Key Lessons Learned in Cyber Incident Exercising
Jordan Schroeder
Managing CISO
It has long been accepted that not all cyberattacks are preventable.
Organisations can adopt the strictest controls, deploy advanced security tools, and prioritise regular staff training, but attackers still manage to get through.
This doesn't mean their security posture is weak or that they are failing; it simply means the odds have tipped in attackers' favour. There are too many entry points, each with its own challenges, for complete security to be achievable. Attackers will eventually succeed.
Given this position, it's now widely accepted that incident response planning has become a critical component of an organisation's defensive architecture.
Incident response planning helps organisations prepare for incidents, allowing them to identify how certain cyber events could impact their operations and then work to limit that damage. It also helps organisations pre-agree the roles and responsibilities of team members in mitigating an attack, understand who needs to be contacted in the event of a cyber incident, identify how specific scenarios could impact their data, customers, and operations, and take steps to reduce their exposure to attacks.
However, pulling together a plan that gathers dust on a shelf is not enough. For organisations to understand how effective their plan is, they must also exercise it. This is where Cyber Incident Exercising (CIE) becomes increasingly valuable.
Cyber Incident Exercising
Cyber Incident Exercising enables organisations to test the effectiveness of their incident response plans during a simulated cyber event with the assistance of a dedicated expert.
The sessions help organisations improve their preparedness to handle real-world threats, enabling teams to practise their roles, identify gaps in processes or technology and enhance coordination across departments and external partners. The ultimate goal is to drive cyber resilience and improve recovery timelines.
One of the key benefits of CIE is that the sessions enable organisations to identify gaps in their security posture, which could leave them vulnerable.
These gaps are difficult to identify during planning stages, as they often only become apparent unexpectedly during practical rehearsals or under the scrutiny of a dedicated expert.
However, once they are identified, they provide organisations with actionable intelligence to improve their resilience and enhance their security controls.
So, what are the key gaps that often come up during CIE, and what can organisations learn from them?
Overconfidence: the plan will work
One of the issues that continually surfaces during CIE is overconfidence that an incident response plan which works in theory will also work in practice.
Expectations rarely align with reality, and organisations must be prepared for this.
A core purpose of CIE is to identify overlooked vulnerabilities and take steps to mitigate them.
The goal is not to undermine confidence, but to test and validate it, ensuring the existing controls and processes are truly robust enough to enable recovery from an attack.
This often means that existing plans will need to be modified, processes will need to be changed, and controls will need to be updated to rectify issues that surface as a result of overconfidence.
This shouldn't cause friction among team members.
Everyone should work towards the shared goal of improving security and recognise that with every issue identified and addressed, the organisation makes strides towards resilience.
Unprepared for the unexpected
When developing incident response plans, many organisations focus on scenarios they already understand and feel confident managing. Rarely do they introduce unpredictable elements that expose vulnerabilities or reflect poorly on IT and security teams in the eyes of leadership.
However, this mindset leaves organisations only securing against past threats and not future-proofing their incident response.
CIE encourages organisations to step outside their comfort zones under the guidance of a cybersecurity expert who possesses firsthand insights into the surprises that often arise during incidents.
By simulating a range of attacks, CIE helps test the flexibility and resilience of the response plan.
It also ensures that when surprise events occur, and they always do, the organisation can still act and recover without being thrown into an immobilised frenzy.
No contingency plans when communication is down
Whether it's Outlook, Gmail, Teams or another messaging app, almost every corporate communication channel is integrated with the organisation's other business software and runs on the same infrastructure.
But what happens when these communications channels or the infrastructure they rely on are compromised?
This question often comes as a surprise during CIE; organisations are frequently completely unprepared for it and have no contingency plans in place.
Cyberattacks routinely lock staff out of the corporate network or their accounts, so access to a communications application or email is never guaranteed. Furthermore, when attackers still have a foothold on an organisation's network during an attack, email may not be the safest option, since a compromised mailbox can expose the response effort itself.
As a result, during incident response planning, organisations must consider establishing alternative communication lines that can be used during cyber events.
Cyber is seen as an IT / security problem
CIE is about raising awareness of cyber events across different levels within an organisation. One issue commonly unearthed is that cyber is still being treated as a problem for IT and security only.
This is very misguided and leaves organisations in a volatile position.
Cyberattacks routinely disrupt enterprise operations and threaten the solvency of businesses. This makes them a business-wide issue and a key focus for leadership teams.
During CIE, a variety of roles must be present, so everyone understands their responsibilities during an attack.
This enables all job roles to understand how an attack could impact the business and to practise the part they will play in supporting mitigation or communication in the aftermath of the incident.
Typically, an organisation's schedule of CIE sessions should include exercises involving the CEO and CFO, representatives from marketing, HR, security, and IT, as well as the department head most relevant to the simulated scenario.
Dismissing the debrief
At the end of a CIE session, organisations will be given a debrief report by their Cyber Incident Exercise Provider, which details the findings of the simulation, discusses gaps that were discovered, and provides recommendations on how they can be addressed.
Organisations should prioritise these actions and update their incident response plans accordingly.
Ignoring this feedback risks leaving vulnerabilities unaddressed, whereas acting on it can provide a blueprint for effective recovery from future incidents.
Not all attacks can be prevented today, but they can be prepared for.
This is where CIE plays a key role: simulating cyber incidents for organisations, helping them prepare, exercising their response to mitigate damage, and identifying gaps that could leave them vulnerable.
By conducting regular CIE sessions, organisations can enhance their ability to withstand cyber threats, close gaps in defences and significantly improve their capacity to respond to and recover from attacks.