Cybersecurity: A Better Way to Test Readiness than Experiencing Reality
Let’s face it, when it comes to some realities it is best to not experience them at all. No one wants to experience a fire in their home or a devastating earthquake, tornado, tsunami, or pandemic. Similarly, no one wants their privacy stolen or the critical assets of their organization threatened. While we would like to avoid risks altogether, we know that they are part of reality; and while nothing tests our readiness quite like reality, we will perform better if we properly prepare.
So, we prepare accordingly. We use risk management protocols to protect and defend against a variety of risks. An example of this is the auto-shutoff switches to our electrical breakers in our homes that prevent a surge in electricity which could cause a fire. We use seat belts to prevent injury from an auto accident. We also use incident response and recovery plans when risks do become reality. Conducting fire drills in schools, offices, and our homes help to prepare us if there is a fire and where we need to respond quickly to protect ourselves and others. We use documented playbooks and manuals sometimes when responding and recovering from a risk-turned-reality because emotions and anxieties can cloud judgement and impair decision making during the chaos of a crisis. It is for similar reasons that we have cyber simulations; we prepare for a reality that we hope never occurs. We prepare because we know the occurrence is very possible, and perhaps, very probable in today’s world.
Our understanding of the probability of a cyber risk occurring is similarly high. We know that it is common practice to talk about an inevitable hack, phishing attack, data ransom, or even network sabotage. We also know from security officers, risk managers, and administrators in our community that counties, government agencies, and organizations are not as prepared as they would like to be for the cyberattacks threatening their operations, stakeholders, critical assets, and overall brand. For a variety of reasons (budget, staffing), counties lack fully tested incident response procedures and fully detailed operationalized playbooks ready for use to mitigate cyber threats and to adequately respond to attacks before they become a crisis. Consider the following list of threats. Are you prepared?