Practice and rehearsal
The C-TOC is designed to bring to life what it feels like to live through a cyber attack because, according to Barlow, experience shows that learning cyber incident response requires practice and rehearsal “to the point that it is muscle memory” in much the same way athletes become the best at what they do.
“This is essential because cyber defenders are up against a human adversary and they have to learn to make decisions faster because that is the only way they are going to win, and the only way to do that is to practice and rehearse ahead of an incident,” he said.
Most organisations typically invest in detecting attacks and defending networks, but experience has shown, said Barlow, that it is equally important for companies to learn how to be resilient after a breach has occurred so they can get the business up and running as quickly as possible.
“Because we can make our simulations so real, we are able to separate what works from what doesn’t,” he said, adding that the importance of speed in incident response is shown by a study done with the Ponemon Institute, which found that incidents that take longer than 30 days to contain typically cost nearly £790,000 more than those contained within 30 days.
Another Ponemon Institute study shows that having an incident response team in place is one of the largest cost-saving factors in the cost of a breach, yet less than 25% of professionals surveyed globally say their company has a coordinated incident response plan applied across the organisation.
“This is one of the biggest issues of our time, yet only a quarter of companies have a plan, let alone practice and rehearse it,” said Barlow.
Nick Coleman, global head of cyber security intelligence at IBM, who is based in the UK, said that according to the government’s 2018 cyber breaches survey, the proportion of companies that have incident management processes in place is below that global average at just 13%.
“This is despite the fact 75% of UK firms polled said cyber security was an important issue and 43% said that they had experienced a cyber attack,” he said, adding that there appears to be a real need for the C-TOC experience to help companies understand exactly what they are up against.
“Within hours, organisations under attack have to find the pattern,” said Coleman. “They have to understand if it hits the threshold of needing to report to regulatory authorities, while at the same time responding to the issue and dealing with customers and the media.
“This is where it becomes a management issue of leadership and command as well as balancing the business with the technical. Managing the business with what is technically available can be one of the biggest challenges.”
Coleman said that during the European tour, real-world organisations like NHS Digital, Oxford University and some financial services information sharing and analysis centres – FS Isacs – will have the opportunity to experience how they can help their organisations and communities.
Running through an attack simulation, Benjamin Poernomo, C-TOC chief of operations, said one of the main aims is to teach people to move into an incident command structure, a concept built out of the fire service that ensures there is always someone in command so that decision making is never halted.
“The other purpose of bombarding participants with information requiring decisions under pressure is to flood people’s brains with the fight or flight hormone cortisol so they understand that the only way to make good decisions under pressure is if they have practised and rehearsed established run books or procedures,” he said.