Vertical Structure launches Exercise in a Box workshop
Arts & Business NI
Exercise in a Box is a business continuity and disaster recovery exercise
Arts & Business Northern Ireland is a charitable organization that forges creative partnerships between the private and cultural sectors. The company helps artistic organisations work more closely with the commercial sector – be they from performance arts, literature, films, libraries or museums.
Like many small- to medium-sized enterprises (SMEs), A&B NI hasn’t historically had a tremendous budget to focus on cyber security. With the media awash with stories of frightening cyber attacks and data breaches, it can be confusing to know where to start. A&B NI recently partnered with Vertical Structure to help them understand where to begin.
“Cyber security can be intimidating, but the sad reality is that charities are just as much of a target for bad actors,” says Vertical Structure’s director of cyber security Simon Whittaker. “Unfortunately, hackers don’t discriminate.”
Simon always advises that organisations make use of the many free tools that are available. “We want businesses to be able to help themselves first,” he says.
To that end, Vertical Structure has launched a new workshop in which it helps organisations walk through the government’s Exercise in a Box.
Exercise in a Box is a completely free set of online tools produced by the NCSC (National Cyber Security Centre) that “helps organisations find out how resilient they are to cyber attacks, and enables them to practice responses in a safe environment”.
Simon says, “Companies can walk themselves through NCSC’s tool at any time. But in our experience, we’ve found that many businesses need a bit of help and direction to make the most of this tool. They can benefit from the advice that we can deliver around the tool.”
Simon Whittaker and Lukasz Mrozowski, cyber security consultant, hosted a workshop for A&B NI to run through the ‘Business continuity / disaster recovery’ exercise. There are several other exercises available, but this was deemed a good starting point.
A&B NI’s IT manager attended the workshop, alongside CEO Mary Nagele. The tool includes conversational prompts as well as technical questions, so it works most effectively when key staff are in the room.
Simon set the scene by discussing how cyber security has changed in the past few years. “There’s been an evolution of hackers in the past five years or so. They’re not just criminals anymore – they’re ruthless businesspeople. Hacking is an organised crime.”
He went on, “Small and large organisations say the same thing: 95 per cent of cyber problems stem from users clicking on links. Once an attacker gets into your system, the average time before detection has been reported to range from 14 days, according to Trustwave, increasing to as much as 78 days, as reported by Mandiant.
“Either way, with a hacker spending that much time on your network, a lot of damage can be done.”
The exercise is designed to be rooted in reality – it demonstrates to organisations what it will be like if they get compromised by cyber attackers – thereby illuminating where any vulnerabilities lie.
The exercise included a Q&A round that covered topics such as:
- ID’ing fake / phishing emails – how employees know a risky message isn’t safe
- What do employees do with such emails? Is there a formal process? Do employees feel comfortable raising alerts?
- Access to network, e.g., who can install new apps?
- Virus protection software – when and how updates are handled
- Legacy systems such as CRM, accounting, operations system – and how and when they are updated with security patches
- Data backups – how, when, and who monitors them
- Agreeing software expenditures with board and ensuring board members understand the critical nature of cyber protection
- Striking a balance between risk and reasonable expenditure – because no SME can spend their whole IT budget on cyber protection
Mary Nagele, CEO of A&B NI said, “This was a really practical exercise that gave us the tools to help detect and respond to phishing attacks. It also identified potential vulnerabilities around current back-up solutions and supported us in developing procedures around what to do should a cyber-attack occur.
“Although this can be terrifyingly illuminating, it’s so much better than having to figure it out in a real-life scenario! This was definitely time well spent!”
Simon added, “While this scenario involved a lot of discussion, there are also Exercise in a Box workshops that are more practical or technical in nature.” One such workshop is detailed below.
Companies interested in booking any of the Exercise in a Box workshops are invited to visit www.verticalstructure.com.
Other Exercise in a Box Workshops
Technical Scenario -- Main challenge
There is a compromised machine communicating on your network. Your goal is to locate the compromised machine and stop the communication.
- View the network traffic and provide your facilitator with the hidden three-word code
- Access the compromised machine remotely and provide your facilitator with the second three-word secret
The time each challenge was completed should be recorded by the facilitator in the tool.
The exercise is finished either when the team has stopped the Simulator or when the facilitator has chosen to end the exercise. The facilitator should ensure the relevant time inputs have been correctly entered in the tool before gathering the participants for the exercise wrap-up session. The Simulation exercise summary phase will guide the team through questions to understand the successes and lessons learned during the exercise.