Anatomy of a cyber risks stress test

Given that cyber exposures are now seen as inevitable, it only makes sense for businesses to invest in resilience. The fundamentals of resilience are protecting profitability through business continuity and incident response planning. The best way to assess that resilience is to see how quickly and effectively your business can react to any given scenario. That's what cyber risks stress tests are all about.

While we always aim to prevent a cyber issue, a cyber risks stress test assumes the worst and considers how a business would respond if an incident has already occurred. Regardless of the cause, the point is to assume you're not going to be without certain capabilities and resources. The idea behind a stress test is to determine the critical systems, people and locations you need to continue to serve your customers and how best to protect and recover them. This cyber scenario analysis and practice can help provide management with the information it needs to adjust risk profiles and response plans to better protect the enterprise.

Why you should conduct cyber stress tests

• The actual cost of recovering from significant business disruptions, particularly in supplier networks, is up to 10 times more than what is typically allotted to cover them. Increased dependence on cyber functions could mean even greater costs.
• Cyber attacks are considered a risk of high concern to doing business in several major economies, including economic heavyweights such as Germany, Japan, the U.S. and the U.K., according to the World Economic Forum's Executive Opinion Survey 2015.
• Cyber risks are interconnected. A Business Continuity Institute survey found that more than 55 percent of supply chain disruptions were related to unplanned IT or telecom outages.
• Because you have valuable data to protect, even if you don't realize it. It's not unusual for businesses that aren't data-centric to think they have nothing to worry about. Cyber risks can have substantial effects at the operational levels of any business-production, logistics, availability of services and resources. Disruptions at those levels can do real damage to the revenues and reputation of a business.

How to conduct cyber stress tests

Have a C-Suite sponsor. There's no point in doing a stress test if the findings won't be acted upon to help improve business resilience. A C-Suite executive should be identified as the "sponsor" of the test and make sure all of the necessary resources are acquired. The business will benefit when the sponsor shares test results at the highest levels, including with the board.

Seek out expertise. A large company will likely have in-house risk officers or even a hybrid cyber risks officer who is capable of organizing a stress test. If that expertise isn't under your roof, seek out an expert who has combined knowledge of holistic and cyber risks management.

Know your goal. The brass ring of the stress test is minimizing impact of a potential cyber event. This involves identifying the key people and functions that are mission critical to the business, and prioritizing the order in which they are addressed during incident response, according to pre-agreed recovery time objectives (RTOs).

Make sure the right people are in the room. The main players in a cyber stress test are employees who have oversight of critical operations and who can affect change by relating findings up the ladder to seek buy-in to solutions. One smart idea: include some of your major suppliers in a stress test. This can help deepen your relationships with them and allow you both to gain insights into business continuity plans, and verify how you can rebound together.

Consider what employees are doing every day. "There's a lot of room for testing and validation," says Matthew Lewis, Associate Director, NCC Group, an information assurance firm in the UK. "You have systems that people are using day to day, but you don't necessarily understand their vulnerabilities. For example, a phishing attack can be mounted against most organizations that use email. Using a non-malicious link, you can simulate an attack to see how many employees would click on it. This gives you a view of what your exposure might be."

Invest time. You don't often get a group of this caliber focused on a common goal and spending time together. A full day or even two days is time well spent creating resilience across the company.

Be imaginative. The organizer of the test and exercises should be urged to put multiple bold scenarios before the group. For example, the overall test could include a scenario where a hacker gains access to financial functions. Another scenario could involve a human error internally that disrupts delivery of quality services. A third could be a systems crash at a primary supplier that halts production because vital parts are not delivered to the business.

Forewarned is forearmed. For the test to produce usable results, everyone involved must figure out how they will contribute to keeping the business running-or getting it back up to expected productivity levels-without access to the connectivity they have on a normal day. This is the core of the challenge: when the "disruption" begins, how completely do participants understand and enact the business continuity plan? How effectively are they communicating during the crisis? And how well does the plan hold up? Did it cost more than anticipated in terms of delays or cash flow?

Act on the findings. You should expect to find room for improvement in your business continuity and incident response plans. That's okay-that's why you undertook this exercise in the first place. The value of the test to the business is what you do with what you've learned-strengthening weak points in the plans and improving the ability of employees to execute them. In the end, that is how you proactively increase resilience to cyber risks.

Key takeaways

• A cyber stress test can identify weak points in business continuity and incident response plans.
• Organized properly, a cyber stress will have a C-Suite "sponsor" who can elevate findings to the board level for action, and drive mitigation changes at the operational level.
• Along with protecting data, bold scenario planning requires the test to include consideration of the broader impacts of a potential business blackout cyber event.
• You'll find room for improvement in how you respond to cyber risks-and that's the point of building resilience.