Background

A key UK regulator wanted to review their cyber recovery capability to understand how prepared they were for a major cyber-attack on their organisation and what they could do to improve their capabilities in this area. Wavestone was engaged to drive this work over a 9-month period. 

What did Wavestone deliver?

Wavestone began by assessing the current maturity of their cyber-attack recovery capability. We met with various senior leadership teams to understand how different teams were organised, what current crisis management processes looked like and how they planned to maintain critical business activities as well as recover critical systems, applications and workstations in the event of a major cyber-attack (e.g. one similar to WannaCry). 

After presenting back our findings, we set out to create a roadmap to improve their cyber recovery preparedness. Critical to this activity was identifying what their most critical business activities and outcomes were, i.e. those without which they could not function. This helped steer the cyber recovery roadmap, allowing us to segment the implementation activities into 3 key areas:

    1. Crisis management and communications (e.g. crisis response plans)
    2. Working without IT (e.g. what do you do if you do not have BAU IT or data?)
    3. Rebuilding IT (e.g. workstation reconstruction)

When reviewing with the leadership team, a key piece of feedback was to provide implementation options for budgetary and resource planning. As such, we broke down the roadmap in terms of estimated costings, timings and contribution to preparedness (i.e. how much did we think carrying out a certain project, e.g. digital vault design, actually improved their cyber recovery preparedness). This provided more informed decision-making and helped with the next phase of planning (roadmap implementation).

Challenges

  • Covering all areas of the organisation – given that cyber-attacks typically impact all areas of an organisation, we needed to ensure that their cyber recovery strategy also covered the full scope of their organisation whilst still allowing for prioritisation and coordination between different divisions. We addressed this challenge by holding workshops with every divisional team, maintaining close contact with the project manager and ratifying the work with the executive team.

  • Providing an actionable roadmap – too often, clients are provided with implementation plans that fail to consider any constraints. To overcome this, we segmented the implementation roadmap into pragmatic implementation steps, considering estimated costings, timings and contribution to preparedness. Step 1 projects were lower investment but absolute priorities for improving cyber recovery preparedness; step 2 projects built on capabilities which would be established in step 1. Step 3 projects required significantly more investment but would provide a well-embedded recovery capability.

Results

  • Current cyber recovery capability assessed
  • Critical business activities captured across all divisions
  • Cyber business insurance reviewed and working without IT approach created
  • Implementation roadmap with clear investment options defined (including estimated pricing and priorities)

It has been a pleasure working with you and your Wavestone team too. You have brought some much needed expertise and thinking to the work we have undertaken with you and I appreciate both the professionalism and collaborative nature of the way you have worked with us.

       Head of Department, UK Regulator