In recent days computers from the University of Twente had been encrypted, confidential data had been stolen and we were being blackmailed. At least: that was the scenario of a crisis exercise that we participated in. In reality, fortunately nothing was wrong.
We participated in the exercise to find out to what extent we are prepared if such a cyber crisis really occurs and to practice how we can best respond. It was sweating. Our IT staff had to look for traces of the hack and try to repair or limit the damage. Management came under time pressure for important choices (for example: do we pay the hackers to get our data back?). And the communication department had to inform all affected employees and at the same time prevent damage to the image in the press. To make the exercise as realistic as possible, network infections were actually simulated, as was (social) media attention, contact with the hacker, questions from employees and messages from service providers.
The exercise was a success. All colleagues involved participated very intensively and seriously, so that we could see how a real crisis would go. The emergency plan was well executed and the decision-making method applied and that provided peace, there was no panic.
At the same time it became clear how much such exercises are needed. When you think about the consequences of such a hack, there are always issues that we need to improve in infrastructure and processes. In the coming period we will continue to evaluate and implement improvements.
About the exercise
Firms pay a lot of attention to fire safety, first aid and other preparation for emergency situations. As we become more and more dependent on digital systems, it becomes even more important to also pay attention to cyber security. We hope to improve this with these kinds of exercises. This cyber crisis exercise, called OZON, was organized by SURF, the ICT cooperation organization for educational and research institutions. Around 50 institutions and 1200 people throughout the Netherlands participated.