How do you exercise a cyber incident response plan?

Dec 7, 2023 | Cyber Incident Exercising

A new Cyber Incident Exercising scheme has been launched by the National Cyber Security Centre (NCSC).

The new Industry Assurance scheme has been created to help organisations practise their response to a cyber attack.

IASME is one of two delivery partners for the scheme and will manage the assessment, onboarding, monitoring and offboarding of providers assured under the Cyber Incident Exercising scheme on behalf of the NCSC. The assurance process confirms that the provider meets the NCSC’s rigorous standards for high-quality cyber incident exercising, with sufficient skills and experience of running cyber exercises such as tabletop and live-play exercises.

The scheme is aimed at incidents that fall into categories 3, 4 and 5 of the UK’s Cyber Attack categorisation system.

How do you exercise a cyber incident response plan?

Organisations that have good cyber incident response plans are best placed to respond to cyber attacks and can get back up and running again more quickly than those without. The NCSC Cyber Incident Exercising scheme allows organisations to test their incident response plans and make improvements before a cyber attack occurs.

Planning the response to incidents helps organisations be more coordinated and controlled in the most stressful of times. You’ll never be able to predict every cyber incident that might happen, but practising your response builds up “cyber muscle memory” and means you remove the element of surprise in an emergency situation. Most of the mistakes that get made in an incident response are around command, control and communication, so stress testing your plans through practising your response gives you an environment to make mistakes and continually improve.

How do you practise the plan?

There are a couple of ways to get started. Options range from something as simple as ringfencing time in a team meeting to ask the question “what would we do if we were hit by a cyber incident?” to the more formal approaches of tabletop exercises or live-play exercises where a technical attack is simulated in real time.

The NCSC provides a free tool, ‘Exercise in a Box’, that enables teams to work through various scenarios, test their plans and check they are still valid. Alternatively, a provider assured under the Cyber Incident Exercising scheme can design and facilitate tailored tabletop or technically simulated exercises that allow teams to practise and improve their responses.

Tabletop exercises are discussion-based sessions where participants talk about their roles and responsibilities, activities and key decision points (following their organisation’s incident response plan) in relation to a pre-agreed scenario.

Live-play exercises are more in-depth sessions in which participants execute their roles and responsibilities to respond to events in a real-world cyber scenario. Activities take place in close to real time, providing a realistic simulation of a cyber event. Live-play exercises are best suited to mature organisations looking for in-depth validation of plans.

There are a multitude of scenarios that might be applicable to your organisation. An NCSC assured provider will make sure any scenario is appropriate for your organisation’s size and complexity and will take account of what your most important digital assets are. So, if you’re an online retail business, think about the impact of losing your online payment platform, or if you routinely deal with sensitive personal data, what would happen if your system was locked and data stolen for ransom?

No matter how prepared you are, you will never be able to plan for every permutation of what might go wrong. Having a plan is always useful and, in most cases, obligatory for accreditations and standards, but the process of planning, and of regularly testing whether the plan is still relevant, is most beneficial.