Cyber Training, Incident Management and Exercises

"Thankfully, we now live in a world where it is accepted that data breaches happen and organisations are more comfortable disclosing that they have been victim to an attack. However, with this welcome move away from victim blaming, organisations are now being judged more on how well they manage a breach.”

Brian Honan in Computer Weekly


PlanB Consulting has extensive experience in helping organisations be prepared for responding to cyber incidents. Read more about our approach below.

Cyber Incident Management and Reputation Gap Analysis

You may have spent a lot of time and money in ensuring that your organisation does not suffer from a cyber breach, but we know that no system is 100% secure. As per Brian Honan's quote above “your organisation will be judged on how you respond to any breach rather than whether you have had one in the first place”. So, how you manage an incident will be key to whether you are perceived to have managed it well or not. 

The SUNBURST hack in 2020 of the SolarWinds Orion Software and the compromise of 18,000 organisation's systems' including many USA Government organisations, shows that all organisations are vulnerable to a cyber breach.

The response to a cyber incident by large organisations such as Equifax, Marriot and Travelex are good examples of how not to manage a data breach. Many of the mistakes they made in their response could have been avoided by training, preparation and exercising.

To avoid your organisation making the same mistakes, PlanB Consulting can audit your organisation and assess your level of preparation.

Our gap analysis covers the following 6 areas:

  1. Risks  - Does your organisation understand what you have to lose during a data breach, including what is your critical data (crown jewels). Has a comprehensive risk assessment and audit been carried out on the organisation's cyber risks and vulnerabilities? 
  2. Technical Response - Are there plans and playbooks in place for dealing with the different cyber incidents the organisation could face. Does the organisation understand its recovery capabilities? Is there internally the skills and knowledge for dealing with a cyber incident? Have recovery and disaster recovery plans been tested?
  3. Crisis Management  - Does the organisations have crisis communications plans and procedures in place. Are these in line with good practice and do they take into account how the organisation would deal with different types of cyber incidents?
  4. Communications and Reputation Management.  Has the organisation got comprehensive communications plans in place? Do these plans cater for different types of cyber incidents? Do plans take into account dark website preparations and use of domains?
  5.  Third Parties - does the organisation have relationships or contracts with appropriate third parties which could fill in-house knowledge gaps and provide external expertise?
  6. Exercises and Training - What is the level of cyber knowledge of those who would respond to a cyber incident and what training they have had? when were existing plans last exercised and have cyber scenarios been exercised?

PlanB Consulting can carry out a full review of your level of preparation, maturity level if required and then produce a gap analysis which details the suggested work you should carry out.

To book an audit click here

Cyber Exercises

You are going to be hacked: Have a plan,” said Josef Demarest, of the FBI. "You should also test and exercise that plan". 

Latest cyber blog: What lessons can we learn from Marriott’s response to its Cyber Breach?

The hack of British Airways, Marriott, Travelex, Equifax and their responses have again highlighted the need for companies both large and small to be prepared for managing the external response to a hack of their systems. PlanB Consulting offers a wide range of different exercises for organisations to explore and practice their response to a cyber attack. This has included a full SIMEX (Simulated Exercise / Command Post exercise) for a Private Bank to Table Top Exercises for government organisations, emergency services and a number of fintech organisations.

In planning the scenario, we will plan it to be different from the standard business continuity or crisis management scenarios. The exercise will involve strategic response, be challenging and have media interest. The scenario will be credible and tie-in with current real incidents. Our exercise will involve the following:

  1. Strategic decisions, such as:
    1. When to tell stakeholders and customers there has been a possible breach. Different countries and USA states have different statutory reporting requirements and so the team will have to take this into account. Understanding the reporting requirements of GDPR.
    2. Whether to turn off systems if you suspect they have been compromised.
    3. Involvement of law enforcement.
    4. When to engage with the media.
    5. How to respond to any ransom demands.
  2. Communications with a wide variety of stakeholders.
    1. Managing the response to the media.
    2. Managing stakeholders across a number of time zones if applicable.
  3. Notification of various bodies governing data protection in countries you have operations in.
  4. Putting out guidance to stakeholders if personal data has been lost.
  5. Managing speculation and rumour.
  6. Managing the interface between those responding technically and those managing the incident and communications.
  7. Liaison with law enforcement and managing the forensic elements of the breach.

Read our blog post on Ten Lessons from a Cyber Attack Response Exercise

“The amount of time spent planning, preparing, communicating, rehearsing and exercising will have a direct bearing on your ability to survive, overcome and eventually benefit from cyber-attack. If little time is spent preparing and planning, the consequences will be severe and potentially long-lasting.”

Anon Senior Security Leader hit by a very high-profile breach at top ten global brand

Cyber Briefings for Senior Managers / C Suite

PlanB Consulting has carried out cyber briefings for a number of different organisations ensuring that their senior manager understands the threat, their existing level of resilience and some of the issues they will face during a cyber incident. These have varied from one hour to a half-day training session.

