Shall we play a game?
The suits at the PricewaterhouseCoopers consulting firm have figured out how to convince their corporate clients to take cybersecurity seriously: They built a hacking simulator. It has the strategic rigor of chess and the feel of a turn-based card game like “Magic: The Gathering.”
On Wednesday, news reporters got a sneak peek at “Game of Threats,” the unique computer game PwC presents to all types of executives at banks, retailers and others. It’s simple, intuitive and downright fun.
Normally, PwC ushers its clients’ executives into a room and splits them into two groups. Half play as hackers on the offensive. The other half is the unsuspecting Acme Corporation.
Each side gets playing cards with special abilities. For example, hackers can send scam emails laced with malware. But the company can train employees to avoid clicking on fishy emails. Hackers might use malware to lock employees out of their computers. But the company can restart its entire computer network.
The challenge is that money is limited and you can only make one decision per turn. Do you build up your team of experts? Invest in better tools? Or respond to the present circumstances? The wrong move might let hackers steal your company’s valuable intellectual property.
With 12 rounds of only 60 seconds each, you get fast-paced gameplay that mimics the stress of a real-life data breach. Sony and Home Depot didn’t get the luxury of time and perfect information last year. Neither do you.
“What this is at its heart is a critical decision-making game,” said Craig Stronberg, a consultant at the firm who designed the game.
PwC isn’t normally thought of as a cybersecurity firm. But that expertise is in high demand nowadays, and PwC has a dedicated staff of computer specialists, ex-military and hackers. Stronberg, for example, was a Defense Intelligence Agency analyst at the Pentagon.
The idea here is to give company managers — especially those with little technical expertise — better perspective. That’s why they play as both sides. The game is played for up to eight hours at a time by finance auditors, compliance employees and other boardroom executives, so they each get a taste of the battle their cybersecurity team faces every day.
All companies are under some kind of cyberattack. They range from low-level scam emails seeking employee access to coordinated attacks that bring down corporate websites. And 2014 showed how much damage they can do when they break in.
Last year, hackers stole more than 60 million credit cards from Albertson’s, Home Depot, Michaels, Neiman Marcus, P.F. Chang’s, Staples and SuperValu. Chinese hacker spies took business plans from power plants. Russian hackers broke into oil and gas companies. North Korean hackers destroyed computers at Sony Pictures.
“We’re at the point where CEOs are unbelievably concerned,” said David Burg, PwC’s top cybersecurity consultant. He cited a recent survey that showed more chief executives worry about cybersecurity than shifts in consumer spending.
Data from the Ponemon Institute shows the amount companies spend on cybersecurity has risen in recent years. But PwC thinks most companies don’t spend enough or misplace resources.
Hence, its war games. Players learn every time the hacking team wins, or Acme Corp. runs out of money, or is forced to host a press conference to admit it lost customer data.
The game penalizes Acme Corp. if it talks publicly too quickly without assessing the facts. But Acme gets a boost for eventual honesty. Sound like real life?
PwC said the top computer security executives at major banks were scheduled to play a few rounds on Thursday in New York City. But don’t expect to play this on your laptop or tablet anytime soon. PwC is keeping this one for clients only.