How to use scenario testing to check your business response to security threats

January 22nd, 2020

As part of the penetration test to identify system vulnerabilities to external cyber attacks, the NCSC (National Cyber Security Council) has developed a series of scenarios for you to use within your business.

These are designed to help you imagine situations where your data could be accessed without authorisation or otherwise compromised. You can then work out what you would do if the scenario happened in real life, so you’re prepared in any eventuality.

Here are eight scenarios you may want to consider:

1. Lost laptop

Companies are offering flexible or remote working more and more, which means there’s an increased risk of devices being lost. Even senior staff might make the mistake of leaving a laptop on a busy train or leaving it unattended to pop to the buffet car.

If a laptop is lost or stolen, what steps can you take to keep data as safe as possible?

  • The person whose laptop it is needs to report the loss to the office as soon as possible.
  • Always encrypt user devices so that if they are stolen or lost the data is unusable.
  • Consider having software that can delete all the data, and log out of all sessions remotely.
  • Ensure you use strong passwords and consider simple laptop locks if you’re regularly using devices in public spaces like coffee shops.

2. Unauthorised device connected to internal network

Devices that don’t have permission to use your internal networks can sometimes connect without you granting access.

In this scenario, think about how you prevent this from happening. What security systems do you have in place? Do you restrict what users can do on their devices, or ask for additional authentication?

Include what provisions you have for guests to access your Wi-Fi, and include any BYOD (bring your own device) that employees use to access the network, as well as any IoT connected devices.

3. Compromised DMZ host

A DMZ (demilitarized zone) is a subnet that separates your trusted local area network (LAN) from untrusted networks. It keeps your most important data secure by limiting a cyber criminal’s access to internal servers, and it also limits access from the public internet.

However, a DMZ can be compromised, so it’s important to take steps to prevent that happening. Consider having an additional firewall in place, making it harder for a hacker to get in. Again, restrict who has access to your internal network and what information they can see.

Hackers can use a spoofed IP address to pretend to be another device on a network, so have something in place to prevent this, and plan for what you will do if a spoof is successful. And think about how you’ll secure your data if the DMZ IS compromised.

4. A phishing attack that leads to a ransomware infection

Understand how well you are protected against phishing emails, and how you could recover from a ransomware infection. This includes things like preventing malware damage, avoiding phishing attacks and backing up your data.

Go through your strategy if there IS a ransomware infection.

  • How will you secure or restore your data, and what processes do you have in place to ensure business as usual?
  • How will you communicate with your employees and customers while the infection is dealt with?

5. Mobile phone theft and response

In this scenario, the NCSC asks you to explore how you would be protected from a thief who steals a mobile phone and tries to use it to extract confidential information.

Consider how you keep devices safe and ensure that passwords keep data secure. Make sure all employees are trained on what to do if their phones are stolen or lost.

As with the laptop, make sure that data is compromised as little as possible. Have a policy in place for passwords, and if staff use their own mobiles, make sure they’re protected too.

6. Being attacked from an unknown Wi-Fi network

Here, everyone in your organisation needs to understand the risks of connecting to an unknown Wi-Fi network while they’re out and about, whether that’s at a client’s office or on public transport. It’s also important to be aware of the risks of running outdated software.

Again, work through how you and your employees keep smartphones and tablets safe and ensure that everyone is protecting data with the use of strong passwords. This scenario helps you to avoid phishing attacks and prevent malware damage.

7. Insider threat resulting in a data breach

The NCSC asks you to reflect on how your organisation would respond to an insider threat, specifically a user allowing unauthorised third parties access to sensitive information.

To do this, think through how you identify and understand a suspected data breach, how you control file sharing, including removable media, and your process for responding to and communicating about a data breach.

8. Apple malware

Understand the risks of using third-party software, and as you work through this scenario, discuss how your organisation would respond to the compromise of a third-party software supplier.

  • How will you manage any disruption to your business if a supplier is compromised?
  • How do you identify and control unauthorised access to your network, and what controls are in place for engaging with any third-party suppliers of services?


ATG helps businesses to work through these scenarios and can also support you with any potential risks that are specific to your company or industry.

We are able to offer advice on improving your security systems and on educating your staff to be more aware of risks too, so why not give our team a call today?