Blog - Testing Incident Response Plans: Drills & Simulations

Picture This:  

It’s December, and you’ve just wrapped up your company-wide security awareness training campaign for October and finished reviewing the Incident Response plan with time to spare before the Holidays – you can finally kick back and take that lunch break you’ve been dreaming about – until your phone rings. It’s the public relations team – and they’ve got some exciting news: your company just made the news a couple of days ago for its latest flagship endeavor – six months before the deal’s scheduled to be announced – and is on WikiLeaks.  

But you’ve got a plan – you’re ready for this… right?  

The Cost of Dysfunction  

As Mike Tyson once said, “Everyone has a plan until they get punched in the face”, and a cyber incident can hit hard, hit fast, and leave you spinning. According to IBM, the global average cost of a data breach in 2023 was $4.45 million  (a 15.3% increase in cost since 2020) and took 277 days to identify and contain. Surveys conducted by IronNet found that respondents experienced four attacks on their organization, with a fifth experiencing six or more yearly – and 80% had an incident severe enough to merit a board meeting. 

What Can You Do?  

While you can’t dodge every punch, the planning, training, and rehearsal efforts you put into practice now will pay dividends down the road. Here are a few things you might consider implementing now to respond effectively later:  

• Review (and revise) the cyber incident response plan regularly 

• Having a completed plan doesn’t mean you’ve got a foolproof plan – the business environment, technology stack, structure, business processes, key stakeholders, and communication channels are subject to change – and there’s always something one can do to improve existing practices.  

• Print and share your incident response plan with key personnel 

• During an incident, some folks may not have easy (or any) access to digital copies of the incident response plan. Time is a critical factor in the impact of an event and your ability to recover. Determining which executives and SMEs should carry a hard copy tucked away into a laptop bag or briefcase. An alternative could be having a digital copy set to “offline access” mode on a secure company-approved SharePoint or cloud storage site. 

• Provide role-based training for your incident teams 

• In all likelihood, your employees aren’t responding to incidents 24/7/365 (and we sincerely hope not!), which means they have other responsibilities in their primary roles. The less time we spend practicing a skill, the less likely it is to come back as easy or effective as it once did – training can help keep your team fresh and ready for quick action. Furthermore, everyone comes with different levels of experience and knowledge – continuous role-based training helps everyone improve and cover skill gaps if another member isn’t available.  

• Identify and track key performance indicators (KPIs) 

• We’ve all heard the saying, “You can’t prove a negative in security,” which is why tracking our available information is all the more critical, especially in incident response programs. Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR), among many others, provide metrics by which you can evaluate the effectiveness of your program and demonstrate the value of what you’ve built with your team to senior management.  

• Conduct a simulation (a realistic “dress rehearsal”) and make corresponding plan enhancements from learnings 

• When it comes down to it, policies, training, and some numbers only go so far. One of the biggest things your team can do to improve your chances of handling an incident well is to rehearse through an incident response simulation. 

Tabletop Incident Response Simulations  

While incidents often come with significant cost, there’s a silver lining to what we know – IBM’s 2023 study found that organizations with incident response planning and testing experienced 33.9% less cost than their counterparts, or $1.49 million. Unfortunately, according to an article published in the Wall Street Journal found that “only 23% of survey participants test their incident response plan twice a year or more.”   

Cyber Incident Response tabletop exercises and more complex simulations involving triggers that involve the technical and Security Operations teams are tailored to your organization with your specific concerns in mind. When the stakes are high, you must know who you’re working with, how to communicate clearly and effectively, and how to respond and follow through as a team. Tabletop simulations and facilitated discussions are a great way to see firsthand how effective your plan is and where you might have opportunities to improve – before you get hit by a serious threat. Nobody wants to learn the hard way. We have also found that these exercises can vary and are not all created equal. At Reveal Risk, we continuously strive to enhance innovative ways to add realism. A successful engagement will often yield feedback to the tune of “I know that was a simulation, but my heart was beating like it was really happening!”)  

At Reveal Risk, we recognize the pivotal role that having a robust incident response program plays in developing cybersecurity resilience. Our experienced team of cybersecurity experts is ready to assist you through comprehensive testing and actionable intelligence on how you can take your security to the next level on a budget and schedule that works for you. Email us at info@RevealRisk.com or fill out the contact form on our website here.