Lessons learned from tabletop cyber crisis exercise NOZON 2024
What do you do if your institution's systems are hacked? During NOZON weeks in March, many institutions realistically tested their preparedness for a cyber crisis with a tabletop cyber crisis exercise. What did they learn?
During the NOZON return day in April, institutions shared their experience of the cyber crisis exercise they conducted in March. We also asked institutions to let us know what lessons they learned during the exercise via an online questionnaire. You can read the most important lessons below.
Make sure you have an up-to-date Business Continuity Plan
It seems like an open door, but the exercises show how important it is that your Business Continuity Plan (BCP) is well-developed and up-to-date: make sure your processes and crisis procedures are correct and that the right people (and their current contact details) are in the plan.
Want to update your institution's BCP, but don't know where to start? SURF's Security Expertise Centre will support institutions with BCP templates and workshops. Keep an eye on the website for this.
Appoint a liaison for translation technical component
Designate a single liaison between the operational-technical layer and the crisis management team (CMT). Often, this is now a person who already has one or more roles in the crisis procedure. To make a good translation between the operational-technical layer and the CMT, it is necessary that this person focuses only on this. Work this into your BC plan.
Involve the works council / participation council in the exercise
Involve someone from the works council or participation council in the preparation of your exercise. These are pre-eminently people who know what is going on in the wider organisation, making your exercise more realistic. In addition, the works council or participation council is an important stakeholder, especially during a long-term crisis. So it is also good for them to start thinking about their role in a crisis.
What else stood out
- Institutions put a lot of time into making the exercise feel as realistic as possible. From a simulated visit from the local RTV broadcaster to developing a media simulator of sorts, in which they emulated Microsoft Teams and their social channels, for example. But also by looking closely at current vulnerabilities in their own systems. Everything was pulled out of the closet.
- It was also nice to see how participants practised with different exercise objectives: testing crisis procedures and/or practising with roles in the CMT, or just technical testing of a system.
- Several organisations incorporated a physical and a digital crisis into one scenario to practise from multiple security/integrated security areas.
Also doing a tabletop cyber crisis exercise?
Were you unable to participate in this edition of NOZON? No problem. With the manual below, you can get started yourself at any time. You will find several crisis exercises you can organise.