OPINION

Cyber attackers are increasingly exploiting moments when organisational defences are at their weakest—typically after hours or during periods of reduced staffing, such as a public holiday.

While employees power down for the day, threat actors ramp up, launching carefully timed ransomware attacks designed to avoid early detection.

What may seem like a quiet period for business can quickly escalate into a costly security crisis, exposing critical gaps in incident response and communication.

To make matters worse, in a scenario like this the company’s employees are completely disconnected from the office outside business hours, and no emergency contact number is listed on the company’s phone voicemail or website.

On Monday, they return to the office to find multiple voicemails from news outlets and law enforcement, who had tried to reach them about the breach after a ransomware gang posted the stolen data on the dark web.

Is this scenario far-fetched? Not so much.

I hosted a tabletop exercise with CISOs from many household-name Australian businesses for the purpose of role-playing a cyberattack on their organisation and testing out their response.

Here’s what they learned:

24/7 communication channels are key

In the scenario presented above, the first indication of a problem was a media outlet becoming aware of exfiltrated data being advertised on the dark web, late on a Friday afternoon.

The media outlet then attempted to alert the organisation about the exposed data.

But, as we discovered during the tabletop exercise, many organisations lack a clear process for receiving and routing such notifications, often listing only general contact numbers that aren’t monitored around the clock.

In this kind of situation, it’s essential for an organisation to have a way to receive the notification promptly, verify that it is genuine, and act quickly both internally and publicly to limit damage to systems and reputation.

It is common knowledge that hackers time their attacks to reduce the chance of early detection: 69% of organisations in Australia and New Zealand were hit with ransomware on a weekend or holiday, according to Semperis’ 2024 Ransomware Holiday Risk Report.

As the scenario evolved, several other issues emerged, leading many attending CISOs to realise their current cyber incident response plans fell short.

When to halt operations (and not)

During the initial phase of incident response, accurately determining the scope of compromise and selecting the most appropriate course of action at the organisational level can be highly complex.

Participants expressed differing views on whether an immediate disconnection from the internet is advisable upon breach detection, highlighting the risk trade-offs involved when acting without full visibility into the attack’s reach and potential impact.

This question was hotly debated, and there was consensus that the needs of the business should be the overarching determinant.

The organisation in this fictitious scenario provided technology to support critical national infrastructure – fibre optics networks and electrical systems for major power stations and data centres – so it had to maintain those services while it worked to counter the attack.

This meant it was put in the unenviable position of having to continue operating, knowing its systems had been compromised.

The importance of emergency internal communication systems

In the event of a cyberattack, your primary systems – including email, collaboration tools, and identity infrastructure – may be compromised or unreliable.

That's why having secure, out-of-band communication channels is not optional, but essential.

While apps like WhatsApp and Signal are commonly used in emergencies, they are not designed for enterprise-grade incident response.

Notably, the FBI has cautioned against using Signal for sensitive coordination during cyberattacks due to concerns around security, accountability, and lack of centralised management.

These tools may also expose communications to monitoring or tampering by adversaries if endpoints are already compromised.

Equally important is the need for procedures to ensure that the contact and participant lists for these channels are kept up to date as roles and responsibilities change, which happens frequently in many organisations.

Underestimating downtime from attacks is costly

Participants also indicated that their cyber incident response plans generally did not anticipate outages persisting for more than a few days at most, whereas, in reality, many organisations are impacted for weeks or months following a cyberattack.

The costs associated with excessive downtime can be devastating, with every hour costing potentially hundreds of thousands, or even millions of dollars, depending on the company, prompting many CISOs to rethink their incident response plans and add extra contingency.

A common conundrum: To pay or not to pay?

In the event of a ransomware attack, the question of whether to pay or not to pay was hotly debated.

There was consensus that paying was wrong, but this was not ruled out if it was the only possible means of saving the business.

Statistics gathered by Semperis found that 78 per cent of companies hit with ransomware paid the ransom, and 74 per cent of companies have paid a ransom more than once.

For 16 per cent of the companies that paid, doing so was a “life or death” decision necessary to save their businesses.

That said, paying the ransom is always a gamble and never guarantees a return to normal business operations: the research found that 35 per cent of companies that paid either did not receive decryption keys or received corrupted keys.

The takeaway

It is inevitable that every organisation will experience a major operational incident caused by a cyberattack.

Therefore, organisations must prioritise investment in operational resilience.

This means rebalancing resources to focus on response and recovery across all business functions, covering people, process and technology.

Having a crisis management platform that is completely isolated from the corporate network allows you to control the response, from internal and external communications, to legal, business continuity, and the technical response, while providing a real-time status and audit trail on preparedness.

You can’t prevent every incident or crisis, but you can control how you respond.

Simon Hodgkinson is a strategic advisor to cybersecurity firm Semperis. He was formerly chief information security officer (CISO) at BP.