A typical agenda could include:

  1. The cyber incident landscape and review of recent incidents
  2. Understanding the different types of cyber threats
  3. Understanding your risk profile  - what do you have to lose?
  4. The role of the crisis management team/gold team / strategic team in managing an incident
  5. Crisis communications during a cyber incident
  6. Reporting the incident and GDPR requirements

"The training went well and was well received" - comment after a cyber briefing for the senior management team of a private banking and wealth management organisation.

All sessions are tailored to the needs of the organisation and the particular topics they want to cover.

Example of the type of case studies used in the cyber incident landscape 'What lessons can we learn from Marriott’s response to their Cyber Breach?' and 'Equifax UK - How not to manage the communications of a cyber breach'

Cyber Incident Management and Response Training for Teams

PlanB Consulting carried out its first Cyber Incident Management and Response Training course, in May 2017. The audience was the Business Continuity Coordinators of a Local Authority. Since this occasion, we have carried out a large number of cyber incident management training courses in both the public and private sector. All three courses have been different and bespoke to the client's requirement. PlanB Consulting has also developed a two day public training course 'Managing and Preparing for Cyber Incidents' which is marketed and delivered by sister company Business Continuity Training. Details of their course and the dates of the training are available here.

The course can cover a wide variety of different subjects:

  • Cyber Incident landscape and recent case studies
  • Understanding the different types of cyber threats including targeted and untargeted attacks
  • Preparing for a possible attack
  • Developing an incident response 
  • Decision making during incidents
  • Development of incident responses, including playbooks
  • Reporting cyber incidents and GDPR
  • Cyber insurance and third party support
  • Detecting, containing and responding to an attack
  • Managing the response alongside 'techies' - what information they want from you
  • Development a crisis communications strategy
  • Developing and running cyber exercises.

Recent blog post on the subject: 'What is the difference between a cyber and "normal" incident?'

Responding to Cyber Incidents, Plan Writing and Developing Playbooks

PlanB Consulting can help you develop the following:

  • Cyber incident management playbooks for specific cyber incidents such as ransomware, data breach or DDOs attack
  • Help develop playbooks which can help executive decision making, where decision are needed at short notice such as during a ransomware attack whether to disconnect all external internet connections.
  • Response Plans for managing the executive level response to a cyber incident.
  • Crisis Communications Plan including the preparation needed prior to a cyber incident.
  • Developing a cyber exposure risk assessment to understand your worst-case exposure if all organisation systems are compromised. 

Recent blog posts on the subject: 'What is a playbook and do you need one?' and an example decision playbook can be found here

PlanB Consulting's Model for Cyber Incident Response

The following diagram shows our model for incident response. Notice that only one quarter (red) is assigned to the technical response.


The four areas of response are:

  1. The IT Incident Technical Response covers the initial detection of the incident, triage and the first response to the incident. It includes containing the cyber security incident, eradicating the cause of the incident and gathering and preserving evidence. Finally, it covers recovering systems, data and connectivity and returning the system to normal operation.

  2. We believe at PlanB Consulting that the success or failure of your incident response is determined by the attitude of your stakeholders. If they think you did a good job in responding, then you were successful and if they dint your response fails. This is why a key part of responding to a cyber incident is the Reputation and Stakeholder Management. This requires preparation carried out in advance, a robust incident management plan and playbooks for dealing with specific incidents.

  3. With GDPR there are now designated time at which an organisation must report a cyber breach to the Information Commissioner's Office (ICO). They no longer have the luxury of being able to do a thorough investigation, identify the data which has been compromised and determine a list of effected stakeholders. The reporting to the ICO is the minimum report requirements and different agencies have different regulatory and statutory reporting. There is also the requirement of reporting the incident to the Police. We believe that you should have a robust plan in place dealing your organisations for dealing with Statutory and Regulatory Reporting, including GDPR, and that the plan should be exercised.

  4. Lastly, existing Business Continuity and Continuity of Operation's plans should also be used during a cyber breach. They should contain useful information on which system to restore first, which part of the organisation needs to be recovered first and how quickly. This can be found by looking at the organisation’s BIA and looking for each activity’s RTO, and their underpinning IT systems. The organisation should also have a manual workaround for an IT and telecoms failure, which can be used if external connections have been disconnected, or if staff have been told not to use their PC or laptops to access the organisation’s systems. 

Alongside the response area, the origination must have a robust incident management structure in place to manage the response to the incident.

Feedback from recent Cyber Training

Stuart Wadley Ports and Harbours - Rated Course: "Excellent" Comment: "Excellent Delivery, engaging and thought provoking"

Denise Bell HR - Rated Course: "Very good" Comment: "Liked the practical, no-nonsense approach"