Let’s face it, when it comes to some realities it is best to not experience them at all. No one wants to experience a fire in their home or a devastating earthquake, tornado, tsunami, or pandemic. Similarly, no one wants their privacy stolen or the critical assets of their organization threatened. While we would like to avoid risks altogether, we know that they are part of reality; and while nothing tests our readiness quite like reality, we will perform better if we properly prepare. 

So, we prepare accordingly. We use risk management protocols to protect and defend against a variety of risks. An example of this is the auto-shutoff switches to our electrical breakers in our homes that prevent a surge in electricity which could cause a fire. We use seat belts to prevent injury from an auto accident. We also use incident response and recovery plans when risks do become reality. Conducting fire drills in schools, offices, and our homes help to prepare us if there is a fire and where we need to respond quickly to protect ourselves and others. We use documented playbooks and manuals sometimes when responding and recovering from a risk-turned-reality because emotions and anxieties can cloud judgement and impair decision making during the chaos of a crisis.  It is for similar reasons that we have cyber simulations; we prepare for a reality that we hope never occurs. We prepare because we know the occurrence is very possible, and perhaps, very probable in today’s world. 

Our understanding of the probability of a cyber risk occurring is similarly high. We know that it is common practice to talk about an inevitable hack, phishing attack, data ransom, or even network sabotage. We also know from security officers, risk managers, and administrators in our community that counties, government agencies, and organizations are not as prepared as they would like to be for the cyberattacks threatening their operations, stakeholders, critical assets, and overall brand. For a variety of reasons (including budget and staffing needs), counties may lack fully tested incident response procedures and fully detailed operationalized playbooks ready for use to mitigate cyber threats and to adequately respond to attacks before they become a crisis. 

There are likely many risks on this list that you feel highly confident about addressing if faced in reality. There are likely many as well that you are not very sure about your abilities to face effectively and that you may not even recognize. Finally, there are likely many others that you know for sure that you are not prepared to face with any level of confidence. 

In a recent cyber simulation we engaged in, 48 percent of participants said they have nothing in place to protect, defend, respond, and recover from a ransomware attack. Another 20 percent in the study said they had a defense defined, but it has not been tested. No one in the study felt highly prepared in their readiness to experience such a cyberattack. 

Collaboration is key to success when facing any of these risks – especially the riskiest of risks – ransomware. 

It is for this reason that the National Association of Counties (NACo) County Tech Xchange and the Professional Development Academy (PDA) have partnered to offer quarterly cyberattack simulations for leaders (https://www.naco.org/naco-cyberattack-simulation) – collaborating with one another in a highly facilitated, online program to increase readiness to address the riskiest of risks.   

The NACo Cyber Leadership Simulation

The overriding objective of any cyber simulation is to assess current risk management capabilities among individuals, teams, and key stakeholders. Most simulations assess how well that team of people can detect, defend, respond, and recover from a cyberattack. In addition to people, a well-planned simulation can also highlight readiness of planned processes and use of risk management technologies. In short, the purpose of a simulation is to assess current preparedness to develop action steps that will help close gaps from current state of readiness to a future ready state. That is exactly what these simulations accomplish. 

The objectives of each simulation are to: 

  1. Provide a certified test of incident management plans and associated cybersecurity and risk management playbook details aimed to detect, defend, respond, and recover from a cyber risk;
  2. Baseline current cybersecurity and risk management work capabilities relative to a cyber risk;
  3. Strengthen the leadership skills of incident managers leading the company through risk planning and incident resolution; 
  4. Improve the quality of the incident management plans and playbook details based on participant engagement in assessments, peer reviews, and best practice benchmarking; and 
  5. Develop immediate action improvement plans to strengthen people, process, and technical security controls.

Based on the request of the NACo CIO Forum and IT Steering Committee, cyber simulations have been scheduled quarterly, with each one being unique. Perhaps the best part, it’s FREE for you and your team. Click here to register.

Over 170 leaders collaborated starting in early March for the County Tech Xchange simulation. NACo and PDA encourage others to participate in the quarterly sessions – which are held online and facilitated by expert practitioners; and engagement is 100 percent free. Click here to learn more and enroll today. 

Contributed by: Luke Afeman | Professional Development Academy