CSC is prepared for trouble

The details of the exercise are not public information, but I would like to share my thoughts on some lessons learned from the exercise with everyone who is concerned about and responsible for the functional capacity of their organization and Finland as a whole in the event of cyber incidents.

The aim of the TIETO20 exercise was to practice, identify and deal with cyber threats, but also practicing to recover and restore operations. The exercise was directed to companies providing critical services for the society

The exercise tested the abilities of the participants in terms of continuity management, incident response, and crisis communications. The Finnish National Emergency Supply Agency website has more information about the exercise.

Participating in this cyber exercise, as well as experiences in real-world situations, once again reminded us of the need to prepare for risks in advance in order to ensure adequate security. When an incident is already underway, it is often far too late to avoid damage. Once data has been leaked, it can rarely be recovered. The same applies to damage in reputation and trust.

When a security breach, data leak or a serious interruption of service is in progress, the focus must of course be on resolving the incident at hand. At that moment there is no time to create new processes or develop built-in security for services.

With data security incidents, identifying the entire event chain is often very complicated as there often are many parties and components involved. Crisis communications and crisis management in particular are also very challenging tasks. Actions taken during incidents are often hurried and based on inadequate information. Instead of information, you often get noise and sometimes even disinformation.

When a crisis is already at hand, you typically can’t prevent it anymore. At that point, the focus must be on preventing further damage as much as possible. The most important and effective efforts to avoid crises and reduce damage are made in advance. The quiet and indispensable work that data security, information management, development projects, contract managers and communications do to secure operations is our best protection against cyber incidents. Security authorities have an important role to play, but they cannot protect us from cyber incidents alone, and the greatest responsibility lies with individual organizations and people. A well-known saying that security is only as strong as the weakest link is very much true.

When resources and schedules are tight, the security of services is easily compromised. Security is mostly quite an abstract objective and the benefits of proper security are manifested in the fact that harmful events will not happen again in the future.

Security rarely comes at no cost. Usually it has some kind of price, which is reflected in money, schedules and, in the worst-case scenario, a decline in service flexibility and availability. Security measures that reduce risks include security agreements, security audits and certifications, facility security, testing for vulnerabilities, hardening services, monitoring services, safety instructions, and a commitment to security by the leadership.

An essential foundation of security is also security training and security awareness. Having people commit to security requires not only knowledge and an understanding of risks, but also honest respect for people with different roles and backgrounds. Listening is a two-way street. My rule of thumb is that people part always counts for more than half in data security.

I was placed in a very nice and professional team for the TIETO20 exercise. We managed to define the responsibilities and tasks well and I think that we worked very effectively, even though the exercise was a flood of cyber events. I believe that the key to our success was the entire team committing to security and that we all had knowledge and experience of how to act effectively and responsibly in crisis situations.

In the event of cyber threats, it is important that we have security instructions, defined roles and technical solutions for detecting threats and responding to incidents. These should be determined ahead of time, before encountering a serious cyber threat.

At CSC, we have been rehearsing for cyber threats for several years. For example, CSC has worked together on cyber exercises with our European research network GÈANT.

CSC’s ISO 27001 information security certification also requires cyber training. Practice is also included in several data security requirements of the central government. Exercises are often a more effective way of improving security than just instructions and agreements, even though they are important functions as well.

I think that we could start practicing more and carrying out exercises more often with CSC’s stakeholders. For a long time now, there has been talk about cyber training among the data security officers at universities, and it would be important to move this initiative along. Several higher education institutions have good expertise on cyber exercises.

We are also happy to cooperate in the form of cyber exercises with our other customers and stakeholders, as far as possible.

Urpo Kaila
Urpo Kaila is the Head of Security at CSC