Businesses Use Wargames to Battle Cyber-Criminals

How can organizations prepare themselves against an almost inevitable cyber-attack? All the technology in the world won’t be enough if an enterprise doesn’t have a comprehensive, well-thought-out plan to deal with a breach.

That’s where cyber-wargaming comes in. This incident-response simulation provides companies with a detailed approach for responding to a cyber-attack—to see how information is handled and decisions are made during a crisis.

Deloitte & Touche’s Risk Services recently held a demonstration of a sample wargame for the media. It featured a fictional retailer, You Living, undergoing a major cyber-attack. The goal of such simulations, according to the company, is to prepare business executives and government officials to “act decisively” and “stimulate executive dialog” about risks and “effective resilience strategies.”

Here’s the premise: You Living is expanding globally and is in the process of potentially acquiring three new companies. At the same time, it’s battling a key competitor: Xtreme Sales. The retailer uses a cloud-based mobile app that was built and is hosted by Mobile Analytics Solutions (MAS). Approximately 10 million You Living users are currently utilizing this app.

Then disaster strikes: You Living’s Website is hacked, and the purchase history of millions of its customers is posted online at www.iknowwhatyoubought.com. The site goes viral, and the attack makes the news—big time.  

The board is understandably alarmed, and the chairman asks the CEO to put together a team to handle the mess. The players in this unscripted scenario represent all the stakeholders who should be involved in a response to a real cyber-attack: the CEO, COO, CFO, CIO, CISO, CMO and legal counsel. This team must keep the chairman apprised of all events that occur following the breach.

One of the first questions the exec team asks the CISO is: Was our database breached, or was MAS’? To find out, the CIO must contact his counterpart at the cloud provider, and counsel must go over the contract and data-sharing agreement the firm has with MAS.

Moving Into Action

Then the team moves into action: The CISO hires a cyber-forensics team, while the CMO reaches out to a crisis public relations firm. The CFO sets up meetings with analysts to convince them that the company is on top of the problem.

Counsel contacts law enforcement agencies to see if they can shut down the rogue site. Unfortunately, it’s in a foreign country, so that’s going to be a problem. Counsel also alerts the company’s insurance company.

The CEO wants the team to come up with a plan to protect the brand and to keep customers coming to their stores and buying online. Should they offer incentives, he asks? He’s also worried about the company’s stock price, and wants suggestions for keeping it from sinking further.

The COO is concerned about employees and wants communications sent to them as quickly as possible to allay their fears. He also wants to provide an FAQ document telling employees how to respond to customers who are upset or angry.  

To complicate matters, the CISO announces that the database of their competitor, Xtreme Sales, has also been hacked, and it is blaming You Living for the breach—on the news. Plus, MAS’ CEO goes on TV and says the breach was not their fault—it was You Living’s.

At this point, no one knows for sure where the fault lies, so the CMO recommends not responding publicly to either accusation. He suggests holding some private, high-level conversations with the provider and the competitor. The CMO also wants the CEO to join a social media chat room to respond to customer and media questions.

The stock price is falling, traffic to the stores and online site is slowing down significantly, and social media comments are coming in fast and really furious. 

Then the chairman walks in and demands to know what the team is doing to solve the problem.

Every Executive’s Nightmare

This scenario sounds like every executive’s nightmare. Unfortunately, it’s happening more and more often.

“Cyber-incidents happen faster than anything most executives have dealt with before,” said Mary Galligan, director of Deloitte’s Cyber Risk Services practice. “Business decisions need to be made quickly, and the business side must be involved.”

“Cyber-security is increasingly a board- and CEO-level issue,” added Ed Powers, the national market offering leader for Deloitte’s Cyber Risk Services practice. “It goes beyond technology issues and impacts the whole organization.”

Though there’s no way for organizations to completely protect themselves from cyber-attacks, there are ways to plan for them in order to reduce the amount of damage they cause to customers, employees, partners, shareholders, the bottom line and the brand’s reputation.

One of those weapons is wargaming.