How does an IT crisis exercise work?

Nine out of ten companies were affected by cyber attacks in 2020 and 2021. The resulting economic damage amounts to around 200 billion euros, more than twice as high as in the same period the year before. Active protection of cyber infrastructures, together with the continuous identification of security gaps, is therefore necessary for every company. However, setting up protective mechanisms alone is no guarantee that a company will not fall victim to a cyber attack. To minimize the possible damage, it is advisable to prepare for attacks in advance and to train employees to react quickly and decisively when one occurs.

IT crisis drills for quick response

The ability to react quickly is trained regularly in IT crisis exercises and acquired by employees step by step. Together with selected experts, the processes are analyzed, tested, evaluated and continuously optimized following the “Plan – Do – Check – Act” cycle.

Preparation phase: “Plan”

In the preparatory phase, the company’s existing procedures, processes and basic technical prerequisites are reviewed and analyzed. This creates a shared understanding of the starting situation across the entire team. The framework conditions (including the complexity of the exercise, its date, duration and location) are discussed in an initial kick-off meeting. An IT crisis team is assembled, and the goals and work packages of the crisis exercise are defined. The concrete steps are then worked out on the basis of a realistic exercise scenario.

IT Crisis Exercise Scenarios

In the context of emergency planning, scenarios developed specifically for a sector or a company can serve as a starting point. Technical developments and current threat scenarios should also be part of the exercises:

  • In the “ransomware scenario”, part of the company’s data has already been encrypted by the attackers when the exercise starts. The attackers have contacted the company and are demanding a ransom to decrypt the data. The emergency team must now prevent further spread and initiate all necessary recovery measures so that a timely transition back to normal operation is possible. The exercise also focuses on the necessary communication with employees and stakeholders.
  • In the “power failure scenario”, a large-scale, sustained power failure is simulated. In this situation, the emergency team must develop possible measures for maintaining the critical processes and keep emergency operations running for as long as possible.
  • In the “service provider failure scenario”, the main service provider that operates the company’s data center fails for an undefined period of time. The emergency team must enable emergency operation of critical business processes and a resumption of normal operations as quickly as possible.
  • In the “cloud infrastructure scenario”, a cloud service (e.g. Microsoft 365) fails for an indefinite period. The emergency team must analyze what options exist for running in emergency mode.
  • In the “location scenario”, a fire on the company premises is simulated. The emergency team must analyze the situation, evaluate alternative options, coordinate the transition to the alternative location as efficiently as possible and develop a solution for resuming operations.

Implementation phase: “Do”

In the implementation phase, the plan from the preparatory phase is carried out step by step, moderated and controlled by the expert. During the exercise, which usually lasts four hours, the participants are confronted with realistic emergency situations and must work through their reactions and decision-making processes. Ideally, the emergency team adapts flexibly to new developments and findings: by identifying strengths and weaknesses, additional measures can be derived, existing processes sharpened and employees trained on current events. So that the exercise achieves the desired learning effect, the intensity and complexity of the exercise can be adjusted as needed.

Evaluation phase: “Check”

The crisis exercise that has been carried out is evaluated and summarized, and recommendations for action are derived from the findings. The aim of this phase is to identify potential for improvement, structure it and, in the next step, act on the recommendations.

Implementation phase: “Act”

If requested by the company, the expert can support the revision of the existing measures and the conceptual design of the emergency and crisis management plans. In this phase, the focus is on the following points:

  • Necessary organizational and technical follow-up actions
  • Necessary optimizations in crisis communication (internal processes, structures and content)
  • Establishment of working groups (“lessons learned” workshops)

This extensive preparation for a possible emergency, which hopefully will never occur, enables companies to react in a targeted and, above all, quick manner if an emergency does arise. During an ongoing attack, even the coolest head will not be able to make all the right decisions spontaneously. Such an exercise, including detailed documentation, is therefore strongly recommended.

Are you thinking about conducting IT crisis exercises in your company? CyberCompare will be happy to support and advise you on this. Just send us an email and we will find the optimal solution for you.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.