Over the past several years, I’ve had the pleasure of working with many financial institutions (FIs) reviewing and testing both their Incident Response Plan (IRP) for Cyber Security and Business Continuity/Disaster Recovery Plans (BC/DRP). I am pleased to say that most FIs have plans in place to deal with unplanned outages, whether cyber or disaster related. However, the effectiveness of those plans to truly protect the FI and its customers is highly dependent on testing the plan at various levels.
One of the challenges of testing is keeping people involved and excited about the testing process: getting them to show up for the tests and, more importantly, to follow up and modify their portion of the plan based on the test results.
I want to share with you an approach that I have used to instill excitement in team members for the testing process and to break the monotony and boredom associated with testing. This approach has been used in many FIs, at conferences, and at the Graduate School of Banking. It is currently being conducted at our Jack Henry Cybersecurity Forums, a free session hosted by Jack Henry for FIs across the country.
The key elements making this approach unique include interaction, collaboration, education, humor, and drama. I will highlight critical areas where you can customize your exercise to capture the best results. The exercise works best when representatives from each business unit attend along with the executive team, and requires a strong facilitator and advanced planning. Below is the process for executing the mock exercise:
Once the scenario and scope are decided on, it is time to portray the event through the narrative – the storyline the drill participants will follow. It should include dates and times, and portray interactions with employees, customers, vendors, etc. The idea is to make the storyline as close to an actual event as possible. The narrative should be delivered in phases, and after each phase, allow time for team members to address the situation. This helps maintain the participants' interest throughout the exercise, because everyone loves a story. Also, since participants will have to anticipate what the next steps and challenges will be, an air of suspense is generated that holds their interest.
I would also suggest using pictures and videos to enhance the realism of the scenario and magnify the emotional experience of the participants. Think: tornado/hurricane pictures, cyber attackers, screenshots from a ransomware attack.
For example, if the scenario is a cyber-attack in which customer and employee data was exfiltrated from the FI and is now being sold on the dark web, a few challenge questions would be:
The typical flow would be to provide a phase of the narrative and then present a challenge question. Once the challenge question is presented, allow time for the groups to collaborate and develop a response.
In addition to identifying the participants, also determine roles to be played by someone: an angry customer, a supporting vendor or support agency, a news reporter. Have the role players confront employees as they would in a real situation. Believe it or not, this type of confrontation helps set the stage for how a real event would unfold while driving emotion into the equation. This is another element that makes this approach more exciting and interactive – the dramatization of the event.
For some of the decisions made, have a group spokesperson share the results with the larger group so everyone is aware and can provide additional feedback. Someone within the group should also document the responses to the challenge questions and use the results to improve the overall BCP or IRP.
Below is the flow the exercise should follow:
In summary, the key to effective testing is ensuring participation by the key stakeholders on an ongoing basis. There should always be an attempt to determine better and different methods of igniting the testing exercise to keep participants involved. And remember, build and test your plan to get through an actual event, not just to satisfy the examiners.
Looking for free resources to help you bolster your cybersecurity strategies? Visit the ProfitStars Cybersecurity Awareness Resource Center today for tips and helpful insight to elevate your #FIcybersavvy!
Like this article? Subscribe to the Strategically Speaking blog to gain access to weekly articles from our industry leaders right from your inbox!