How companies can recognise and deal with a cyber incident

Sign up for a free Exercise in a Box session

Experts warn that cyber criminals are dangerous and inventive and it is therefore important to look for new ways for them to be stopped.

One such measure is Exercise in a Box, a free online tool developed by the National Cyber Security Centre (NCSC), to help businesses find out how resilient they are to attacks and enable them to practise their response in a safe environment.

The Scottish Business Resilience Centre (SBRC) recently won the tender from the Scottish Government to deliver free Exercise in a Box sessions to organisations.

The nine-month programme is being run by SBRC's cyber team, supported by Police Scotland and other stakeholders, with organisations participating through a blended model of tabletop meetings and online sessions.

The programme is primarily aimed at small and medium sized enterprises (SMEs), charities, local government and emergency services.

Declan Doyle, head of ethical hacking at SBRC, says: “Exercise in a box is really about going back to basics, with pen and paper involved. It walks participants through a cyber incident scenario and looks at how they deal with it.”

He adds that SBRC had Ciaran Martin, the first CEO of NCSC who stepped down from his role this year, on a recent webinar. Martin said that large organisations often run unrealistic cyber incident scenarios, whereas they would be better to focus on situations that could actually arise.

“The scenarios in Exercise in a Box are very realistic,” says Doyle. “For example, one of the talking points covers an organisation taking a call from an employer who has fallen for a phishing email.

We talk through what everyone should do in such a situation. This would include checking whether there is remote access to people's emails, or if a communications strategy in place if the organisation was hit with a ransomware attack.”

SBRC ran Exercise in a Box internally to test it out and CEO Jude McCorry said she learned valuable lessons.

McCorry says: “My perception, that is probably shared by many others, is that dealing with cyber crime is something for technical people within the organisation. I realised it is for everyone – cyber could be called a team sport.”

She says that Martin made the valid point of saying there should never be a blame game if a cyber crime incident occurs. Instead, people should feel able to alert colleagues and managers to the issue and discuss it openly to resolve the situation as quickly as possible.

“This is the type of conversation that people across an organisation need to be involved in,” explains McCorry. “We're not asking people to fully grasp the technical aspects of cyber crime.

Exercise in a Box helps everyone understand the basics. It's designed to make people think about what they would do if a breach occurs. A CEO's job is to know what is happening and how to keep the business going.”

The next stage for Exercise in a Box is to continue to encourage people to take part, with a target of attracting 250 organisations within nine months.

Doyle says: “We want every organisation, regardless of how big or small they are, or what sector they are in, to use this valuable tool created by NSCS. It is an exercise that can be done over lunchtime and is really beneficial. We inform people of the sorts of questions they should be asking themselves about cyber security. We're not about trying to sell services; it's about helping the community.”

The Exercise in a Box sessions are free and are being targeted at organisations in different parts of Scotland.

Such is the demand for Exercise in a Box that October sessions are full, but bookings are being taken for November and dates will be rolled out for the months that follow. For more information, visit the website.