This number is calculated by adding up the costs of detection and escalation, lost business, notification and communication activities, and ex-post response. (Read more: Breaking down the cost of a cyber attack)

Thankfully, the same report found that organisations with "high levels of IR planning and testing with saved USD 1.49 million (approx. £1.1M) compared to those with low levels". So, what does that look like?

When we talk about planning, we’re not just talking about security testing, technical mitigations and employee education/awareness—you should absolutely do all of those. But, we’re also talking about having these plans in place:

For all your security controls and other mitigation measures, if something does go wrong, you’ll need to understand the impact on operations, employees, customers, suppliers and other stakeholders. You’ll need to know who is responsible for managing each aspect of the emergency response and the steps to take.

You’ll also need to know how your BC, CM and IR plans correlate in the context of a cyber security incident; especially because these plans are often written by different parts of the business.

How do you work that out?

Helmuth von Moltke the Elder, a Prussian field marshal highly regarded as a military strategist, believed that, “no plan survives first contact with the enemy”. Boxer, Mike Tyson said something similar that you may have heard before; “everyone has a plan until they get punched in the mouth”. Regardless of who said it, the meaning is clear: plans are useful until you have to put them into action in the real world.

That’s why testing/exercising plans is just as important as developing them. Tabletop exercises or simulated scenarios provide you with the opportunity to identify what works and what doesn’t.

5 benefits of exercising incident response plans

We’ve put together five of the benefits of exercising your cyber incident response plan:

Identify the areas that need work

This is an obvious one, but it makes the list anyway. Much like how conducting a fire drill for an office building will point out weaknesses in the process, putting your plans to the test in a simulated scenario allows you to find the gaps so you can address them in advance of an actual crisis. Perhaps letting the regulator know about a data breach was left off the Incident Response plan because it was assumed it was part of the Crisis Management plan. The regulator won’t mind which plan it’s included in, but it will mind if you don’t adhere to the requirements they set out.

Validation of the areas that do work

In an inversion of identifying gaps, it’s also really helpful to validate the parts of a plan that do work. In saying that, don’t set and forget – just because it works now, doesn’t mean it doesn’t need to be updated ever again. While that plan written in 2011 was great, a lot of things have changed since.

Preparing your people

You can only win a football game if you work as team. And working as a team requires practice. While you’re training, you will get an understanding of how the team works together, who has which strengths and who has which skills. When you conduct a facilitated simulated exercise of a cyber incident, you’ll find out if your team works well together and if you have the right set of skills to handle the crisis. When it comes to a cyber incident, you will need specialist skills, but it’s not only about the technical aspects; you’ll also need operational people and communications people to bring it all together. Do you already have the right people in-house? Have you just identified that an external consultant will need to be engaged to fill a specific skills gap?

Increased operational resilience

We know that a company’s capacity to recover rapidly, and with limited damage, from a crisis is directly associated with the quality of preparation. We also know that the more often you practice something, the better you get. In the short term, disruption to your operations can result in revenue loss and in the longer-term, reputational damage, which also affects the bottom line. The faster your organisation can recover from a cyber incident, the better. If you have exercised your plans, your team’s prior experience will enable faster (and more likely correct) decision making, which in turn aids in a speedier recovery.

Establish flexibility

While BC, CM and IR plans are generally written to handle a wide range of incidents, no crisis is exactly the same. When you have never handled a situation before it’s more likely you will stick to a set ‘script’ and wandering off piste is a scary thought. However, when you have experience handling a situation you become more flexible when someone throws a curveball.

It’s not just fingers-crossed

Hopefully, you won’t ever need to put any of these plans in place, but they are there if you do. It’s like insurance – you pay the premiums and hope you never actually have to make a claim, but you’re glad you have the option there should something go wrong. Don’t wait until you’re in the middle of a crisis before you wipe the dust off your meticulously prepared Business Continuity, Crisis Management and Incident Response plans; exercise them and make sure they are fit for purpose.

Our cyber security consultants have extensive experience in helping our clients exercise their plans and we can provide you with the same support. If you would like discuss how we can help you, please contact us.

This was originally published on 1 February 2021 and updated on 9 August 2023.