According to recent research conducted by Semperis, there is a genuine gap between feeling prepared for an incident and actually being prepared. When the lights go out, carefully written plans often fail as quickly as the crisis unfolds. Courtney Guss, Director of Crisis Response at Semperis, spoke about corporate preparedness, or the lack of it.
97% of companies say they train regularly for crises. Yet 76% of them still ‘got hit hard’. In practice, ‘training regularly’ usually means a once-a-year exercise, if that. On top of that come over-engineered, irrelevant scenarios, such as rehearsing a manufacturing breach when you are a retailer; the numbers do not add up. Faced with stale or irrelevant training, participants lose interest.
“… it’s not necessarily what you see in the news or what you read in a magazine. So it's really important to look at your threat landscape and to look at your risk management strategy,” Guss adds.
Many organisations recycle last year’s playbook, brushing up on outdated scenarios and passé assumptions.
There is also pressure from leadership: when executives see ransomware in the news, they ask for a ransomware scenario because that is what they are seeing.
It is organisation-specific risks, not headlines, that should shape response practice. Yet inertia and fear of the unknown keep most companies stuck.
A common domino effect Guss sees in the field: when a crisis hits, communication breaks down. Forget the tools; if the network is down, most people cannot reach key peers. The simple question of ‘who do I call, and do I have their number?’ becomes an ordeal that derails restoration efforts, sometimes ending with someone DM’ing a colleague on LinkedIn. Guss has seen critical hours lost just trying to scrape together phone numbers from scattered platforms and contact lists.
It turns out the best way to build readiness is not a perfect playbook but repeated, uncomfortable, and sometimes ‘failed’ practice. You need to practise like you play, and not enough companies rehearse under pressure or with incomplete information.
When the crisis hits, those who have only had rudimentary training often crumble.
“The best practice scenarios and the best exercise scenarios are the ones where we don't do well,” Guss explains.
Consumers have zero patience for outages.
“That ripple effect, I think oftentimes the technical teams don't recognise, and the business teams don't always understand how to respond because they don't typically work in a crisis setting,” Guss warned.
Stakeholders demand answers immediately, or they vent their frustrations on Twitter. Consumers are less forgiving than they used to be.
Asked why organisations stall, Guss attributes it to a sense of being overwhelmed.
“A lot of it can feel really overwhelming. And organisations oftentimes get discouraged, and they're not sure where to start,” Guss commented.
The takeaways are practical. Ditch the single annual exercise in favour of small, frequent drills: quarterly is the minimum, monthly is the goal. Use relevant, recent threats tailored to your sector and business priorities. Have an out-of-band communication plan: print the phonebook, store it offline, and keep it current. Establish business-driven recovery priorities: know which systems must come up first and how much downtime each can tolerate. Practise the backup plans, and agree on clear decision triggers for when Plan A is not working and it is time to move to Plan B.
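“Know which systems must come up first” is harder than it sounds once dependencies are taken into account: a system cannot be restored before the things it relies on, and its recovery-time objective (RTO) cannot be tighter than the RTO of anything beneath it. The following is an added example, written for this article and not code from Semperis or from Guss, that sequences a constructed inventory into a restoration order and flags RTOs the dependency chain makes impossible to meet. The system names, RTO values and dependencies are hypothetical, as is the simplification that a dependency must be fully restored before dependent work starts.

```python
"""Recovery sequencing: restore every dependency before the systems that
need it, and flag recovery-time objectives (RTOs) that a dependency chain
makes impossible to meet. Added example; inventory below is constructed."""
from collections import defaultdict

# Constructed sample inventory (hypothetical names, not from the article).
# Each entry: system -> (RTO in hours, set of systems it depends on).
SAMPLE_INVENTORY = {
    "identity":  (2,  set()),
    "dns":       (1,  set()),
    "network":   (1,  set()),
    "storage":   (4,  {"network"}),
    "erp":       (8,  {"identity", "storage", "dns"}),
    "web-shop":  (4,  {"identity", "dns", "payments"}),
    "payments":  (6,  {"identity", "storage"}),
    "reporting": (24, {"erp"}),
}


def recovery_order(inventory):
    """Return the restoration sequence as a list of system names.

    Kahn's topological sort with one twist: among systems whose dependencies
    are all restored, the one with the tightest RTO is restored first.
    Raises ValueError on a dependency cycle or an unknown dependency, since
    either means the plan cannot be executed as written.
    """
    for name, (_, deps) in inventory.items():
        unknown = deps - inventory.keys()
        if unknown:
            raise ValueError(f"{name} depends on unknown system(s): {sorted(unknown)}")

    dependents = defaultdict(set)
    indegree = {name: len(deps) for name, (_, deps) in inventory.items()}
    for name, (_, deps) in inventory.items():
        for dep in deps:
            dependents[dep].add(name)

    ready = [name for name, remaining in indegree.items() if remaining == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (inventory[n][0], n))  # tightest RTO first
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(inventory):
        stuck = sorted(n for n, remaining in indegree.items() if remaining > 0)
        raise ValueError(f"dependency cycle involving: {stuck}")
    return order


def infeasible_rtos(inventory):
    """Flag systems whose RTO is tighter than some transitive dependency's.

    Returns {system: binding_rto}, where binding_rto is the largest RTO among
    everything that must be restored first. Assumption (simplification): a
    dependency must be fully restored before dependent work can begin.
    """
    binding = {}
    for name in recovery_order(inventory):  # dependencies are visited first
        _, deps = inventory[name]
        binding[name] = max((max(inventory[d][0], binding[d]) for d in deps), default=0)
    return {n: binding[n] for n, (rto, _) in inventory.items() if binding[n] > rto}


if __name__ == "__main__":
    for position, name in enumerate(recovery_order(SAMPLE_INVENTORY), 1):
        print(f"{position}. {name} (RTO {SAMPLE_INVENTORY[name][0]}h)")
    for name, binding in infeasible_rtos(SAMPLE_INVENTORY).items():
        print(f"WARNING: {name} promises {SAMPLE_INVENTORY[name][0]}h "
              f"but a dependency may take {binding}h")
```

In the constructed inventory the web shop promises a 4-hour RTO while depending on a payments service with a 6-hour RTO, so the promise is unkeepable on paper before any drill is run. That is the kind of contradiction a tabletop exercise surfaces; checking the plan mechanically lets the drill spend its time on the unknowns instead.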