It is an all too familiar scene in offices everywhere: the fire alarm sounds, an official announces that it is a drill, and a collective sigh follows instead of any real engagement.
People slowly stand up, grab their coffees and smartphones, and shuffle toward the fire escape while chatting about their weekend plans.
It has become a compliance exercise that is rarely accompanied by any real sense of urgency or danger.
By Richard Ford, group chief technology officer at Integrity360
The first five minutes of a real emergency are critical, but when it comes to major cyberattacks there is no loud siren. There is often just a confused silence or a frantic phone call from an IT manager at 3am. Screens go black, or worse, display a ransom note with a countdown timer. Email stops working. Production lines halt.
Yet many South African organisations still prepare for cyber catastrophes without focusing on the “muscle memory” they will need, a reality that mirrors the sluggish fire drill. It isn’t uncommon for organisations to rely on a Cyber Incident Response Plan (CIRP) that exists as PDF files stored on a server, one that, ironically, may be encrypted by hackers at the very moment the plan is most needed.
But even if there are more than enough redundant copies of the CIRP (including paper copies), the uncomfortable reality is that a crisis rarely waits politely for you to read the manual.
The Mike Tyson effect
Mike Tyson famously said: “Everyone has a plan until they get punched in the mouth”. In the context of cybersecurity, ransomware is that punch.
There are executives who believe they are prepared because they have purchased the technology. They have firewalls, endpoint protection, and backups.
But proper cyber resilience is as much a matter of governance as of technology, and it is the governance that is tested during a crisis. When the digital lights go out, the questions that fly around the boardroom are not about IP addresses or server patches.
The questions are: Do we pay the R50-million ransom? Is it legal to pay? Do we tell our customers immediately and risk a share price collapse, or do we wait and risk a leak? Who is actually in charge right now?
These are not questions you want to be debating for the first time while a criminal syndicate is watching your internal Slack channels.
Muscle memory over manuals
This is why we need to move to modern, immersive “table-top exercises” – not the static versions that end up as polite meetings with biscuits. What is really needed is genuine wargaming, with simulations that mimic a crisis.
The biggest mistake organisations can make in their first few simulations is treating them as IT drills. They leave the C-suite out, assuming the “techies” will handle the recovery. This is a fatal error. A true simulation puts the CEO, the legal head, the HR director, and the communications lead in a room and subjects them to evolving pressure.
We need to test the human element. In a simulation we need to inject realistic stressors: news reporters calling for comment on a rumour, a leak of sensitive employee salary data, and the IT team going dark because they are overwhelmed.
We do this to build muscle memory. In a crisis, cognitive function drops. Panic leads to paralysis or rash decisions.
If an executive team has “played” this scenario three times before, they are much less likely to succumb to panic. They recognise the pattern. They know that the first report is usually wrong. They know who holds the legal authority to shut down operations. They act with the decisiveness of a pilot handling an engine failure, not a passenger screaming in the back.
The silence that kills
Often, the part of the simulation where organisations fail hardest is not the technical recovery, but the communication.
In the vacuum of information, rumour becomes fact. I have seen organisations technically recover their systems within 24 hours, but damage their reputation because they stayed silent for three days.
During a wargame, testing the “holding statement” is another valuable exercise. Training leaders to decide what to say to the public while they still don’t know the full extent of the breach pays dividends down the line. It is an excruciating balance between transparency and liability.
Practising this when your stock price isn’t actually crashing is the only way to ensure you get it right when it is.
A new standard for readiness
It is time to treat cyber drills with the same gravity we would treat a physical threat to our infrastructure. An unhackable, physical binder with a plan is not enough.
South African business leaders need to ask themselves: If our worst day happened tomorrow, would we be shuffling slowly with our coffees, hoping someone else knows the way to the exit? Or would we be moving with the precision of a team that has been here before?
The only way to know is to stop planning, and start playing the game.