Simulations and exercises are our bread and butter. It’s great to rehearse in a safe space, to test out crisis plans and teamworking before the real thing happens. But crises don’t come neatly diarised, in well-equipped conference rooms, so simulations can only be one element of your crisis preparedness efforts.
One principle we talk about in our wider crisis training and consultancy is that of prudent overreaction: treating a real-world incident from the outset as if it might be a full-blown crisis until proven otherwise, in order to dust off your plans and be ready if things do escalate. If they don’t: you’ve had a free exercise. If they do: you’re a step ahead in your response.
This week, we got to test our readiness, when my colleague turned up to our London HQ to find the office door forced open. We’d been the victim of a burglary over the weekend, and had some IT equipment stolen.
This was no bank heist, but when you work in our field, information security and operational readiness are obviously crucial. After we’d informed the police and established what had been taken, we used the experience to help test our own crisis plan and potential data breach protocol. Here are four things we learned:
Information security is a cultural thing, not a tick in the box
We’ve put a lot of effort into bolstering our information security as a business over the last three years, at all layers of our infrastructure. So while devices can always be lost or stolen, we have done a good job to ensure the data we hold is protected and we can quickly and securely gather information on what has or hasn’t happened. One of the devices lost didn’t hold client data, but did have weak password management – something for us to tighten up on. While we’re not perfect, repeated guidance to everyone about securely disposing of physical client materials we hold gave us pretty good confidence this wasn’t at risk even with an intruder in the office.
Building a shared information picture: a channel to collaborate, a channel to communicate
Facts emerge piecemeal, and getting people together at the same time is tricky (the people we needed were in different cities, travelling, in and out of phone contact). We used Slack, our primary internal communication channel, to create an ad hoc group to share information and notify each other, and a Google Doc template to collect known information, list actions and assignments, and record practical details (crime reference numbers etc.). We also had a call with our data security team using the Google Doc as a shared agenda.
Given how we work, it’s tricky to arrange synchronous calls and meetings at the best of times; working asynchronously but collectively in this way helped to keep a common information picture in one place.
Scenario planning, particularly with a potential data breach, takes judgment
Data being lost or systems being compromised aren’t the black-or-white situations you might anticipate them to be – particularly if you have multiple layers of encryption and device management. In practice, it’s important to have the expertise in the incident response team to work through potential scenarios, but also quickly assess their likelihood and impact. You can then make the judgment calls on which hypotheticals need acting upon, based on that risk assessment.
It’s unsettling not to be able to rule scenarios in or out completely, but recovering effectively from the incident ultimately demands that you decide where to focus your effort.
Prudent overreaction helps you identify real-world problems to fix, as you go
Prudently overreacting to this incident helped us put some of our own crisis templates and information security measures into practice, which highlighted the gaps and inefficiencies in some of our assumptions. Giving statements to police takes time; inventories are never as exhaustive as you think they are; guidance and templates live in too many places to lay hands on when you need them urgently. But whereas in a real crisis we might have been all hands to the pump, this smaller-scale incident gave us the opportunity to notice and log some of those learning points as we encountered them, to refine things for the future.
I’ve certainly had better Monday mornings, but though we’re a couple of laptops down, we’ve gained something from the sorry experience: a more resilient team.