Edgar Dale's time-honored cone-of-experience cites that an average person remembers 10 percent of what he reads, and around 20 percent of what he sees. But, if one is made to experience a simulation, he remembers a great deal more, and the information is retained over a longer span of time, creating a profound impact on one’s outlook.
This is the underlying philosophy that led EY India to develop the Cyber Resilience War Game. A ‘gamified’ approach that stress tests an organization’s incident response plans and identifies strengths and weaknesses of their communications, protocols, and cyber disaster preparedness.
EY has successfully completed these Cyber War Games with top 79 CEOs, as well as in-house sessions for CXOs of leading companies across sectors like e-commerce, technology, telecom and consumer products.
In the war game simulation, it is more often the CEO, COO or CFO who takes up the role of a ‘Crisis Officer’ though unprepared in directing the response management. It is only post the War Game, organizations realize the importance of having undergone such a detailed simulation and to ascertain their level of preparedness to face such an issue in real life.
“What we do is that we target the senior management in a company – at the CXO level, heads of the audit committee, and board members,” said Burgess Cooper, Partner, Information Security, EY India.
Findings from the War Game: Surprise Surprise!
A very simple example would be: Who do you contact when you know that your company is under a cyber-attack?
“We’ve run this war game for many CEOs & CFOs, and we got five or six different answers. Some of them said they’d contact their CISOs; some said CIOs, if they didn’t have a CISO; some said the CMO – as he handles the marketing side; some cited legal counsel, while others said they’d contact corporate communication,” said Cooper.
The test shows that the response to the first question varies across the board. There’s a dearth in recognizing the first action plan.
The test then puts the individual through various other scenarios. For instance, what would you do if the hacker asks for ransom? What would you do if the suppliers asked you to stop supplying? Or if the bank stops authenticating transactions.
“We keep on increasing the bar, adding more and more challenges to the simulation. We capture all the responses, and the unique thing is that we capture these inputs real time on a mind map,” he added.
And the simulation brought out some startling facts.
“What we realized is that when we put top corporates in one board room, they still couldn’t come up with one unified response,” said Cooper.
Now, picture this attack on an e-commerce company at 7:30 PM, how would they be able to respond? This served as a great learning experience for the company, as they were able to realize that they needed to get their entire cyber security response in place.
The test revealed interesting takeaways for e-commerce companies. A key question that needs to be addressed in the advent of a cyber-attack is if the suppliers ask you: How do we check the authenticity of the customer? Should we stop supplying? Most CFOs said “yes, we should stop supplying.”
One CFO of a leading e-commerce company said “Dhanda band nahi hona chahiye” (“We shouldn’t stop trading”). It's a great deal more complicated than that, dear CFO. Remember the time when the NYSE was brought down to its knees due to a percieved hack? Keeping the organization's wheels rolling is imperative, but not at the cost of losing its crown jewels.
The war game puts the company through 13 to 14 different kinds of cyber-attacks including DDoS attacks, defacing, data loss, embedded malware or ransomware. It walks participants through simulations of how they should have responded in each scenario.
Many companies EY engaged with concluded that they would have to improve their overall cyber-security response, which includes improving policies and procedures around incident response and strategy for combating a full-scale cyber-attack.