What happens to BCM when the cyber response isn’t exercised?
16 May 2017
I recently reviewed the Business Continuity Management (BCM) and crisis management programme of an organisation with operations across the UK. As I did so, I was asked to keep an eye on how they may cope if they were compromised by a cyber-attack.
As part of the review, they requested a cyber crisis exercise – this isn’t typical, but it was the right thing for them to do. Exercises are one of the few ways to get a genuine view of how effectively a company would stand up against a real incident, without the suffering.
The upshot of this story is that I now believe that running an exercise should be part of every review. I find it hard to give confidence to senior management that the BCM and crisis management capability is strong if the organisation hasn’t actually seen what happens when they work the plan against a realistic scenario, even if we were only pretending.
Often, organisations get reassurance because they have a policy, governance, Business Impact Analyses (BIAs), roles and responsibilities, plans, and strategies. But during an exercise you get a real sense of how these parts relate to each other, how the individuals work as a team and where the strengths or gaps lie.
In this case, when we looked specifically at how this organisation’s plans might support a cyber response, the planning documents looked thorough, they had been endorsed by top management, the process owner spoke confidently about the contents, and appropriate planning had taken place. There were a few areas to focus on, but their capability – on paper – looked good.
If the review had stopped there, the results could have been positive; you know, except for the fact that we’d have had to point out the plans had never been exercised.
We then worked with the client and designed a cyber scenario that would impact their payment systems. It was then that things got real! From the outset, it was clear that the majority of the BCM and crisis management plan was not going to be helpful. The team members were unsure of their roles, there was no strategy for dealing with communications, stakeholders, customers, the media etc., the leadership team’s priorities were not clear and, more surprisingly, the plan was not even opened…so after all the planning work, for a cyber incident, it served no purpose.
The potential issues here were two-fold. First, of course, the planning needed a significant amount of work to bring it into line with current business requirements. But second, if it hadn’t been for the fact that the BCM leader was the one insisting on the exercise, I would be concerned that this kind of issue could undermine their major incident/crisis management programme, and cause (or promote) an unhelpful silo between traditional BCM and crisis management and cyber responses.
The point of this post isn’t relevant just to cyber – though in this Business Continuity Awareness Week, where the theme is ‘cyber’, it’s a useful real-world example – it isn’t reasonable to take assurance from a plan that looks good and ticks all the boxes from a Standard.
After all, you wouldn’t sign off on your plumber installing a new boiler without checking that hot water flows.
So what is my plea?
- Ensure your plans are exercised regularly (more than once a year) and update your plans accordingly,
- Include an exercise as part of every review,
- Ensure your cyber response programme is fully integrated into the overall crisis management response, including planning and training,
- Focus on making sure your exercises consider key risks to your organisation, and be open to the notion that an annual exercise may not be enough in any given year,
- If some members of your response team are unfamiliar with cyber, embed a series of exercises or training sessions to help build confidence across teams and individuals (including deputies).
This cyber-focussed Business Continuity Awareness Week gives us a new reason to go and talk to our colleagues dealing with cyber issues, to remove any silos that might exist, and to close any gaps that have crept into our planning.
Let’s make the most of it.