The detection of ransomware attacks continued to rise in 2019 and 2020. Even though many in local government and business are not at all convinced that they have in place adequate “incident response” (IR) plans, they see having an IR plan as the best way to prepare for a security issue. Many local governments and businesses continue to rely far too heavily on these dated plans. In addition, many continue to perceive an IR plan as more effective than holding crisis exercises. A common response was that when they had practice drills, nothing seems to happen, and the most critical personnel were often missing. The current crisis is only exacerbating long-standing problems relying on out of date software and uncoordinated training programs.
Certainly, there is a critical need for more in-house, updated training and, certainly, not just in the IT department but across the organization. As one CEO put it: “Dusting off the three-ring binder crisis plan does not cut it today …”. When a crisis hits, few are thinking of the plan (if it exists). What is needed are “real-life, crisis simulation training that prepares organizations to effectively respond to security incidents.” Small, focused and frequent drills aimed at addressing specific risks should be a regular part of activities.
Unfortunately to government and business leaders the threat of attacks is not seen as a critical issue. Part of the problem, in many organizations, is that there is a misplaced confidence in the capabilities of the current cybersecurity system. Too often the very people who are called upon to respond in a crisis situation do not attend training sessions.
Increasingly staff working at home are creating more problems. Some in IT believe it is impossible to actively involve them. Unfortunately, both in local government and businesses there was no focus on the human elements in crisis response drills.
Very often, crisis response exercises end up being limited to technically oriented teams:
- Someone from the executive or policy areas was often lacking.
- Exercises would be run without including communication functions
- Many neglect to involve final users
- Very few have been running exercises related to the current Corvid crisis
Security and IT needs to focus on people in their organizations and avoid relying too much on more technology investments. Far too many IT managers seem to think that the best way to prepare for a crisis is to buy more tech. Furthermore, many of these same managers seem more concerned about protecting themselves legally than conducting exercises and drills to train people.
If business or service continuity (whether local government or business) is critical, it is exercises and drills that will make the difference not a selection of power point slides. As the current Coronavirus continues to impact local governments and businesses, it is clear more innovative responses are needed.