When we talk about designing a great cyber-crime exercise, we always say that you need eight things to make it work. That sounds like good advice for a larger company, but what if you are in a smaller organization, say one with fewer than 300 employees? Can you still do this type of exercise? The answer is a resounding “yes!” A well-designed cyber exercise CAN be conducted in a smaller organization; it just takes some readjusting of the eight basics to make it all work.
#1. Senior Management Support
This is essential regardless of your company’s size. Right off the bat, senior management needs to understand that this exercise is likely to produce many learnings and issues that will need to be resolved after the exercise is over. It will also present topics that, in all likelihood, they haven’t thought about or understood deeply. This could easily make people feel uncomfortable, and leave them with quite a few unanswered questions at the end of the experience. Getting senior management support – and understanding – might be even more critical in a smaller organization.
Consider engaging your Board of Directors in the exercise. They have a very close relationship with the organization and will likely be intimately involved in any breach. Definitely bring them into the approval process, and, if it makes sense for your organization, maybe bring them into the actual exercise itself.
As you explore the topic, you will likely also need to provide some cover for the Technology and Information Security staff so the exercise doesn’t turn into a blame game or a witch hunt. Senior management may be able to help with this, too.
#2. A Willing Technology and Information Security Department
The Technology and Information Security departments need to be active planners in the exercise. At a minimum, you will likely need a couple of technology-oriented people to help you design the exercise. You need someone who understands the infrastructure, the applications, the network, and how your different locations or departments use information. You need someone to help determine the cause of the scenario breach and how it can unfold over time. Ideally, they shouldn’t be players on the response team (those who are being exercised); however, in smaller organizations you may not have that luxury. In that case, they may need to pull double duty (design team member and player), and you may need to remind them to “forget” all the information the design team created once the exercise begins.
#3. The Right Exercise Type
I would suggest doing an Advanced Tabletop exercise. Advanced Tabletop exercises have a Simulation Team, a group that interacts with your players as “the outside world” and gives them someone to “bounce” answers off of. For a cyber-crime exercise, we recommend four Simulators, two from the technology side and two from the business side. The players going through the experience need to have someone to interact with to solve their problems. This works by having the exercise player receive new information (an “exercise inject,” usually on a piece of paper) and, to solve the problem, they need to speak to a Simulator. The Simulator engages the player on the issues and may not agree with the player’s answer. In other words, the Simulation Team member causes your exercise player to think more deeply about a response, making them rethink their plan and response. Because of that, the exercise player will have a deeper and more valuable experience. In a smaller company, you may not be able to spare four people to act as Simulators, but try to get as many as you can. The more you can make your players think deeply about their plans, the better the experience – and the plans – will be.
#4. A Design Team that Addresses the Technology AND the Business Issues
We always recommend two design teams: An IT/Information Security Design Team and a Business Unit Design Team. A smaller organization, though, may not have the luxury of enough people to do both justice. You can have one design team that understands both the technology side and the business side, but you will still need to lay down the IT/InfoSec storyline before developing the business side injects.
The IT team might be made up of a couple of people who deeply understand the infrastructure, applications, and network environment. The business team needs to have a strong understanding of the mission-critical business processes as well as their recovery time objectives (RTOs). In some smaller companies, the IT “team” may be one person; likewise, the business “team” may be a single person. In rarer cases, there might be one team whose members understand both the IT and business sides of a scenario, in which case they can “change their stripes” mid-way through the design process, first acting as IT designers and then as business designers.
Whether you are able to pull together two separate teams or have to work with one team whose members will pull double duty, the first task is to do a deep dive on the technology narrative and develop the timeline of issues that happened before the exercise’s scenario date. The IT team will need to provide a very detailed timeline of what will be happening during the exercise. Once the technology breach timeline has been set, the business team (or the same people) can turn its attention to business-impact injects.
The business-side design focus should include issues that affect key lines of business, communications, and mission-critical activities. The injects they create should tell the story of the IT problem from the business’s perspective. As a last check before the exercise, go back and make sure the IT story and the business story still line up.
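The “last check” that the IT story and the business story still line up is easy to do by hand with a dozen injects and easy to get wrong with sixty. The following is an added example, not part of the original article or the author’s method: a small consistency checker over an inject list. It assumes a simple data model of my own (an id, a time in minutes after exercise start, a track of “IT” or “Business”, a summary, and the ids of the injects it depends on) and a constructed sample inject list that deliberately contains two of the problems the text warns about: a business inject scheduled before the IT event it reacts to, and a business inject that is not tied to any IT event at all.

```python
"""Consistency check for a cyber-exercise inject list (added example).

Data model is an assumption for this example: every inject has an id, a
time in minutes after exercise start, a track ("IT" or "Business"), a
one-line summary, and the ids of the injects it depends on.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Inject:
    inject_id: str
    minute: int            # minutes after exercise start (T+minute)
    track: str             # "IT" or "Business"
    summary: str
    depends_on: List[str] = field(default_factory=list)


def check_injects(injects: List[Inject]) -> List[str]:
    """Return a list of problems; an empty list means the two stories line up."""
    problems: List[str] = []
    by_id = {i.inject_id: i for i in injects}
    if len(by_id) != len(injects):
        problems.append("duplicate inject ids")

    # Lay down the IT storyline first: no business inject before the first IT inject.
    it_times = [i.minute for i in injects if i.track == "IT"]
    biz_times = [i.minute for i in injects if i.track == "Business"]
    if it_times and biz_times and min(biz_times) < min(it_times):
        problems.append("first business inject precedes first IT inject")

    for inj in injects:
        if inj.track not in ("IT", "Business"):
            problems.append(f"{inj.inject_id}: unknown track {inj.track!r}")
        # Every business inject should tell the IT story from the business side,
        # so it must hang off at least one IT inject.
        tied_to_it = any(d in by_id and by_id[d].track == "IT" for d in inj.depends_on)
        if inj.track == "Business" and not tied_to_it:
            problems.append(f"{inj.inject_id}: business inject not tied to any IT event")
        # A dependency must exist and must happen no later than the inject itself.
        for dep in inj.depends_on:
            if dep not in by_id:
                problems.append(f"{inj.inject_id}: depends on unknown inject {dep}")
            elif by_id[dep].minute > inj.minute:
                problems.append(
                    f"{inj.inject_id} at T+{inj.minute} depends on {dep} "
                    f"at T+{by_id[dep].minute}"
                )
    return problems


# Constructed sample inject list for this example (not from the article).
SAMPLE_INJECTS = [
    Inject("IT-1", 0, "IT", "Help desk sees repeated failed logins on an admin account"),
    Inject("IT-2", 30, "IT", "File server shares start being encrypted", ["IT-1"]),
    Inject("IT-3", 75, "IT", "Perpetrator posts a claim on social media", ["IT-2"]),
    Inject("BIZ-1", 45, "Business", "Order entry cannot open customer files", ["IT-2"]),
    # Problem: customers react to the post 15 minutes before it is posted.
    Inject("BIZ-2", 60, "Business", "Customers call asking about the post", ["IT-3"]),
    # Problem: not linked to any IT event, so it tells no part of the IT story.
    Inject("BIZ-3", 90, "Business", "Finance asks when order entry will be back"),
]


def sample_problems() -> List[str]:
    """Run the checker over the constructed sample."""
    return check_injects(SAMPLE_INJECTS)


if __name__ == "__main__":
    for line in sample_problems():
        print("PROBLEM:", line)
```

Run it as the design team’s last step before printing the inject cards; any line it prints is an inject that needs to be moved, re-linked to the IT timeline, or dropped.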
#5. Interwoven Narrative and Injects
The exercise story is told through exercise injects, and the injects must “dance” or “talk” with the cyber narrative. The exercise players have to tease the information apart, work with the Simulators to figure out what’s going on, and then improvise a plan. When they develop that plan, then the Simulators have to adapt to the new plan, and, in some cases, create new injects “on the fly” to make it all work. The narrative and the injects are constantly ebbing and flowing together to tell the entire story. This need to have the narrative and the injects be fluid during the exercise doesn’t change for a smaller company. In this case, it might be easier to keep track of changes and approaches with a smaller group of participants.
#6. Make it Public – “Out” the Perpetrator
Reputation is everything; this is even truer in a smaller organization. One of the key aspects of a cyber-crime narrative is the potential damage to the reputation of the company. As the exercise designer, you want to damage that reputation so the players have to handle the ramifications. In order to do that in this scenario, you have to expose the company and the situation at some point during the exercise. We recommend doing this early in the exercise by having the “perpetrator” post the story on a social media platform such as Twitter. (NOTE: Of course, you do NOT post a real Tweet. This would be done via “exercise magic.”)
To add a sense of reality, consider shooting a video from the “perpetrator,” which could be made using a smartphone camera video function. Have the presenter wear a mask or disguise him or her in such a way that they resemble many hacker videos, such as those done by Anonymous. These kinds of videos make the experience for the exercise players far more realistic. It doesn’t take a big A/V department to create something very realistic for your purpose.
#7. A Well-Honed After-Action Report
Due to the political issues with this type of exercise scenario, the After-Action Report (AAR) needs to be written carefully, perhaps even more so in a smaller organization. It needs to present what was discovered in a very positive light. After all, now that you know what doesn’t work or what you don’t have, you can fix it. The AAR will likely be viewed by executives, Boards, auditors, and others. You might consider preparing several versions of this report:
- Executive Summary for executives: A short summary of the findings and observations.
- Detailed AAR: A report for the teams that need to resolve the issues.
- Special section reports: Specific reports for particular departments to highlight findings and what they need to do to correct them.
- Regulatory/audit version: A report that’s somewhere in-between a short Executive Summary and a detailed AAR.
#8. Careful Exercise Follow-up
This exercise will likely reveal many, many issues, and, no doubt, many of them will be identified as “Urgent!” Large and small companies know they can’t fix everything at once. You need a careful plan of attack to get through all of the likely action items. Here are a few things to think about, no matter the size of your company:
- Get the report in front of the right people for acknowledgement and support.
- Develop a detailed punch list and prioritize. Get the right people to agree on the priorities.
- Strike while the iron is hot. Executives and business leaders want to resolve these issues and funding may become more available for this than anything else.
For smaller businesses, the risk of experiencing a data breach could be cataclysmic. Your executives and Board members are likely very aware of the effect that a data breach can have on an organization’s reputation. If the future is anything like the past, cyber incidents are not going away anytime soon, and life will only get more complicated. Plan your next exercise to be a cyber exercise. Focus it on the impact of a breach and how your organization will deal with it. Given the probability of a cyber event, you had better get going!
Notes:
“Recovery time objective” (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
Anonymous YouTube channel: https://www.youtube.com/user/AnonymousWorldvoce
When writing AARs we never use the word “recommendations,” but rather use “observations.” Many of our clients are in regulated industries and the word “recommendation” implies that they must do what we are saying, which gives them no opportunity to modify the observation for their particular situation.
Regina Phelps is an internationally recognized thought leader in the field of emergency management, pandemic and contingency planning. Since 1982, she has provided consultation and speaking services to clients on four continents. She is founder of Emergency Management & Safety Solutions (EMSS), a consulting and training firm. EMSS is a 100% woman-owned firm. A partial listing of clients includes: Northern Trust, LexisNexis, Whole Foods Market, McAfee, Duke University, the World Bank, International Finance Corporation, Microsoft, Liberty Mutual, AEGON, Wellmark, Stanford University, VISA, Principal Financial, Caltech Institute, Wells Fargo, Sentry Insurance, MasterCard, PG&E, International Paper and American Express. She is the author of Cyber Breach: What if your defenses fail? Designing an exercise to map a ready strategy and was a speaker at the 2016 CyberCrime Symposium.