Cyber Security Stress Testing

What is a cyber risk stress test?

The objective of a stress test is to determine the critical systems, people and locations needed to continue to serve customers and how best to protect and recover them.

Regardless of the cause, the point is to assume that organisations are going to be without certain capabilities and resources. The idea behind a stress test is to determine the critical systems, people and locations they need to continue to serve their customers and how best to protect and recover them. This cyber scenario analysis and practice can help provide management with the information it needs to adjust risk profiles and response plans to better protect the enterprise.

Four reasons why organisations should conduct cyber risk stress tests

1. The actual cost of recovering from significant organisational disruptions, particularly in supplier networks, is up to 10 times more than what is typically allotted to cover them, according to Conrad. Increased dependence on cyber functions could mean even greater costs as a result.

2. Cyber attacks are considered a risk of high concern to doing business in several major economies, including economic heavyweights such as Germany, Japan, the U.S. and the U.K., according to the World Economic Forum’s Executive Opinion Survey 2015. Organisations that do business internationally will benefit from stress testing.

3. Cyber risks are interconnected. A Business Continuity Institute survey found that more than 55 percent of supply chain disruptions were related to unplanned IT outages.

4. Organisations have valuable data to protect, even if they don’t realise it. It’s not unusual for businesses that aren’t data-centric to think they have nothing to worry about. Cyber risks can have substantial effects at the operational levels of any business: production, logistics, and availability of services and resources. Disruptions at those levels can do real damage to the revenues and reputation of a business.

Top tips for conducting a cyber risk stress test:

  • Identify a C-Suite sponsor, ensuring that all of the necessary resources are acquired. Organisations will benefit when the sponsor shares test results at the highest levels, including the board.
  • Make time for testing and validation. Organisations use systems day to day but don’t necessarily understand their vulnerabilities.
  • Know the goal: identify the key people and functions that are critical to the business, and prioritise the order in which they are addressed during incident response.
  • Engage the right people. The main players in a cyber stress test are employees who have oversight of critical operations and who can effect change.
  • Include some major suppliers in a stress test. This can help deepen relationships with them, allow both parties to gain insights into business continuity plans, and verify how they can work together.
  • Invest time in the testing. A full day or even two days is time well spent creating resilience across the business.
  • Be imaginative when developing scenarios for the test. The scenarios could cover a hacker gaining access to financial functions, human internal error that disrupts delivery of quality services or a systems crash at a primary supplier that halts production due to vital parts not being delivered to the organisation.

  • Ensure that employees know how they will contribute to keeping the organisation running, or getting it back to expected productivity levels, using a business continuity plan.