Deloitte’s Cyber Risk Services group has launched new “cyber war-gaming and simulation services” that aim to unite those tasked with managing enterprise-wide responses to cyber-attacks.
According to Deloitte, its cyber threat war-gaming approach relies on thinking from the military and academia and incorporates lessons learned from war-game simulations conducted for multi-national companies, government entities, regulatory bodies and industry groups.
Deloitte co-authored the “After Action” report (PDF) for Quantum Dawn 2, a simulated systemic cyber attack on the U.S. financial system back in June 2013. More than 500 individuals and over 40 financial institutions participated in the excercise, which simulated a situation in which rogue code initiated a flood of erroneous trades and market oscillations that could lead to shutting down the market.
According to Deloitte, while many organizations conduct technical rehearsals of their incident response plans, that alone may not be enough.
Deloitte’s says its cyber threat war-gaming services go further than most incident response rehearsals and involve CEOs, CFOs, risk officers, talent officers, legal counsel, and corporate communications teams, as well as technical responders.
“Deloitte’s approach raises understanding and awareness of cyber threats among this wide range of responders, many of whom have typically had little exposure to IT security functions,” the company said.
Deloitte explained that its war-gaming services include a range of pre-packaged exercises and an inventory of threat scenarios and action components that can be customized to each organization’s risk profile.
“Business leaders are coming to accept that even with the best security defenses in place, cyber incidents will occur,” said Ed Powers, national managing principal of Deloitte’s Cyber Risk Services. “Although a well-constructed incident response manual is necessary, this alone does not create the reflexive judgment capability that organizations may need if a security incident becomes a true business crisis. War-gaming trains diverse teams of responders to act rapidly to reduce the business disruption and costs often associated with cyber incidents, as well as to minimize brand and reputation damage.”
“When a cyber attack threatens critical operations,” said Mary Galligan, a director in Deloitte’s Cyber Risk Services, “business leaders may need to make quick decisions to off-line core systems or applications. Executives may need to guide communications with media, customers, investors and regulators. Collaboration with law enforcement and industry peers may also be essential in limiting the exposure of critical infrastructure.” Galligan was formerly the FBI Special Agent in Charge of Cyber and Special Operations for the FBI’s New York office.
“Resilience,” notes Emily Mossburg, principal in charge of resilient services for Deloitte, “doesn’t start when an incident occurs. Preparedness for cyber attacks is a multi-layered challenge. It includes the design of infrastructure and applications, the building of necessary support relationships, and a broad, ongoing program to build a cyber-aware culture throughout the organization.”