Keeping Your Communications Systems Safe Takes Practice
You’ve worked with your security team to make sure communications software and systems are protected. You’ve probably created a set of policies and procedures, and assigned staffing, for additional protection. Daily you hear news about cyberattacks, data breaches, or ransomware, and think you’ve prepared well for such events. But have you?
That question is hard to answer, given that you can never know when an attack will happen, how bad it will be, and what resources your IT organization will need to address the problem. How does protecting communications software and systems factor into the rising costs of preventing and responding to attacks?
Can you plan for worst case?
What is the worst-case scenario? Professional hackers have good imaginations, so trying to predict what they might do could prove fruitless — chewing up your budget while draining staff resources. Rather than planning for the worst you might imagine, a better defense is to plan for “routine” emergencies.
Routine emergencies are difficult and challenging, but they’re also relatively predictable. This means you can prepare for them in advance with incident management, business continuity, and disaster recovery plans.
Planning an Attack Exercise
Don’t wait for an actual attack or crisis to put your plans into action. Be sure to run attack exercises, whether managed internally or by a outside consultant, too. These will allow staff to adapt to situations at hand and find new solutions if necessary.
When planning for a security attack exercise, consider:
- Management support — this may be hard to obtain because an attack exercise will interrupt business operations
- IT — needs to be an active planner in the exercise
- Design teams — Assign one team to the security design and one to create the exercise. These teams should work independently, and not communicate with each. You don’t want either team to be able to the other’s actions in advance
- Departmental involvement — Lines of business, human resources, communications, facilities, security, and any other department that might be affected by an attack should participate in the security design team
- Attack simulation — Assign a team to create and manage the attack. This could be a PC-based event or a full-scale attack that creates volumes of security problems
The biggest challenge is how the exercise will affect your operations, reputation, and customers. From a communications perspective:
- If you’re using VoIP services, you may lose your unified communications and contact center communications
- The exercise may disrupt 911 and hotline services
- Conferencing bridges may not work.
In addition, your company website may go down, the enterprise network may become unavailable and access to applications and information such as HR data, employee contacts, and vendor lists cut off.
Keeping Communications Open
Being able to communicate during the exercise is important, even if your VoIP services become unavailable. To keep communications flowing, consider setting up mobile services and possible outsource some communications functions, including emergency notifications.
Through the simulated attack, you might discover unexpected gaps in your security response plan. You might learn that some resources that you expected to use aren’t available and must be provided by a third party.
No matter how well prepared you think key players and executive management might be for an attack, you never really know if you’re ready to handle a crisis effectively. An attack exercise will let you know.