Prepare for a Cyber Breach at Your Conference Table

By Thomas DeMayo, Partner and Robert Gaines, Director

The statement “It is not a matter of if, but when, a cyber breach will occur” has held true as cyber incidents continue to escalate in severity and sophistication. While a major cybersecurity incident will always be stressful, ensuring stakeholders understand their roles and have defined responses should shift from what would inherently be a chaotic and unorchestrated sequence of events into a controlled and managed response. 

Tabletop Exercises

A tabletop exercise takes the pieces of paper on which your incident response plan is inked and turns it into a simulated exercise where the players rehearse their roles. Like a well-crafted play, everyone has a part that – when joined together – tells a story. If well written, it can be a story of success and triumph.  

Tabletop exercises use real-world threat scenarios to simulate a security incident and provide an opportunity to identify potential risks and vulnerabilities within an organization’s processes, systems and personnel that drive the overall response. For example, the exercise may simulate a Ransomware event that locks down systems requiring the activation of the Business Continuity Plan and the exfiltration of data, requiring breach reporting obligations to regulatory parties and individuals. This approach ensures that an organization’s incident response plans are up-to-date and effective, and they provide management with an excellent tool to evaluate the organization’s response readiness. 

Evaluation outcomes are used to adjust items such as end-user training, supplementary training for first responders, modification of security controls or implementation of new security tools.

Incident Players

For a tabletop exercise to be effective, it needs to involve multiple stakeholders. The leader and orchestrator of the tabletop exercise needs to design the scenarios to facilitate communication and coordination among different teams and departments from incident identification to resolution. Communication breakdowns can have a catastrophic impact on time-sensitive issues and, in our experience, are one of the key factors that will drive the successful management of an incident.  

Because incident communication is performed at different levels within the organization, testing should also be performed and evaluated at different operational levels:

• Board/Executive – The Board and senior management play an essential role in any major incident. They are the commanders making key decisions that will have outcomes that will impact not only the business’ bottom line but also the underlying reputation and trust of the business. Participants are Board members, C-Suite executives and the CISO, CIO or CTO.
  
  
• Managerial – The management level drives the operational response to incidents through decision-making and coordination with responsible departments, vendors and third parties. Participants generally include management from IT, Security, Risk and Operations departments, as well as key vendors where possible.
  
  
• Operational – The front-line responders facilitate the procedural incident response activity coordination, triage, escalation communications and alignment with the incident response plan procedures. Participants typically include first responders, security and technology subject matter experts and their managers.

Best Practice: Cyber Response Testing

Many industries and regulatory bodies such as the Health Insurance Portability and Accountability Act (HIPAA), Federal Financial Institutions Examination Council (FFIEC), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry (PCI) and New York State Department of Financial Services (NYDFS) require organizations to have incident response plans in place and that they be tested regularly. In addition, many insurance companies require proof of testing before they provide coverage for cybersecurity incidents, with many policies stipulating annual testing as a component of insurance renewal. Annual testing is a recommended best practice, as the tabletop exercises should be an element of any institution’s annual security and risk assessment review process.

Many organizations have also invested in either in-house security operation teams or a third-party SOC-as-a-Service to drive the technical components of the plan. While different from a table-top exercise, exercises can be developed to test the tools and responses of these teams. Such exercises help validate that the Security Operations Team’s tools and processes are correctly tuned to detect attacks and ensure a timely response.

Contact Us

At PKF O’Connor Davies, we have a team of cybersecurity and business continuity specialists who can help you design and conduct a tabletop exercise or test the security tools and teams in which you have invested. If you have any questions, please contact your client service team or either of the following:

Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Partner
Cybersecurity and Privacy Advisory
tdemayo@pkfod.com | 646.449.6353

Robert Gaines, CISSP, CECI, CCFI, CIPP/US
Director
Cybersecurity and Privacy Advisory
rgaines@pkfod.com | 425.518.1974