Cyber Security and Cyber Resilience now consistently score highly, frequently number 1, on the list of CEO/CIO concerns in businesses of all sizes and industries. High-profile, highly damaging security breaches have gained massive notoriety because of the growing importance of, and dependency upon, information technology. Companies like Apple, Sharjah Bank, Sony, Aramco and the NHS have recently taken huge hits to their day-to-day operations or their brand reputation due to breaches or ransomware.
Recent surveys in a number of Middle Eastern nations found that:
- 75% of large organisations suffered a staff-related security breach during 2015
- Just over 50% of the worst cases were caused by human error
- On average, the companies who came under attack took between 14 and 31 days to recover
- Fully half of those targeted did not even realise that they were under attack
- Only 38% of organisations said that they were prepared for a cyber attack
Unlike in a Hollywood movie, a hacker breaking in to steal data is typically not someone with highly advanced equipment pulling off a specific heist. Modern attackers send a malicious e-mail to hundreds of thousands of people in the hope that even one recipient will click the link or open the attachment. This simple numbers game has led to a huge number of breaches resulting in the theft of, or damage to, vast quantities of data.
Human error is responsible for most data breaches, and is the main factor behind the majority of the worst data breaches of all time. A company whose employees handle digital data places its reputation and profitability in the hands of those employees, and in the belief that they will make good decisions.
Businesses from all industries are beginning to provide staff with cyber security training, though it is frequently insufficient and does not always adequately inform them about good practice. This is, unfortunately, a lot like teaching someone to drive a taxi without telling them any of the rules of the road. They can, in theory, drive the vehicle perfectly well. However, they put themselves and others at risk because they cannot match that theory to a real-world situation. As with most skills, Cyber Security and Cyber Resilience must be practised as well as preached.
Effective training in this manner is all about Attitude (awareness, understanding, commitment), Behaviour (doing what is necessary), and Culture (stop and think). You can have the best policy in the world, but a user who ignores it and takes home a USB stick with sensitive data still poses a risk. This is why a different kind of training is required.
We introduce Game-based Business Simulation, which drives learning home by example. These are interactive workshops in which teams of employees work on challenging issues within a simulated environment. Teams experience and practise real-life problems and challenges within the realm of cyber security.
Though each participant brings in their own knowledge and experience, they are able to work together to explore and experiment in a safe environment in order to discover what needs to be changed and applied in their day to day work in order to make them more cyber-resilient.
Within these simulations, the participants must work together to set up the Information Security Management System and policies for that particular situation, which includes identifying the information security strategy, policy, processes, procedures, and roles and responsibilities.
They then conduct the Risk Management process and, as in the real world, have to invest in controls within a limited budget. The team can decide to invest in improved systems, software, policy or procedures.
The simulation then tests the team's design in light of their decisions: a series of realistic cyber security events follows, closely modelled on both common and uncommon real-world examples. These events are unannounced. They must be detected, recognised and then dealt with by the team.
To respond to these events, the team have a range of options. Some cause delays, some are expensive, and others may be unpopular for a variety of reasons. It is up to the team to find the right balance between project delivery and security.
After each round of the simulation, the team are shown their project progress in terms of Security, Time and Cost. We then run a reflection round with the team, facilitating a discussion of the lessons learned.
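To make the mechanics of such a round concrete, the following is an added illustration written for this article; it is not the simulation engine used in the workshops. It models a threat register in annualised loss expectancy (ALE) terms, an exhaustive search for the set of controls that most reduces residual ALE within the budget, a replay of unannounced event injects against the chosen controls (prevented, merely detected and contained, or missed outright), and the Security / Time / Cost scorecard. Every figure, control name, delay and event inject is constructed for the example, and the rule that stacked controls multiply a threat's likelihood is a simplifying modelling assumption, not a claim about how any product scores teams.

```python
"""One round of a budget-constrained risk-management exercise, as a toy model.

Added illustration for this article: all registers, costs and events are
constructed for demonstration. Modelling assumption: residual likelihood =
base likelihood * product of the multipliers of every selected control.
"""
from itertools import combinations

# Constructed threat register: threat -> (annual likelihood, impact in currency units)
THREATS = {
    "phishing":        (0.90, 200_000),
    "lost_usb":        (0.40, 150_000),
    "ransomware":      (0.30, 500_000),
    "supplier_breach": (0.20, 300_000),
}

# Constructed control catalogue: control -> (cost, delay to the project in days,
# {threat: likelihood multiplier once the control is in place})
CONTROLS = {
    "awareness_training": (30_000, 2,  {"phishing": 0.5, "lost_usb": 0.6}),
    "mail_filtering":     (40_000, 1,  {"phishing": 0.4, "ransomware": 0.7}),
    "device_encryption":  (25_000, 3,  {"lost_usb": 0.1}),
    "offline_backups":    (50_000, 5,  {"ransomware": 0.3}),
    "supplier_assurance": (35_000, 10, {"supplier_breach": 0.4}),
    "soc_monitoring":     (80_000, 7,  {"phishing": 0.8, "ransomware": 0.5,
                                        "supplier_breach": 0.7}),
}

# Constructed, unannounced event injects: (threat, controls that prevent the
# event outright, controls that only detect it so the team can contain it)
EVENTS = [
    ("phishing",        {"mail_filtering", "awareness_training"}, {"soc_monitoring"}),
    ("lost_usb",        {"device_encryption"},                    {"awareness_training"}),
    ("ransomware",      {"offline_backups"},                      {"soc_monitoring", "mail_filtering"}),
    ("supplier_breach", {"supplier_assurance"},                   {"soc_monitoring"}),
]


def annual_loss_expectancy(selected, threats=THREATS, controls=CONTROLS):
    """Residual ALE = sum over threats of (residual likelihood * impact)."""
    ale = 0.0
    for threat, (likelihood, impact) in threats.items():
        for name in selected:
            likelihood *= controls[name][2].get(threat, 1.0)
        ale += likelihood * impact
    return ale


def choose_controls(budget, threats=THREATS, controls=CONTROLS):
    """Affordable subset of controls with the lowest residual ALE.

    The catalogue is tiny, so exhaustive search over subsets is fine; a real
    register would need a knapsack-style heuristic instead.
    """
    names = list(controls)
    best_ale, best_subset = annual_loss_expectancy((), threats, controls), ()
    for size in range(1, len(names) + 1):
        for subset in combinations(names, size):
            if sum(controls[n][0] for n in subset) > budget:
                continue
            ale = annual_loss_expectancy(subset, threats, controls)
            if ale < best_ale:
                best_ale, best_subset = ale, subset
    return best_subset


def run_events(selected, events=EVENTS, threats=THREATS, contained_fraction=0.25):
    """Replay the injects: prevented (no loss), contained (detected, so the team
    responds and pays a fraction of the impact) or missed (full impact, the
    'did not realise they were under attack' case)."""
    chosen = set(selected)
    outcomes = []
    for threat, prevents, detects in events:
        impact = threats[threat][1]
        if prevents & chosen:
            status, loss = "prevented", 0.0
        elif detects & chosen:
            status, loss = "contained", impact * contained_fraction
        else:
            status, loss = "missed", float(impact)
        outcomes.append((threat, status, loss))
    return outcomes


def score_round(selected, budget, controls=CONTROLS):
    """Security / Time / Cost scorecard shown to the team after the round."""
    spend = sum(controls[n][0] for n in selected)
    outcomes = run_events(selected)
    return {
        "security_residual_ale": annual_loss_expectancy(selected),
        "time_delay_days": sum(controls[n][1] for n in selected),
        "cost_spent": spend,
        "cost_incident_losses": sum(loss for _, _, loss in outcomes),
        "within_budget": spend <= budget,
        "events": outcomes,
    }


if __name__ == "__main__":
    budget = 100_000
    chosen = choose_controls(budget)
    print("chosen controls:", chosen)
    for key, value in score_round(chosen, budget).items():
        print(f"{key}: {value}")
```

Running it with a budget of 100,000 shows the trade-off the workshops are built around: the cheapest set of controls that most reduces paper risk is not necessarily the set that stops the injects, and a purely preventive spend leaves the team blind to whatever it did not buy a control for, which is exactly the "missed" outcome.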
Case Study: Large Organisation in UAE, Team Reflections
- Each function within the Organization is responsible towards security – It is not the responsibility of the Security team or the Managers alone.
- Active involvement and participation of business stakeholders as well as IT is critical to the success of Information Security implementation and improvement.
- Communication and feedback is necessary for recognising and dealing with security issues.
- The Organization needs to work towards a cyber resilient culture which addresses what the impact of not following policy & procedures can be
- Security policy, processes and procedures need to be periodically revisited to ensure they are fit-for-use and fit-for-purpose.
- Objectives and critical assets need to be clearly identified, classified and quantified, keeping in mind the intrinsic value of the assets
- Decisions for investing in controls need to have the right balance between the project (opening the exhibition on time) and security (minimizing risks and impact)
- The impact of not recognising, detecting and reporting security events and incidents as intended.
- All partner and supplier capabilities in the end-to-end chain need to be aligned with the Organization's Security Objectives.
With each reflection point the team discussed the improvements required at their Organization. Action items were documented for implementing improvements to their Cyber Resilience capabilities. The lessons learned from the business simulation were then translated into the teams' day-to-day work processes.
As we embark on the journey to transform our cyber security capabilities, we must remember that the real pitfalls which compromise cyber resilience are a lack of real-world experience and of practice in decision-making. Game-based Simulations allow employees to develop these skills and therefore drastically increase their resilience and effectiveness in real-world scenarios.
To know more reach us at firstname.lastname@example.org