Challenging Insecurity:
A ROADMAP TO
CYBER CONFIDENCE
CONTENTS
Editorial  03
How to Use Cyber Threat Intelligence to Make Good Decisions 06
When the Virtual and Physical Collide: The Need for a Joint Approach to Cyber and Physical Security 13
Q&A: Cyber Confidence and the Legal Risks Associated with a Cyber Security Incident 18
Shockwaves, Ripples and Dominoes: Identifying and Addressing Systemic Cyber Risks 22
“When it Hits the Fan, You Need a Plan”: Getting Incident Response Preparation Right 29
In Recovery: The First 24 Hours of a Ransomware Attack, and Beyond  34
Q&A: What Drives Over- and Under-Confidence in Cyber Security? 39
CHALLENGING INSECURITY: A ROADMAP TO CYBER CONFIDENCE
© S-RM INTELLIGENCE  RISK MANAGEMENT 2021
EDITORIAL
This past year has reinforced the challenge of confidently
predicting the future. What we know for sure, though, is
that the future will feature difficult conversations between
organisations’ senior leadership and their information
security teams about the state of their cyber security. There
will be discussions about the size and composition of cyber
security budgets, avenues for innovation, and debates about
the effectiveness of ongoing programmes.
Because these cyber security discussions can be complex, it can
be difficult for stakeholders to feel confident in their decisions.
Indeed, a recent survey of US and UK cyber security professionals
found that 70% lacked confidence in their organisation’s security
posture.[1]
However, senior leadership teams make challenging
decisions all the time. There is no reason why they shouldn’t
have the same comfort discussing their cyber security posture
as they do other core elements of their business. So, what’s
holding people back? What is driving their insecurity?
This report shares our perspectives from our work with
hundreds of business and information security leaders. We
want to demystify the drivers of insecurity in the cyber security
realm. In so doing, we can map a path toward cyber confidence,
highlighting various areas that bring focus to decisions, increase
clarity around relevant risks, and raise the effectiveness of a
security programme along the way.
EDITORIAL:
SIMPLICITY,
VISIBILITY AND
FAMILIARITY
BY JAMIE SMITH, HEAD OF CYBER SECURITY, AND BILLY GOUVEIA, SENIOR MANAGING DIRECTOR, CYBER SECURITY
EXPERIENCED A CYBER INCIDENT? +44 (0)20 3657 0588 | +1 646 895 6538
SIMPLICITY: FOCUS THE DISCUSSION
The leaders of Berkshire Hathaway, Warren Buffett and Charlie Munger know a thing or two about making good decisions.
They wrote in a shareholder letter, ‘Simplicity has a way of improving performance through enabling us to better understand
what we are doing.’[2]
Sounds straightforward. Yet simplifying a decision can be easier said than done, particularly when it
comes to cyber security. Indeed, rather than encouraging simplicity, media and industry reporting often does the opposite
with commonplace headlines about the “complexity” and “ever-changing” nature of the cyber threat landscape. Whilst
some of this analysis is valid, it is hard for decisionmakers to discern what should demand their attention.
Similarly, the rise of cyber risks has dramatically increased demand for cyber services. In turn, billions of dollars of capital
has fuelled new companies, products and services.[3]
Yet amongst all this exciting innovation, many organisations end up
purchasing expensive security solutions which they then struggle to use. Under the pressures of relentless threat reporting
and unfamiliar technologies, it is unsurprising that leaders are concerned about buying ineffective solutions to problems
they don’t understand. Focusing on your organisation’s key security objectives is a good way to start introducing clarity and
simplicity to the discussion. Once you’ve established what it is you want to achieve, breaking each decision down into the
individual actions needed to actuate it becomes a far more straightforward process.
VISIBILITY: SURFACE KEY INFORMATION
The second component of confident decision-making is having the right information. Unsurprisingly, a recent survey of
US cyber security professionals found that the greatest factor in diminishing confidence in a security programme was poor
visibility into its effectiveness.[4]
The concerns include difficulties gaining visibility across an IT environment (e.g. where is
our data?), sorting through too much threat information (e.g. what is all this telling me?), and translating cyber risks into
business priorities (e.g. how do we protect the availability of our customer-facing systems?).
With executive teams already wary of growing cyber security budgets, a recent report surely raised eyebrows with the finding
that the number of cyber security tools an organisation implements could actually have a negative impact on security.[5]
Organisations using more than 50 security tools ranked themselves 8% lower in their ability to detect an attack and 7% lower
in their ability to respond to an attack, than those with fewer tools. The findings confirm that there’s no technological silver bullet when it comes to cyber security. Rather, confidence will stem from focusing on the right information, not accessing as
much of it as you possibly can.
FAMILIARITY: PRACTICE DECISION MAKING
Deborah H. Gruenfeld, a Professor of Organisational Behaviour at Stanford, has written extensively on the subject of
confidence. Her writing explains how regular practice in a particular discipline not only builds confidence, but also improves
quality.[6]
So what does “practice” mean in the context of cyber security? It means decisionmakers regularly engaging in discussions
in a clear and informed way. It entails stakeholders with differing areas of expertise taking the time to understand their
counterparts’ roles and responsibilities. It includes communicating with each other frequently enough to establish trust and
credibility before decisions must be made. All these themes come together in cyber response exercises, which leadership
teams are increasingly undertaking as they seek to practice their response and raise their confidence to manage a cyber
incident.
[1] “Cyber confidence: building a trustworthy security posture”, Nominet Cyber Security.
[2] “Keeping Things Simple and Tuning out Folly”, FS, September 2015.
[3] “2020 Roundup of Cybersecurity Forecasts and Market Estimates”, Forbes, April 2020.
[4] “State of Enterprise Security Posture Report”, Cyber Security Insiders, 2020.
[5] “IBM Study: Security Response Planning on the Rise, But Containing Attacks Remains an Issue”, IBM News Room, June 2020.
[6] “How to Build Confidence”, Harvard Business Review, 29 April 2011.
A ROADMAP TO CYBER
CONFIDENCE
Our overarching goal with this report is to help
leadership and security teams build confidence
in their cyber security posture. To this end,
we have brought together a range of articles,
interviews and analyses, all structured around
a series of straightforward guiding questions.
They are designed to prompt our readers to
assess the level of simplicity, visibility and
familiarity they maintain in their cyber security
programmes.
These questions serve as a simple but powerful
framework for leadership and security teams
to assess their cyber confidence. Accompanied
by engaging analysis and practical insights,
we hope this report will encourage faster,
better decisions that help organisations
prepare to face tomorrow’s cyber security risk
environment.
1. Do you understand the threat picture?
Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align
with those risks?
4. Does your response plan reflect the most
likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in
the event of an incident?
HOW TO USE CYBER
THREAT INTELLIGENCE TO
MAKE GOOD DECISIONS
BY JAMES JACKSON, SENIOR ASSOCIATE
Ask someone what “cyber threat intelligence” is and they will probably point you in the direction of a shiny piece of software that costs a lot of money. Ask them what it does, and they’ll likely tell you that it searches the dark web, provides real time threat information, and helps prevent incidents before they happen. It all sounds really impressive – and in many ways it is – but ask that same person what they are trying to achieve with their threat intelligence programme, or even how they measure its success, and the crickets will start to chirp.

This would not be their fault. The landscape of cyber threat intelligence is confused right now, and it is exceedingly difficult to cut through the noise and work out how to add value to your cyber security initiatives. Part of the reason for this is that the industry seems to have prioritised selling flashy subscriptions over helping organisations identify and understand their intelligence objectives.

LESSONS FROM WORLD WAR II
It’s often useful to remember that when we think about modern cyber security, we really only have the last twenty years to look back on. And life functioned quite well long before computers were even an abstract concept. Because of this, more or less everything we do in cyber security has been borrowed from techniques and practices society has been developing for millennia.

When it comes specifically to discussions of cyber threat intelligence, consider the rapid developments achieved in signals intelligence during World War II. This was an environment of major technological change facilitated in large part by the use of radio, which accomplished far more than simply being used as a tool for communication. It led to the development of Radio Detection And Ranging (RADAR) and was even used as a navigational aid. Its use revolutionised warfare, and this can be observed most powerfully through the intelligence and counter-intelligence operations that spanned the war effort, all revolving around the use of radio.

For instance, with two directional antennas at known positions you can quite trivially locate the source of a broadcast by taking a bearing from each and finding where the two bearings intersect. So even if you couldn’t understand what someone was saying over the broadcast (due to their use of codes or ciphers), you could still identify where they were saying it from. That is incredibly useful if part of what you want to know is where armies are and how they’re moving around a territory.

POST-TERRITORIAL THREATS
One of the major differences, however, between the signals intelligence of WWII and the cyber threat intelligence of today is territory. When you’re interacting with tangible physical threats it’s generally easier to understand if an identified entity poses a risk or not. If they are shooting at you or crossing territorial lines, then they likely don’t have your best interests at heart. The rules of engagement are clear and well understood.

On the surface of it, we don’t have this luxury in the cyber world. It is borderless and abstract. However, just as we are able to analyse a seemingly random collection of radio waves and identify a threat based upon their source and location, we also routinely use technical information to attribute cyber threat actors to a country using IP addresses, the timing of their activities, and even the tactics, techniques, and procedures characteristic of a particular country or known group (each of which an adversary can deliberately manipulate, which is why attribution is expressed with a level of confidence rather than as fact). These indicators may not align strictly to modern geopolitical boundaries and territories, but the theory is identical and it relies on an understanding of territory; you need to understand what you’re protecting and where the attacks might be coming from before you can reap the value of any threat intelligence.
DROP THE BUZZWORDS
So, how can this idea help us in the here and now? Here is
the trick: forget about the fancy technology for a moment,
drop the buzzwords – don’t worry about the dark web or
artificial intelligence or blockchain – let’s start by calling
“cyber threat intelligence” what it really is: intelligence.
As a general subject area, the objective of intelligence is often to help answer the following questions:
1. How do I know if someone is doing something I do not like?
2. What is the most effective action I can take to minimise the impact of someone doing something I do not like?
3. What happened, why, and how?
Now, perhaps unlike traditional intelligence areas,
companies in the cyber world are swarmed with
data from telemetry systems, user behaviours,
technical analyses, vulnerability databases, and
technical news bulletins. They have too much
information, and, seeking to capitalise on this
data asset, cyber teams are typically requested
to “derive intelligence” from this bulk of raw
information.
It’s a big job, and there’s a significant risk that you
may not realise a return on your investment spent
doing it. We’ve witnessed first-hand, companies
undertaking bold initiatives to collect and analyse
vast datasets only to be encumbered by the
volume of manual work required to shape it into
something usable.
So, rather than trying to pre-emptively mine
your data for nuggets of truth you suspect exist,
try prospecting the territory first and work out
beforehand what decisions you would like to be
data-driven within your organisation.
INTEGRATING THREAT INTELLIGENCE INTO THE DECISION-MAKING PROCESS
Day to day, any manager or executive will be faced with a multitude of decisions. These decisions can typically be divided into the
following categories:
1. OPERATIONAL DECISIONS
These are made daily to ensure that
things work as expected and any faults
are quickly identified and remediated.
An example might be to block an
application that is demonstrating
suspicious behaviour similar to a
known malware type.
2. TACTICAL DECISIONS
These are made less frequently and
often have a medium impact, such
as a decision to protect your external
perimeter by prohibiting the use of
Remote Desktop Protocol (RDP) over
the internet (a common cause of
breaches).
3. STRATEGIC DECISIONS
These are made rarely and have long-
term impacts, such as a decision to
migrate all business services onto
Cloud infrastructure.
Each of these decisions has deep relevance to cyber security, and must be informed by asking and answering questions. The table below details some examples of the questions we should be asking before making a decision. How we answer these questions is the process of generating intelligence.

BLOCK A POTENTIALLY MALICIOUS APPLICATION
• What behaviours and characteristics does the application exhibit?
• Are these behaviours similar to any known malware types, and how do we know this?
• What would be the business impact of blocking the application if it turned out to be legitimate?
• What is the most effective way to block the application, and are there any technical limitations?
• What confidence do we have that we have detected all instances of this application across our environment?
• What is the likely profile of the threat actor operating the application?
• What is the likelihood that blocking the application could notify the threat actor and prompt additional or escalating attacks?
• How do we know that the presence of this application is not symptomatic of a vulnerability in our systems?
• How confident are we that we have identified the root cause of the issue, and do we need to initiate any compensating activities, such as threat hunting?

PROHIBIT THE ORGANISATION’S USE OF RDP
• What will the impact of this change be on our users?
• Do we possess acceptable alternative technologies to facilitate remote working?
• What are the risks of continuing to use RDP, and have we identified any imminent threats?
• How have our industry peers addressed the issue of external RDP use?

MIGRATE BUSINESS SERVICES INTO THE CLOUD
• Do we possess the expertise – either in-house or externally – to accomplish this task?
• Will there be key points throughout this migration where we may be especially vulnerable, and how will we mitigate these risks?
Answering each of these questions requires access to
sources of information. At the operational level, these
sources usually include systems such as:
•	 Event and audit data from your devices
•	 Network metadata
•	 Alerts from security products, such as your
anti-malware systems
•	 Telemetry data from your external perimeter
•	 Open source information
•	 Internal work products and expertise
The first challenge for any organisation is always to collect and capture meaningful information from these sources – think asset management (you cannot capture what you don’t know about!) and central log databases. Then, queries against those sources must be structured so that they align with the questions that will naturally be asked when making operational decisions. This can be done to great effect by simply workshopping the decisions you may be required to make and filling in the questions for each, as with the table above.
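As an added illustration (not code from the report, nor S-RM’s tooling), the script below works the “block a potentially malicious application” decision from the table above against the operational sources just listed: a small set of constructed endpoint events and an asset inventory. The event format, hostnames, the process name and the “known malware type” behaviour profile are all assumptions made for the example. It answers three of the questions directly: which behaviours the application exhibits, whether they resemble the profile, and how confident we can be that we have seen every instance, which depends on how many inventoried hosts sent telemetry at all.

```python
"""Added example, not code from the report or from S-RM: answering the
"block a potentially malicious application" questions from constructed
endpoint telemetry plus an asset inventory. Event format, hostnames and
the behaviour profile are assumptions made for the illustration."""

# Constructed asset inventory: every host that should be sending telemetry.
ASSET_INVENTORY = {"ws-001", "ws-002", "ws-003", "srv-db-01", "srv-file-01"}

# Constructed endpoint events, one per line: timestamp|host|event|process|detail
TELEMETRY = """2021-03-01T09:00:01Z|ws-001|process_start|updater.exe|parent=outlook.exe
2021-03-01T09:00:03Z|ws-001|net_connect|updater.exe|dst=203.0.113.7:443
2021-03-01T09:00:05Z|ws-001|file_write|updater.exe|path=C:/Users/alice/AppData/Roaming/x.dll
2021-03-01T09:00:09Z|ws-001|process_start|updater.exe|child=vssadmin.exe delete shadows /all
2021-03-01T09:01:00Z|ws-002|process_start|updater.exe|parent=explorer.exe
2021-03-01T09:01:02Z|ws-002|net_connect|updater.exe|dst=203.0.113.7:443
2021-03-01T09:05:00Z|srv-db-01|process_start|sqlservr.exe|parent=services.exe
2021-03-01T09:06:00Z|ws-003|process_start|chrome.exe|parent=explorer.exe
"""

# Assumed behaviour profile of a "known malware type" (illustrative, not a real
# signature): spawned by the mail client, beacons outbound, deletes shadow copies.
RANSOMWARE_PROFILE = {
    "spawned_by_mail_client": lambda ev: (ev["event"] == "process_start"
                                          and "parent=outlook.exe" in ev["detail"]),
    "outbound_beacon": lambda ev: ev["event"] == "net_connect",
    "shadow_copy_deletion": lambda ev: "vssadmin.exe delete shadows" in ev["detail"],
}


def parse_telemetry(text):
    """Parse the pipe-delimited event lines into dicts."""
    keys = ("ts", "host", "event", "process", "detail")
    return [dict(zip(keys, line.split("|", 4)))
            for line in text.splitlines() if line.strip()]


def assess_application(process_name, events, inventory, profile):
    """Answer the operational questions for one application: where it runs,
    which profile behaviours it shows on each host, and how much of the
    inventory we can actually see (hosts that sent no telemetry at all)."""
    reporting = {ev["host"] for ev in events}
    app_events = [ev for ev in events if ev["process"] == process_name]
    matched = {ev["host"]: set() for ev in app_events}
    for ev in app_events:
        for behaviour, predicate in profile.items():
            if predicate(ev):
                matched[ev["host"]].add(behaviour)
    return {
        "hosts_with_app": set(matched),
        "matched_behaviours": matched,
        # hosts where every profile behaviour was seen: the strongest match
        "full_profile_match": {h for h, b in matched.items() if b == set(profile)},
        # inventoried hosts with no telemetry: we cannot claim to have found
        # "all instances" on these (you cannot capture what you don't know about)
        "silent_hosts": set(inventory) - reporting,
        # telemetry from hosts missing from the inventory: the inventory is stale
        "unknown_hosts": reporting - set(inventory),
        "coverage": len(reporting & set(inventory)) / len(inventory),
    }


def summarise(result):
    """Render the assessment as the short brief a decision-maker would read."""
    lines = [f"application seen on: {sorted(result['hosts_with_app'])}"]
    for host, behaviours in sorted(result["matched_behaviours"].items()):
        lines.append(f"  {host}: {sorted(behaviours) or 'no profile behaviours'}")
    lines.append(f"full profile match on: {sorted(result['full_profile_match'])}")
    lines.append(f"telemetry coverage: {result['coverage']:.0%}; "
                 f"silent hosts: {sorted(result['silent_hosts'])}; "
                 f"unknown hosts: {sorted(result['unknown_hosts'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = assess_application("updater.exe", parse_telemetry(TELEMETRY),
                                ASSET_INVENTORY, RANSOMWARE_PROFILE)
    print(summarise(result))
```

Run as-is, the brief shows the application on two workstations, a full profile match on one of them, and 80% telemetry coverage with one silent file server. That last line is the honest answer to “have we detected all instances?”: no, not until the silent host reports in, and the same coverage figure is what a threat hunt would need to close.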
However, as we move further towards tactical and strategic decisions, our focus shifts towards assessing trends across various data sources, and then supplementing this with industry-specific knowledge – such as changes or developments in the regulatory, legal, and commercial environments. Filling this knowledge gap requires talking to people and understanding where your intelligence sits against that of your industry peers and competitors.
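The tactical decision in the table above, prohibiting RDP over the internet, is a good example of a trend assessed across two data sources: the perimeter telemetry that says which hosts expose RDP, and the authentication logs that say who is trying to get in through them. The following script is an added example, not code from the report or from S-RM, that joins a constructed perimeter scan export with a constructed extract of Windows Security events (Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP). Hostnames, addresses, the column layout and the brute-force threshold are assumptions.

```python
"""Added example, not code from the report or from S-RM: answering the
"prohibit RDP" questions (what is the risk of continuing, is there an
imminent threat?) by joining a perimeter scan with Windows logon events.
All rows are constructed; hostnames, addresses and the threshold are assumptions."""
import csv
from collections import Counter
from io import StringIO

# Constructed export from an external perimeter scan.
PERIMETER_SCAN = """external_ip,port,service,asset
198.51.100.10,3389,ms-wbt-server,jump-01
198.51.100.11,443,https,web-01
198.51.100.12,3389,ms-wbt-server,srv-legacy-02
198.51.100.13,22,ssh,bastion-01
"""

# Constructed extract of Windows Security log events. 4625 = failed logon,
# 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
AUTH_EVENTS = """time,asset,event_id,logon_type,source_ip,user
2021-03-01T02:00:01Z,jump-01,4625,10,203.0.113.50,administrator
2021-03-01T02:00:02Z,jump-01,4625,10,203.0.113.50,admin
2021-03-01T02:00:03Z,jump-01,4625,10,203.0.113.50,backup
2021-03-01T02:00:04Z,jump-01,4625,10,203.0.113.51,administrator
2021-03-01T02:30:00Z,jump-01,4624,10,203.0.113.50,svc_backup
2021-03-01T08:00:00Z,srv-legacy-02,4624,10,192.0.2.20,j.smith
2021-03-01T08:05:00Z,web-01,4625,3,203.0.113.77,www-data
"""

# Assumed: this many failures from one source address counts as a brute-force source.
BRUTE_FORCE_THRESHOLD = 3


def exposed_rdp(scan_csv):
    """Assets whose RDP port is reachable from the internet, per the scan."""
    return {row["asset"] for row in csv.DictReader(StringIO(scan_csv))
            if row["port"] == "3389"}


def rdp_attack_pressure(auth_csv, exposed):
    """Per exposed asset: failed RDP logons per source, brute-force sources,
    and whether a brute-force source later succeeded (the imminent-threat case)."""
    failures = {asset: Counter() for asset in exposed}
    successes = {asset: set() for asset in exposed}
    for row in csv.DictReader(StringIO(auth_csv)):
        if row["asset"] not in exposed or row["logon_type"] != "10":
            continue  # only RDP logons on internet-facing hosts matter here
        if row["event_id"] == "4625":
            failures[row["asset"]][row["source_ip"]] += 1
        elif row["event_id"] == "4624":
            successes[row["asset"]].add(row["source_ip"])
    report = {}
    for asset in exposed:
        brute = {ip for ip, n in failures[asset].items() if n >= BRUTE_FORCE_THRESHOLD}
        report[asset] = {
            "failed_logons": sum(failures[asset].values()),
            "brute_force_sources": brute,
            "success_after_brute_force": bool(brute & successes[asset]),
        }
    return report


def prioritise(report):
    """Order exposed hosts for action: suspected compromises first, then by
    failed-logon volume, so the 'imminent threat' answer comes out on top."""
    return sorted(report, key=lambda a: (not report[a]["success_after_brute_force"],
                                         -report[a]["failed_logons"], a))


if __name__ == "__main__":
    exposed = exposed_rdp(PERIMETER_SCAN)
    report = rdp_attack_pressure(AUTH_EVENTS, exposed)
    for asset in prioritise(report):
        print(asset, report[asset])
```

On the constructed data, jump-01 comes out first: one address failed three times and then logged on successfully, which is no longer a “risk of continuing to use RDP” but an incident to contain. srv-legacy-02 is exposed with no attack pressure yet, which is the case where the tactical decision (close the port, move to a VPN or gateway) still has time to be made calmly. The web server’s failed logon is ignored because it is neither an RDP logon nor on an exposed RDP host.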
This is one of the toughest challenges with intelligence,
and it is often the bit that many organisations fail to
get right – not least of all because everyone is scared
of sharing information that may be sensitive, or used
for malicious effect, or somehow fall afoul of legal or
regulatory constraints. These issues are best navigated
in the same way as with operational issues – map out
what decisions you would like to make, figure out what
information you need to reach those decisions, and
then detail a plan for how you will identify and collect
the information you require.
BACK TO BASICS
Initiatives such as this are not something you can
purchase as-a-service through an intelligence third
party. They require you to develop and maintain
relationships and think carefully about the value of
intelligence to your organisation. This is why, at the end
of the day, we encourage the organisations we work
with to get back to basics, think about what you want to
accomplish, and remember… we are all very much still at
war. The same intelligence principles remain, it’s just a
different kind of battlefield.
TIPS FOR HOW TO CREATE A CYBER THREAT INTELLIGENCE PROGRAMME:
1. Establish communication channels for your technical engineers to discuss issues with other companies.
2. Encourage participation and speaking at conferences or other group events.
3. Agree on an external information sharing scheme for specific elements of relevant data.
4. Communicate with your regulators and local computer security incident response teams (CSIRTs) to understand how they may be able to contribute.
Key Takeaways: Applying the insights from your intelligence feeds to your cyber security programme

Understand why you have an intelligence programme and what it is designed to do: are you trying to reduce the number of incidents, unlock value from an internal data asset, or contribute to your industry’s cyber ecosystem?

Intelligence should always inform decisions. Map out the decisions you will frequently be required to make; this will help you understand the data you will need access to and assess where you may address any perceived gaps.

Resist the urge to purchase technologies that claim to solve your intelligence requirements. Focus on identifying what issues you hope to solve and how any new platforms or technologies might slot into that vision.

Talk to people, whether that’s your regulators, your industry peers, your staff, or external experts. Not only will they offer a unique perspective about how they have overcome similar challenges, but they may also be a useful source of benchmarking data.

Build relationships with the people you talk to and agree on intelligence sharing protocols. Networks such as these will often be far superior to any intelligence you can derive from a technology solution, and will be more focused on the issues that you are actually trying to solve.
WHEN THE VIRTUAL
AND PHYSICAL
COLLIDE: THE NEED
FOR A JOINT APPROACH
TO CYBER AND
PHYSICAL SECURITY
BY MONA DAMIAN, SENIOR ANALYST AND HARRIET MARTIN,
ASSOCIATE DIRECTOR
In August 2020, news broke that a Tesla employee had been approached by criminals to deploy malware at the company’s
Nevada Gigafactory. The recruitment of an insider by criminals is a traditional threat and one which is being exploited by cyber
adversaries. The incident prompts security professionals to reexamine their threat models and emphasises the importance of
a common approach to managing cyber and physical security.
Best practice mandates that cyber and physical security go hand in hand. In order to secure operations and meet objectives,
an organisation requires effective structures and processes, strong governance and risk management, and a joined-up
approach to cyber and physical risk mitigation. In this article, we discuss the overlap between cyber and physical security,
and the importance of consolidated security management, governance and advocacy in protecting an organisation’s critical
systems, networks and data.
GAINING THE INSIDE TRACK
The FBI ultimately arrested a Russian national for attempting to ‘recruit an employee of a company to introduce malicious software into the company’s computer network’.[1] Egor Igorevich Kriuchkov and his associates offered the employee USD 1 million to install malware on Tesla’s network, intending to extract data and extort a ransom. While not stated in the court documents, the malware was most likely a form of ransomware designed to encrypt a victim’s IT systems, which is popular with cybercriminals practising extortion schemes today. The operation failed when the employee instead reported the approach.
High earnings from extortion have provided ransomware operators with the resources and confidence to develop and test
different techniques to target a company’s networks. However, instead of re-inventing the wheel, the group behind the
attempted attack on Tesla chose to exploit traditional physical access control vulnerabilities. Exploiting physical security
weaknesses is a tactic previously exercised by nation states. Up until now, cybercriminals have been less known for leveraging
physical vulnerabilities in an organisation’s defences. A notorious example of nation states exploiting physical access loopholes is the deployment of the Stuxnet malware – reportedly developed by Israel and the US – at Iran’s Natanz nuclear facility in 2007.[2] The malware was reportedly carried onto the Iranian computer system on a USB drive by an insider recruited by Dutch intelligence. The echoes of that attack are felt in the Tesla case, where a USB drive was one of the potential vectors designed to carry the suspected ransomware.
IT OFTEN COMES DOWN TO ACCESS
Two other recent incidents exemplify how the insider threat or employee access – whether physical or digital – can create
information security risks. E-commerce giant Shopify and grocery delivery service Instacart were both forced to investigate
security breaches after individuals with access permissions chose to access restricted customer data. In the case of Instacart,
the perpetrators were two employees of a contract company who accessed customer profiles without permission.[3] In the case of Shopify, law enforcement were alerted after two employees sought to obtain customer transaction details, access beyond their mandate.[4]
LEAST PRIVILEGE ACCESS: WHO SHOULD BE ALLOWED WHERE?
The principle of least privilege is a security concept which advocates limiting the privileges of any user,
account, programme or process to the minimum privileges required to perform their designated function.
The principle of least privilege has its clear counterpart in physical security. Here, best practice mandates
that employees should have access only to the sites and areas necessary for them to carry out their
designated duties.
In the cybersphere, this principle is equally important to safeguard an organisation’s systems and networks.
It is applied most commonly to administrative rights by limiting those to users with an explicit need for
admin privileges. The principle of least privilege aims to reduce the opportunity for threat actors to access
critical systems and data by compromising low-level user accounts or devices.
The cases above highlight how employee access controls – whether physical access or digital access to a network or privileged data systems – can be abused by malicious insiders for personal gain or leveraged by external threat actors. According to the 2019 Verizon Insider Threat Report, 57% of database breaches involved an insider threat within an organisation.[5]
The Tesla case
demonstrates how traditional physical security vulnerabilities can
be exploited by cyber threat actors using an insider as a proxy.
Additionally, social engineering exercises highlight how threat
actors might exploit digital defences to turn employees into
“access points” when targeting a company’s assets. In a recent Red
Teaming exercise for a client, S-RM used open source intelligence
to build bespoke phishing attacks and gain control over key
employee mailboxes. Our social engineering experts subsequently
used this information, along with careful physical reconnaissance,
to successfully gain access to several client offices. Once inside,
the team planted drop devices to maintain access to the client’s
internal networks. This facilitated further attacks, such as gaining
administrative control and exfiltrating sensitive corporate data.
BREAKING DOWN THE SILOES
Adversaries will continue to exploit known threat pathways – both
digital and physical – which serves as an important reminder
that cyber and physical security are two sides of the same coin,
too often treated in siloes. When physical and cyber security risk
management is split amongst security professionals and functions
within an organisation, the likelihood of inadequate oversight,
alignment and advocacy leading to critical security vulnerabilities
increases significantly. Collaborative practices between cyber and
physical security professionals play a critical role in securing any
organisation’s information systems and infrastructure.
[1] https://www.justice.gov/opa/pr/russian-national-arrested-conspiracy-introduce-malware-nevada-companys-computer-network
[2] https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html
[3] https://www.zdnet.com/article/instacart-discloses-security-incident-caused-by-two-contractors/
[4] https://www.zdnet.com/article/shopify-discloses-security-incident-caused-by-two-rogue-employees/
[5] https://enterprise.verizon.com/resources/reports/insider-threat-report/
Key Takeaways: Integrating physical and cyber security practices

Risk, governance and operational security are equally important. Formally constituted, well thought-out policy and plans are the backbone of good physical and cyber security. In addition, the interface between physical and cyber security must be formalised and cohesively and practically applied. This will ensure an organisation’s security controls are able to contain the consequences if a serious risk manifests, and that the organisation is less likely to be blindsided by any new threat or change in the threat landscape.

Penetration tests should encompass both physical and cyber testing. Cyber penetration tests check networks for information security lapses (such as exposed RDP ports) and physical penetration tests identify where physical access controls to a site or facility are inadequate. Penetration tests must be holistic, allowing an organisation to adjust practices based on both physical and information gaps, and on an informed consensus of risk.

Centralise knowledge gained from risk assessments. Cyber and physical security vulnerabilities should be accounted for in an overall risk assessment and risk register. Only with a thorough risk assessment in place can an organisation be informed about known and reasonably likely threats, identify an effective overall risk management strategy and build resilience.

Align incident response plans. Often cyber and physical security issues combine in complex ways, meaning any security incident and subsequent investigation will require close cooperation by cyber and physical security professionals. There is often a physical security investigation and a cyber incident containment and remediation to deal with, and here the traditional approach of creating incident response plans in siloes is inefficient and inappropriate. Recognising the overlap, and sharing planning and resourcing, is required for an effective investigation into any security incident.

Build a just culture. Personnel are a known residual weakness when protecting an organisation’s assets from attack. It is therefore paramount to build a good security culture at all levels of the business which invites active participation in the company’s defence. Developing a culture that encourages collaboration, not punishment, should be the desired end state for risk management professionals.
“WHEN YOU’RE UNDER ATTACK, DON’T
LOSE SIGHT OF THE BIG PICTURE.”
Q&A
ROSS MCKEAN
Ross has over 20 years’
experience advising on
data protection, privacy and
cybersecurity law and chairs
the UK Data Protection and
Cyber Response practice.
He advises clients across
a wide range of sectors,
notably those in the financial
services, defence and
technology sectors.
In this interview, Ross shares his insights on what factors influence the extent
of cyber confidence among CISOs and leadership teams, and provides
some guidance on how best to prioritise cyber security amid a multitude of
competing strategic imperatives and market forces.
S-RM: Do you think that organisations, in general, are
over- or under-confident when it comes to how well
their cyber security posture mitigates the legal risks
associated with a cyber-attack?
ROSS: Some organisations are probably suffering from overconfidence and
some have probably got it about right. It depends in part on whether the
organisation has actually suffered a cyber-attack or has institutional knowledge
of it – for example, through non-executive directors or directors who have joined
from other businesses which have gone through the mill of a cyber-attack. If
you have experienced a cyber-attack first hand, then you’re more likely to have
a deeper understanding of the risks and the types of controls that you need to
have in place to be able to make a realistic assessment of cyber risk.
Many organisations know that cyber is a challenge. It’s often reported as a top 10
or even top 5 board concern. But fewer organisations really understand the risk.
Beyond being worried about cyber and knowing what the business is spending
on IT controls and external third parties, many boards do not know whether they
have the “right” cyber security posture for their business or indeed how to assess
whether they do or not.
S-RM: And what do you think contributes to that feeling
of uncertainty?
ROSS: Two things. One is complexity. It really is quite difficult to make a valid
assessment of the likelihood that your organisation will be subject to a damaging
cyber-attack and also the type of cyber-attack, because they come in all shapes
and sizes. Some organisations get attacked all the time with phishing emails, etc.
That’s not necessarily going to be an existential threat to the business, whereas
a full-blown successful ransomware attack, extortion attack or data exfiltration
are much more serious.
Cyber Confidence and the
Legal Risks Associated with
a Cyber Security Incident
Featuring Ross McKean,
Partner, DLA Piper
It’s not easy to assess whether your organisation is likely to be at risk from cyber attacks. Many take the view
that if they do not process personal data or consumer data then they are unlikely to be an attractive target.
Regrettably that isn’t the case as demonstrated by the rise of ransomware attacks which have successfully
targeted all sorts of organisations.
In addition to the complexity of assessing the likelihood of your organisation being victim to an attack,
assessing what controls are “right” for your organisation to defend against attacks is also complicated. That
can lead to over-reliance on technology solutions and cyber insurance as they are easier to understand than
process, governance and training exercises – though these are equally, if not more important to successfully
defend against cyber attacks.
The second point I’d make is the prevalence of background noise. There’s been a lot of that in 2020, which
has been an exceptional and extraordinary year. Cyber risk is just another concern that organisations have
had to add to an already very long list of risks and challenges, which means that in some cases there just isn’t
necessarily the bandwidth for boards and organisations to explore in detail whether their cyber posture is
optimised or not.
S-RM: Through your experience, what have you observed to be some of the
most common oversights made by leadership and security teams when it
comes to the way they build and maintain their cyber security programmes?
ROSS: It’s a common challenge that, because of the complexity of cyber, shiny technology and cyber insurance
are often viewed as an attractive solution to a complex problem. We frequently see organisations that have
been investing a lot of money in technology, but haven’t necessarily invested as much time and effort in
stitching those technologies together, because it’s harder to do. Similarly, we also see organisations buy cyber
insurance without really understanding whether the cover is right for their organisation. Frequently it isn’t.
Another thing that is often overlooked is the importance of training cyber response teams and making sure
the organisation has got the right third parties in place (be they cyber forensics, communications consultants
or law firms), and ensuring that they have rehearsed cyber response. Some organisations do this very well,
particularly if they’ve been hit before, but others don’t. They have a cyber policy because they have to have
one, and they pay their CISO and tech team a larger amount every year to keep them safe, and they may have
appointed some external third parties to help in the event of a crisis: these are all important steps. But if you
don’t actually practise stitching all of those controls and protections together (for example, in red teaming
exercises, tabletop exercises and war games) then the first time you use the controls is also the first time you’re
getting to know the team, and all their strengths and weaknesses. That then becomes yet another headwind to dealing
successfully with a cyber-attack. It’s key to have a policy, it’s key to have all of these controls, but I would encourage
organisations to regularly practise.
And when you do practise, don’t do so just within silos. Many CISO teams do tabletop exercises quite regularly. It’s part
of the culture now, so I’d say there’s good maturity across many sectors for red teaming and war gaming within the CISO
team. What’s less common though, is testing your response more widely and getting your lawyers involved, or your
communications team and other internal and external stakeholders. Best practice is having a war game where you bring
all of those different stakeholders together at least once a year. In this way, you can test how everyone works together,
which means that when you have to respond to a real event, you’ve got trusted advisors around the table. You already
know them, you’ve already run through the practice, and so you’ve normalised the risk.
It’s never fun as the victim of a cyber attack, but it’s much less stressful if you’ve tested your team and controls before you
have to deal with a real cyber attack, versus trying to cobble together a team on the Sunday of a bank holiday weekend,
which seems to be when it always happens.
S-RM: How would you suggest that organisations balance the need to mitigate the
legal risks of a cyber-attack with the operational and financial risks of a breach? How
do they prioritise?
ROSS: It’s a great question, but a really difficult one to answer because organisations operate in very competitive markets.
Cyber controls are expensive, technology is expensive and cyber forensics firms are expensive. Lawyers aren’t cheap
either. In other words, cyber security costs money and you’re spending money on a contingency that may never happen.
So it’s not easy for CISO teams, technology teams, and chief risk officers to justify the right budget for cyber.
There isn’t an algorithm (yet) to answer the question: ‘How much should I be spending on cyber?’ But you can get some
data points that might help structure your thinking around this question.
For example, peer benchmarking, i.e. looking at information about what your peer firms – particularly competitors –
are spending on cyber can be helpful. It’s also very helpful to see what firms are spending after they’ve been attacked,
because it will likely be a lot more than what they were spending before they were attacked. And the answer as to what
you should be spending is probably between the two.
It’s difficult in these extraordinary times to get budget for what is a cost to the business. So you should look at the
space between what many firms are spending as a minimum, which is where they think they can justify the spend
(they’ve probably deferred some investments, they might have some old servers that are no longer in support, they may
not have endpoint security because it’s expensive, they may not quite have got around to implementing multi-factor
authentication), and the sums paid by those who have experienced the worst of a cyber incident.
Data on fine payments is also valuable, i.e. looking at what fines have been imposed on organisations historically. And
keep in mind the emerging class action threats. Ask yourself: ‘How much could we as an organisation suffer if we’re
subject to a successful cyber-attack, and then off the back of that, a class action threat.’ Doing so will help those within
CISO teams to justify a higher spend on proactive assurance.
There is no scientific answer, but hopefully this has given our readers some ideas of the data points they can use to inform
the answer to the question: ‘How much should I be spending on cybersecurity?’
S-RM: As businesses grow, be it organically or through M&A, how should they adapt
their cybersecurity posture accordingly? And how does their legal risk exposure
change with that growth?
ROSS: As businesses grow there tends to be a lag between what they should be spending on cyber (as their cyber
exposure grows) and what they do spend on cyber.
Growing internationally or even within an existing market, is complex and expensive. And at the moment, businesses are
in a very volatile, challenging market internationally. They face ongoing pressure to be first to market or to beat off the
competition to acquire assets or other businesses in short order. But getting cybersecurity right takes time and therefore
organisations often don’t get it absolutely right when they are forced to rush products and services to market or rush
through an acquisition to remain competitive.
I think that’s simply an economic reality, but it’s still something to be aware of, for CISOs, CROs and the C-suite more
generally. Particularly so if you’re moving into sectors that are data-rich, and/or which have historically been more prone
to cyber-attacks. The commercial priority will be getting into market and getting market share. Ensuring you have full
cyber security won’t be the number one concern. So there is a tension and I think that organisations just need to be alive
to that tension and ensure that this lag is not too great because it can come back to bite you. I won’t name names but
there have now been several sizeable regulatory fines imposed on both sides of the Atlantic on purchasers of businesses
which turn out to have been breached due to rushed or substandard cyber due diligence. These fines plus follow-on
claims for compensation and reputational damage can quickly turn a successful acquisition into a problem child.
For additional insights from Ross, tune into Episode 8 of
S-RM Insider, available wherever you get your podcasts.
SHOCKWAVES, RIPPLES AND DOMINOES: IDENTIFYING & ADDRESSING SYSTEMIC CYBER RISKS
BY LENOY BARKAI, ASSOCIATE DIRECTOR, AND ANDREW SHAUGHNESSY, ASSOCIATE
[Roadmap figure: the five questions]
1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
A SHOCK TO THE SYSTEM
When government officials in Wuhan confirmed in late 2019 that they were treating dozens of patients infected
by an unfamiliar virus, few predicted that the entire world would be facing the health and economic challenges
that we now confront. There is no greater, more striking example today of the manifestation of systemic risk than
the COVID-19 pandemic. A seemingly isolated incident, in a seemingly remote location, created a ripple effect
that devastated healthcare systems and crippled even the most resilient of economies. Some have described
it as a “black swan” event, but the fact is that the risk – the systemic risk – of a pandemic has been structurally
building for decades.
COVID-19 can help us unpack what kinds of structures are prone to systemic risks. The cybersphere is certainly
one of them. Here, we explore these parallels and discuss approaches to identifying and mitigating systemic
cyber risk within and across organisations.
WHAT ARE WE ACTUALLY TALKING ABOUT?
Traditionally found in the lexicon of financial sector analyses, “systemic risk” has been variously defined as the risk of ‘a breakdown of the entire system’[1], ‘the risk connected to the complete failure of a business, a sector, an industry’[2], and ‘the probability that cumulative losses will occur from an event that ignites a series of successive losses along a chain’[3], to cite but a few. According to the World Economic Forum, systemic cyber risk is ‘the risk that a cyber event… at an individual component of a critical infrastructure ecosystem will cause significant delay, denial, breakdown, disruption or loss, such that services are impacted not only in the originating component but consequences also cascade into related… ecosystem components.’[4]
Across many policy advisory groups and think tanks, “systemic risk” in cyber security has largely been used to
describe the potential for a cyber incident, or series of incidents, to create global shockwaves of a devastating
nature. However, it can also be a useful exercise to examine systemic risk through a much narrower lens –
focusing on what it could look like within a single business, or between clusters of interdependent organisations
or industries.
So, what does this look like in practice? If we consider that a “chain-reaction” is a defining property of systemic
risk, then a good place to start is looking at what links that chain is made of when we think of cyber risk.
Intra-organisational risk. In this scenario, an isolated cyber incident
impacting a system or network within one part of an organisation leads
to a total failure of an organisation’s critical infrastructure. Consider
the potential impact of just a single employee clicking on a malicious
link embedded in a phishing email. This may allow the threat actor to
deploy a remote access trojan, granting them a level of control over the
infected computer. From this initial access point, the hacker is able to
move laterally through the organisation’s network and ultimately execute
a ransomware attack that encrypts all company data and brings business
to a standstill.
Inter-organisational risk. Here, an organisation is critically impacted
by a cyber incident occurring at a third-party service provider or along
its supply chain. Consider the implications of the likes of Amazon Web Services (AWS) experiencing a general outage: the more than one million companies[5] who rely on AWS for their cloud-computing infrastructure could be impacted. A prolonged outage could see dependent AWS customers go out of business.
THE DEFINING FEATURES OF SYSTEMIC RISK
Sociologist Charles Perrow attributes organisational failure to two structural factors: complexity and tight coupling.[6] Here, complexity refers
to systems that are interconnected in ways not immediately obvious or
visible. Opaque systems make it harder to diagnose issues and to predict
the impact of an incident arising in one part of the system on the rest of it.
The linkages between the component parts are obscure. Tight coupling
refers to the close integration of different components of a system. The
tighter the integration across a system, the harder it is to prevent any
single incident from cascading through it.
COVID-19 presents both characteristics as it travels through a highly
interconnected and tightly integrated globalised system. Similarly,
consider the subprime mortgage meltdown that spurred the 2008
financial crisis. Mortgage-backed securities are financial products that
are made up by bundling together several home loans. The bundling and
re-bundling of subprime loans in the run-up to the financial crisis made
it increasingly difficult to see what these products were made of and
challenging to identify the risk of their imminent collapse. Furthermore,
the highly interconnected nature of the financial industry meant that
when Lehman Brothers fell as a result, the other banks were lined up like dominoes.[7]
1,000,000+ companies rely on AWS for their cloud computing infrastructure.
The cybersphere is similarly prone to these two structural features. An organisation’s internal and third-party
cyber-dependencies can be highly opaque, and the threat landscape noisy and confusing. And we live in a
world that has never been more tightly coupled in terms of our connectivity (both logically and geographically).
This coupling has only increased since the onset of COVID-19 and continues to accelerate at a breakneck pace.
It is therefore imperative that the systemic risks baked into an organisation’s internal structures and supply
chain be clearly identified, the connections mapped out, the interdependencies accounted for. But how?
BACK TO BASICS: A RISK-BASED APPROACH TO CYBER SECURITY
Enough talk of global meltdowns and organisational failure. Systemic risks abound in the cybersphere, but
they can be managed.
The first step is to identify them. Doing so within the confines of your own organisation is one thing, but
assessing systemic risk across a long supply chain is a more daunting task. Keeping in mind that systemic risk
is the risk of a total meltdown, a good place to start is identifying your own organisation’s key points of critical
failure. We can think of critical failure across two categories:
Critical activities. Forget cyber security for a minute. What does your business need to do on an ongoing basis to continue to survive and thrive? Now, work your way backwards to map out all the various dependencies that emanate from these basic, critical activities. Who does your business rely on (internally/externally) to do them? If they were subject to a cyber-attack, can you trace the chain of events all the way back to your business-critical functions?
Critical exposure. Which people, third parties, partners or clients (even if not business-critical functionally) have sufficient access to your networks and/or data to present a systemic vulnerability? For example, if they were hacked, could the threat actors gain access to your networks and/or data?
Completing this exercise will allow you to trace, identify and then rank your internal and external dependencies.
In other words, it will reduce unnecessary complexity from the equation and clarify your areas of vulnerability.
Already, you’re addressing the first of the two structural factors that contribute to systemic risk.
Now, build some resilience into these structures to reduce how tightly coupled these critical dependencies are.
Foundational cyber risk mitigation techniques can be applied here. Generally speaking, cyber risk treatment
covers three broad categories:
Reduction: This includes implementing cyber security controls to alter, reduce or eliminate a risk. For example, implementing endpoint protection or classifying your data. While these controls may result in a reduction of operational efficiency in the short-run, they will lead to greater resilience in the longer term.
Transference: Also known as risk assignment, this takes the form of having another entity assume the risk and is usually achieved through insurance.
Acceptance: Here, the negative impact of the risk is accepted by the organisation. This is a common response to minor risks or ones where the cost of implementing the mitigation outweighs the potential impact.
Returning to the example above, our team recently worked closely with a software company that had moved
the bulk of its operations to various cloud platforms. Their product was hosted on AWS and their office network
existed solely for the purpose of accessing the internet. Our cyber risk assessment indicated that a sustained AWS
outage presented a systemic risk to the organisation through the following:
1. First, the availability of their product would be disrupted.
2. Second, we discovered that many of their critical third parties also relied on AWS.
In developing a mitigation roadmap for the organisation, we segmented our risk management approach into the
three categories of reduction, transference, and acceptance described above. We therefore made the following
recommendations:
We suggested that they reduce this risk by implementing redundancy between the company’s AWS zones
and testing their business continuity and disaster recovery plans. This mitigated the impact of a partial AWS
failure; in other words, it created some space between a partial AWS failure and total business failure.
We recommended transferring some of the risk through the purchase of an insurance policy to lessen the
financial impact of an incident in terms of lost revenue. Again, insurance here serves to partially decouple a
cyber incident from an organisation’s critical need to fund its activities.
Finally, the organisation accepted a certain level of systemic risk. To implement additional controls to further
reduce the risk of a total AWS failure would require maintaining so much redundant infrastructure that their
product would not be commercially viable.
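The two exercises above, tracing each critical activity back through its dependencies and then asking which single failure cascades furthest, can be worked through in a small script. The following Python is an added example and is not S-RM’s own tooling or the software company’s actual architecture: the dependency graph, every component name (including the AWS region label) and the set of critical activities are constructed for the illustration. It goes slightly beyond the case in the text by also reporting dependencies that several critical activities share, which is exactly how “many of their critical third parties also relied on AWS” surfaces from the data.

```python
from collections import deque

# Constructed dependency graph for a hypothetical company (not from the report).
# Each key depends on the components in its set. Internal systems, third
# parties and cloud providers are all nodes, so a chain can be followed across
# the supply chain rather than stopping at the organisation's boundary.
DEPENDS_ON = {
    "order-intake": {"web-app", "payment-gateway"},
    "fulfilment": {"erp", "3pl-logistics"},
    "payroll": {"hr-saas"},
    "web-app": {"aws-eu-west-1"},
    "erp": {"aws-eu-west-1", "identity-provider"},
    "payment-gateway": {"aws-eu-west-1"},  # third party that itself runs on AWS
    "3pl-logistics": {"aws-eu-west-1"},    # so does the logistics partner
    "hr-saas": set(),
    "identity-provider": set(),
    "aws-eu-west-1": set(),
}

# The activities the business must keep performing to survive ("critical activities").
CRITICAL_ACTIVITIES = {"order-intake", "fulfilment", "payroll"}


def _reach(start, neighbours):
    """Breadth-first closure over neighbours(node), excluding the start node."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in neighbours(node):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def dependents_of(depends_on):
    """Invert the graph: component -> set of components that depend on it."""
    rev = {node: set() for node in depends_on}
    for node, deps in depends_on.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(node)
    return rev


def upstream(activity, depends_on=DEPENDS_ON):
    """Everything an activity transitively relies on (the 'work backwards' step)."""
    return _reach(activity, lambda n: depends_on.get(n, ()))


def impacted_by(failed, depends_on=DEPENDS_ON):
    """Everything that stops working, transitively, if `failed` goes down."""
    rev = dependents_of(depends_on)
    return _reach(failed, lambda n: rev.get(n, ()))


def critical_impact(failed, depends_on=DEPENDS_ON, critical=CRITICAL_ACTIVITIES):
    """Critical activities an outage of `failed` would cascade to."""
    return impacted_by(failed, depends_on) & critical


def rank_single_points_of_failure(depends_on=DEPENDS_ON, critical=CRITICAL_ACTIVITIES):
    """Rank each supporting component by how many critical activities it can take down.
    Returns (component, sorted list of impacted critical activities), worst first."""
    rows = []
    for component in set(depends_on) - critical:
        hit = sorted(critical_impact(component, depends_on, critical))
        if hit:
            rows.append((component, hit))
    return sorted(rows, key=lambda row: (-len(row[1]), row[0]))


def shared_dependencies(depends_on=DEPENDS_ON, critical=CRITICAL_ACTIVITIES):
    """Dependencies reached from more than one critical activity: the hidden
    coupling that turns a single provider outage into a business-wide one."""
    counts = {}
    for activity in critical:
        for dep in upstream(activity, depends_on):
            counts[dep] = counts.get(dep, 0) + 1
    return {dep for dep, n in counts.items() if n > 1}


if __name__ == "__main__":
    for component, hit in rank_single_points_of_failure():
        print(f"{component:18s} -> {', '.join(hit)}")
    print("shared by several critical activities:", sorted(shared_dependencies()))
```

In this constructed register the cloud region sits at the top of the ranking because both product-facing activities reach it, once directly through the web tier and once through third parties, which is the kind of opaque coupling the risk assessment is meant to expose before it is tested by an outage. Replacing the sample graph with an organisation’s real asset and supplier inventory is the only change needed to reuse it.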
Indeed, not all systemic risks can be mitigated. But by reducing complexity, introducing clarity, mapping out dependencies and building slack into the system, they can be reduced. And with the right controls and preparation in place, should they manifest, they can be managed.
1. ‘Systemic Risk & Management in Finance’, CFA Institute. Available at: https://www.cfainstitute.org/en/advocacy/issues/systemic-risk
2. ‘Systemic Risk vs. Systematic Risk: What’s the Difference?’, Investopedia. Available at: https://www.investopedia.com/ask/answers/09/systemic-systematic-risk.asp
3. Kaufman, G., ‘Bank failures, systemic risk, and bank regulation’, The Cato Journal, February 1996.
4. ‘Understanding Systemic Cyber Risk’, World Economic Forum, October 2016.
5. ‘Who’s Using Amazon Web Services? [2020 Update]’, Contino, 28 January 2020. Available at: https://www.contino.io/insights/whos-using-aws
6. Perrow, C., Normal Accidents: Living with High-Risk Technologies, 1984.
7. ‘Warren Buffett: In the 10 years since financial panic, we’ve learned we’re ‘all dominoes’ spaced closely together’, CNBC, 10 September 2018. Available at: https://www.cnbc.com/2018/09/10/warren-buffett-2008-financial-crisis-showed-we-are-all-dominoes.html
Ranking your third parties for cyber risk
How much access does the third party have to your network?
Answer 2 key questions:
1. How much access will the third party inherently have? Many Managed Service Providers (MSPs) inherently require network access to carry out their function.
2. How much access does a third party need to fulfil their function? Third parties may sometimes request excessive access simply for the purpose of expediency.
What data types will be accessible to the third party?
Different data types have different operational, reputational and legal implications associated with their theft or exposure. Make sure to consider:
1. The value of the accessible data to your business. Examples of highly valuable data include Intellectual Property (IP) as well as data essential to business continuity.
2. The regulatory value of that data. Standards such as the California Consumer Privacy Act (CCPA) or General Data Protection Regulation (GDPR) levy hefty fines against organisations that do not manage and protect covered data.
3. The reputational value of that data. Exposing your customers’ PII and/or sensitive financial or healthcare information can result in a devastating loss of trust, tarnishing your brand for an extended period.
How business-critical is the third party?
It is important to ask how the loss of a given third party would impact your business, and ensure that business-critical third parties present robust cyber security postures, because:
1. A cyber-attack against a business-critical third party can lead to significant operational disruption for your organisation.
2. Replacing business-critical third parties (should they fail your cyber due diligence) is likely to be more onerous than replacing the more “nice-to-have” service providers.
Key Takeaways: In combination, these three elements (access, data-types and business-criticality) can be weighted in line with your business’s priorities and used to group third parties into buckets comprising high, medium, and low priority for cyber due diligence.
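The weighting and bucketing described in the takeaway box, worked through as an added Python example that is not S-RM’s own scoring method or tooling. The 0–3 rating scale, the weights, the bucket thresholds and the five sample third parties are all constructed assumptions for the illustration. One design choice worth noting: the score uses the access a third party has actually been granted rather than what its function needs, because exposure follows what it can reach; the gap between the two is reported separately, since the box flags access requested “for expediency” as something to challenge rather than to price in.

```python
from dataclasses import dataclass

SCALE_MAX = 3  # every dimension is rated 0 (none) to 3 (extensive)


@dataclass(frozen=True)
class ThirdParty:
    name: str
    access_needed: int        # access the function genuinely requires
    access_granted: int       # access actually provisioned (may exceed needed)
    data_business_value: int  # IP, data essential to business continuity
    data_regulatory: int      # CCPA/GDPR-covered personal data
    data_reputational: int    # customer PII, financial or health data
    business_critical: int    # operational impact if this third party is lost


# Weights express the business's priorities; these values are constructed for
# the example (here business-criticality is weighted highest).
WEIGHTS = {"access": 1.0, "data": 1.0, "criticality": 1.5}

# Bucket thresholds on the normalised 0..1 score (illustrative assumption).
HIGH, MEDIUM = 0.66, 0.33


def data_sensitivity(tp):
    """The most sensitive data type reachable dominates the data element."""
    return max(tp.data_business_value, tp.data_regulatory, tp.data_reputational)


def excess_access(tp):
    """Access beyond what the function needs: a least-privilege finding."""
    return max(0, tp.access_granted - tp.access_needed)


def risk_score(tp, weights=WEIGHTS):
    """Weighted score normalised to 0..1. Granted (not needed) access is scored,
    because exposure follows what the third party can actually reach."""
    raw = (weights["access"] * tp.access_granted
           + weights["data"] * data_sensitivity(tp)
           + weights["criticality"] * tp.business_critical)
    return raw / (SCALE_MAX * sum(weights.values()))


def bucket(score):
    """Map a normalised score to a due-diligence priority bucket."""
    if score >= HIGH:
        return "high"
    if score >= MEDIUM:
        return "medium"
    return "low"


def rank_third_parties(third_parties, weights=WEIGHTS):
    """Score, bucket and order third parties for due-diligence priority."""
    rows = []
    for tp in third_parties:
        score = risk_score(tp, weights)
        rows.append({
            "name": tp.name,
            "score": round(score, 3),
            "bucket": bucket(score),
            "excess_access": excess_access(tp),
        })
    return sorted(rows, key=lambda row: (-row["score"], row["name"]))


def least_privilege_findings(third_parties):
    """Third parties provisioned with more access than their function needs."""
    return sorted(tp.name for tp in third_parties if excess_access(tp) > 0)


# Constructed sample register (hypothetical vendors, not from the report).
SAMPLE = [
    ThirdParty("msp-helpdesk", 3, 3, 2, 3, 3, 3),      # MSP with inherent broad access
    ThirdParty("cloud-erp-vendor", 2, 2, 3, 2, 1, 3),  # holds IP and continuity data
    ThirdParty("payroll-provider", 1, 2, 1, 3, 3, 2),  # more access than its function needs
    ThirdParty("marketing-agency", 1, 2, 0, 2, 2, 1),  # requested extra access "for expediency"
    ThirdParty("office-catering", 0, 0, 0, 0, 0, 0),   # no network or data access
]

if __name__ == "__main__":
    for row in rank_third_parties(SAMPLE):
        print(f"{row['name']:18s} {row['score']:.3f} {row['bucket']:6s} excess access: {row['excess_access']}")
    print("least-privilege findings:", least_privilege_findings(SAMPLE))
```

Changing WEIGHTS is how the business’s priorities enter the ranking: a heavily regulated organisation would raise the data weight, and the order of the middle of the list shifts accordingly while the MSP with broad inherent access stays at the top.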
“WHEN IT HITS THE FAN, YOU NEED A PLAN”: GETTING INCIDENT RESPONSE PREPARATION RIGHT
BY DANIEL CAPLIN, ASSOCIATE DIRECTOR
[Roadmap figure: the five questions]
1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
Those of you up to date with the cyber security industry’s spiel will have heard the increasingly popular maxim ‘it’s not a matter of if you will experience a cyber-attack, but when’. As much as this may seem like scaremongering, there’s a grain of truth to it. Most cyber defence experts when pushed are forced to admit that, at least for the moment, the bad guys are winning the arms race in cyber. The reasons for this are varied, including increasing information and tool sharing between cybercriminals, increasing complexity of organisations’ IT environments making it more challenging for security teams, and a skills shortage in the cyber security job market, amongst others. The long and short of it is that you need to be prepared for the worst, and that means having confidence in your planning, capabilities and the team that you will – at some point – have to rely on to help you deal with an attack when it happens.
TOO MUCH ADVICE, TOO LITTLE FOCUS
The million-dollar question is how should you prepare? Received wisdom from regulators, cyber security firms and governments alike is that a central pillar of any preparations should be to create and rehearse an incident response plan. Experts will go on to claim that a well-established incident plan will reduce the impact – and ultimately the costs – of attacks when they happen.
However, a confusing array of different plan templates, guidance and advice await those looking to understand what a good incident plan should contain. The variety comes because there is no one-size-fits-all approach. Unfortunately, this means that when incidents happen, even those with plans may not use them. Over hundreds of incidents, S-RM’s incident response team rarely sees victims using their plans (if they have one). Now don’t get us wrong, this isn’t because plans aren’t useful! It’s because most organisations do at least one of the following three things with their plans:
Overcomplicate: Diligent plan owners often fall into the trap of trying to provide detailed guidance for every scenario. This almost always goes out the window in the “fog of war”, except for the most mature, well-resourced and well-rehearsed response teams.
Tick the boxes: Another common pitfall is to create a plan which follows a “best practice” checklist, but fails to be actually relevant to the organisation and the practicalities of real incidents. This may help you pass an audit, satisfy a regulator or put a nice stamp on those pesky third party due diligence questionnaires – but it won’t help you respond to an incident when it happens.
File and forget: Many organisations write their plan and then let it gather virtual dust for 18 months until an incident hits. Organisations grow and change without these plans being updated. Also, no one can remember where they are kept.
INCIDENT RESPONSE PLANNING AS A PROCESS
By this point, you may be asking yourself, ‘so what should I be doing?’ Well, we think there are some general rules to building your plan and capabilities:
1. Start with a plan that contains the basics. If you do nothing else, agree and write down these four things:
• Who is responsible for what in a response.
• Who can take key decisions.
• How to contact response leaders.
• Who you should call for specialist support if you need it.
2. Discuss the plan with your executive management, not once, but regularly.
A large part of the value in making a response plan is in the discussions it prompts at the highest level of the business around how an incident could impact the organisation. Ultimately, this will lead to increased cyber awareness, a better understanding of cyber risks and what investment in security is needed by business leaders. The value of this can’t be overstated if you want to be confident in your capabilities to deal with a serious cyber-attack. It’s also something you need to maintain over time, so make sure your plan is reviewed at least annually.
3. Test your plan with a simulated incident.
Walking through a major incident scenario and stress testing how it holds up is one of the best ways to help you identify where you need more (or less) written guidance in your plans, and where there might be gaps in your team’s technical capabilities or resources.
PLAYBOOKS FOR THE INEVITABLE
Once you have the basics down, the next step is to plan for specific incident scenarios aligned to your risks
and then rehearse those regularly. This process is a bit more complicated, but those who achieve this are
often able to dramatically reduce the number of serious incidents they experience, as well as halve the costs
of the response when they do happen.
For example, if you’re a law firm and you know that you are likely to be targeted by a nation-state backed
group as a result of your work on a contentious international lawsuit with a foreign government, having
playbooks for dealing with the inevitable espionage attempts, whether using malware, co-opted insiders or
listening devices, can be crucial to minimising your exposure.
Equally, if you are most worried about ransomware temporarily paralysing your business (realistically a threat
to most corporates these days), then having a well-rehearsed playbook for that scenario can ultimately save
you from thousands or millions in losses, or in the worst case scenario: bankruptcy.
Developing those playbooks is also the perfect time to interrogate and understand whether your current technical capabilities are up to the task and will detect and contain as many attacks as possible in their early stages. This last exercise is both broad – as it involves understanding your overall security programme in detail – and narrowly specific, when it comes to defining exactly what you need to stop a ransomware threat from a technical perspective (for example, ensuring you have a well-managed heuristic endpoint detection technology, robust control of privileged accounts, secure remote access, etc).
CONCLUDING THOUGHTS
Clearly, there is a lot to do here if you want to be confident in your ability to “get off the mat” when an
incident happens, but the key takeaway is that incident response planning is a process. As with any capability,
planning should begin with the basics and receive the right investment to evolve over time. That means it
must involve executive management. Finally, above all, practise, practise, practise. As all emergency workers
know, the best laid plans go out the window in the “fog of war”, unless they are second nature.
“THE BEST LAID PLANS GO OUT THE WINDOW IN THE
FOG OF WAR, UNLESS THEY ARE SECOND NATURE.”
Key Takeaways: The basics of an incident response plan
Define the responsibilities of key response leaders. Incident response is rarely simple and typically benefits from a pre-agreed central coordinator, as well as an idea of who should lead common workstreams (such as system restoration activities, forensics, communications, legal, etc).
Decide who can take key decisions. Building on the last point, a serious cyber-attack may trigger the need to take decisions which could have an immediate and long-lasting impact on the business if handled incorrectly, such as when to notify law enforcement or regulators, take customer-facing systems offline, or activate insurance. Knowing who can take those decisions in advance will remove delays and avoid miscommunications that can derail your response.
How to contact response leaders. Hours spent trying to contact response leaders can be critical lost time in an incident. It could make the difference between catching a ransomware group during their planning phase and after they have encrypted all your data. Having a central contact list, an outline of backup methods of communication if, for example, corporate email is down, and an idea of a Plan B if critical people are uncontactable is essential.
Know who to call for support. Most internal teams (hopefully) don’t have a lot of experience with large-scale cyber incidents. This means that when a serious incident happens, you will need help from people who deal with them every day, such as specialist data recovery, forensics, legal and public relations firms. Knowing who you would call and having the right paperwork in place in advance to eliminate delays can significantly reduce the impact of an attack. Often this might be in place via your cyber insurance.
IN RECOVERY: THE FIRST 24 HOURS OF A RANSOMWARE ATTACK, AND BEYOND
BY JOSEPH TARRAF, ASSOCIATE DIRECTOR
1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
WHEN YOU’RE UNDER ATTACK, DON’T LOSE SIGHT OF THE BIG PICTURE
Cyber incidents, especially those which have a substantial operational impact on an organisation – such as a ransomware attack – can be extremely stressful and chaotic events. Of course, preparation is key; the more comprehensive, actionable, and practised your incident response plans are, the better equipped you will be to navigate a ransomware incident and its minefields. However, even the best prepared teams can develop tunnel vision during a response. For example, conducting a forensic investigation into the incident is often deprioritised when response teams maintain a singular focus on restoring operational services. This works to the detriment of the organisation and the overall response.
Indeed, it is a common misconception that the investigation is only helpful in providing a retrospective
accounting of events after-the-fact. The reality is, though, that the investigation is a critical enabler for
the response and should be undertaken in parallel to the restoration of services.
When a ransomware event is first discovered, the situation is often extremely fluid, with an overwhelming
number of unknowns. The overall impact of the incident is unclear and, adding to the chaos, there is a
high level of uncertainty over whether the environment is being actively compromised. The first 12 - 24
hours of a response are critical. They dictate the tempo of the overall response and largely influence its
eventual outcome.
THE FIRST 24 HOURS
UNPLUG
The first order of business during a ransomware incident is to stem the bleeding. This often involves
disconnecting all assets, including critical ones, from the network. Doing so within this timeframe is
paramount for two reasons:
1.	 It helps prevent unimpacted assets from being infected.
2.	 It provides response teams with the opportunity to perform a thorough impact assessment on the
environment without having to worry about a continued compromise.
But these actions in themselves raise legitimate cause for concern. By doing the above, you are in
effect causing a business interruption. Yet there is a logic at play here. The interruption you are causing
to perform the assessment is a calculated risk. When done effectively, it will avert the even longer
interruption to the business caused by clean assets being impacted due to lack of action. Naturally there
are always exceptions, and in some cases, it may simply not be feasible to cause any interruption of
business, especially if doing so poses a potential risk to life and safety. At the end of the day, the decision
to “unplug” or not has to be taken with all the associated risk factors in mind. The better prepared you
are ahead of an incident, the better equipped you will be to make these difficult decisions in a time-
sensitive environment.
AN ORGANISATION’S RESILIENCY AGAINST LARGE-SCALE
RANSOMWARE EVENTS IS DEPENDENT ON FOUR CORE ELEMENTS:
1.	 A thorough understanding of critical business operations and the technical infrastructure
supporting these operations.
2.	 Appropriately concise, clear, and actionable incident response plans and playbooks.
3.	 Competent and well-staffed incident response, IT, forensic, and legal teams. The latter
two are often external teams, brought in due to their specialised expertise.
4.	 The availability of robust, complete, and restorable backups for critical systems and data,
retained offline.
ASSEMBLE
A well-prepared organisation will enact its incident response plans within the first 24 hours following the
detection of an incident. As part of these plans, the incident response team should be assembled, with a
clear mandate and well-defined roles and responsibilities. Stakeholders for a ransomware incident expand
well beyond the technical; senior leadership participation is crucial to make critical decisions quickly, input
from across business units is important to establish the restoration plan, and legal representation is key to
ensure that legal and regulatory obligations are met.
ASSESS
Once convened, the incident response team’s priority is to conduct a thorough assessment to gain a clear
picture of which assets are impacted. Backups should crucially form part of this assessment. It is very
common for ransomware operators to target backups for encryption or deletion as part of their attack.
Doing so effectively cripples restoration activities, increasing the threat actor’s leverage when negotiating
for a ransom payment with their victims. Evaluating the availability and integrity of recent backups for
impacted assets is therefore a key priority during the initial response.
AFTER 24 HOURS
At this stage, the impact assessment has been completed and the state of backups confirmed. Now the
incident response team should establish a clear order of priority for the restoration of services. In essence,
this translates into a checklist of activities that need to be completed to bring targeted systems back online
and connected to a clean network.
An IT team’s competency and capacity play a crucial part in this process. During restoration, systems and
services do not recover seamlessly, with Murphy’s Law ever present in these cases! The better equipped the
IT team is to troubleshoot and resolve the inevitable issues that arise during the restoration process, the
shorter the restoration timelines are and the lower the potential business interruption.
RESTORATION OPTIONS
The best-case outcome in a bad ransomware scenario sees a victim organisation have unimpacted backups
with minimal data loss that are readily available, and crucially, easily restorable. If this is not possible, there
are two less ideal alternatives:
1.	 Rebuild systems from scratch, with substantial or total data loss.
OR
2.	 Negotiate and pay a ransom amount for a decryptor tool to salvage data.
Losing substantial amounts of data can be operationally crippling and, in practice, is rarely a realistic option: in certain cases, operations simply cannot be restored without the availability of historic data. Rebuilding systems from scratch is a time-consuming and labour-intensive process, often taking weeks to complete, with substantial costs and potential financial impacts.
Negotiating and paying ransoms and receiving decryptor tools is also a lengthy process. It is not uncommon
for it to take a week or more before an organisation gets a decryptor tool in-hand. There are additional
considerations to keep in mind when entertaining this option. For example, paying a ransom can have
reputational, regulatory, and legal ramifications, and even with access to a decryptor, there is no guarantee
that all data can be salvaged. Additionally, decryptor tools only unlock data; they do not sanitise assets.
Systems will still need to be rebuilt to ensure a safe restoration, and decrypting large amounts of data can
take several days. All these factors extend the timelines of a response even further.
In practice, organisations often adopt a restoration approach that combines the above scenarios out of
pure necessity. Often, backups are only available for a subset of critical systems and data. In such cases,
organisations may elect to restore backups where they can, negotiate and obtain a decryptor tool to restore
other critical services, and rebuild tertiary systems from scratch. No matter which option or combination of
options is taken, restoring services is not an instantaneous process. In most cases, it may take an organisation
several days to restore critical services, and perhaps weeks to restore full operations.
FORENSIC INVESTIGATION
It is imperative that response teams incorporate forensic acquisition activities into the restoration process.
Getting this right is a balancing act, and often requires a high level of coordination and communication
between IT and forensic teams. As the IT teams move to restore systems, they should be working in tandem
with the forensic teams to ensure that the required forensic artefacts are collected prior to restoration.
These artefacts could include live forensic collections, which tend to be relatively quick endeavours, or full
disk images, which could take several hours to complete for a single system. However, the forensic aspect
of a response cannot be overstated. Performing a forensic investigation should be an organic part of the
response, and provides an organisation with the opportunity to surface the root cause of the incident,
Indicators of Compromise (IOCs) used by the threat actors, and whether the threat actor accessed or
exfiltrated sensitive data.
Establishing the root cause of an incident is important. Doing so allows for appropriate measures to be
taken as part of the response to ensure any open vectors of attack are addressed. Blocking threat actor
IOCs and monitoring for their presence in the rebuilt environment is also key to preventing a reinfection
of the environment. Finally, understanding threat actor activities within the environment, particularly
whether they accessed or exfiltrated sensitive data, is critical. This dictates whether organisations have any
notification obligations to the public, regulators, or law enforcement. Failure to notify when a requirement
is present can be very costly, reputationally and financially. External law firms specialising in data breaches
are exceptionally well-equipped to provide the appropriate legal advice in such cases, and an organisation
would be well-advised to seek their engagement early on in the process.
IN OUR EXPERIENCE…
Ransomware events are by nature an extreme stress-test of an organisation’s people, operational resilience,
and response capabilities. Restoring services from this shock to the system is neither an easy nor quick task.
Even in the best of cases, some level of business interruption is to be expected. An organisation’s level of
preparedness and the initial first hours of the response are key factors that determine the duration of that
business interruption.
Our response teams have witnessed both sides of the spectrum: we’ve seen unprepared organisations face
business interruptions to critical services for weeks. But we’ve also seen those with robust incident response
plans and a backup strategy for critical systems mitigate the damage and get back up and running quickly.
Finally, having the right external partners can be a force multiplier for an organisation’s resilience. Experienced
breach coaches and digital forensic and incident response firms are faced with these situations on a day-to-
day basis. Leveraging their expertise can help an organisation stem the bleeding, restore services quicker,
and limit their legal risks substantially. Ultimately, a ransomware incident is never a good day, but with the
right elements in place, you can minimise the impact on your organisation and get through to the other
side of it.
Ransomware Recovery Timeline
Key Takeaways:
0-24 hours
Contain: Take immediate steps to contain further spread. This may entail disconnecting the majority of assets from the network.
Assemble: Activate your response plan and assemble your team.
Assess: Conduct an impact assessment, including backups.
24 hours +
Review your restoration options: Most likely a combination of
•	 Recovery from backups
•	 Rebuild from scratch
•	 Pay ransom and decrypt
Work with counsel: Ensure notification requirements are met.
Investigate: Embed your forensic investigation into the recovery process.
•	 Establish root causes
•	 Block and monitor IOCs
•	 Identify threat actor activities and signs of exfiltration
Recover: Enact your recovery plan.
Q&A
In Conversation: What Drives Over- and Under-Confidence in Cyber Security?
Featuring Libby Benet, Global Chief Underwriting Officer, Financial Lines, AXA XL
LIBBY BENET
Libby’s experience in the insurance and reinsurance sector spans over 30 years. She joined AXA XL in February 2020 after serving as President and CEO of Cyber Secure Work Inc, and holding several senior positions across the likes of Beazley, General Reinsurance, and Zurich Financial Services, among others. She is a member of the Minnesota Lawyers Mutual Board of Directors through the International Association of Privacy Professionals. She is a certified information privacy professional, and certified as a privacy information manager.
BILLY GOUVEIA
Billy joined S-RM in 2019 as Senior Managing Director. He also forms part of S-RM’s Executive Committee. Prior to S-RM, his career spanned the tech startup scene, management consulting positions at Booz Allen Hamilton, Sungard, and Protiviti as well as service in the US military. He holds degrees from Columbia University and Georgetown’s School of Foreign Service.
S-RM: What does cyber confidence mean to you?
BILLY: With cyber confidence – as a concept – we’re exploring a measure of how large the gap is between how you might feel about your cyber security posture’s effectiveness and its actual effectiveness. If you have cyber confidence, it means that you understand your security posture, you feel good about your security posture and your security posture is indeed good. However, there’s a lot of room for mismatches here. For example, you might feel very insecure about the state of your security posture, as though you’re never doing enough, when in fact you are. On the other hand, you might be feeling completely satisfied with your security posture, certain that you’ve covered all your bases, when in fact you haven’t: you’re overconfident. Both over- and under-confidence are prevalent in our sector, and understanding the drivers behind the gaps I’ve mentioned, and how to address them, is something we’re extremely focused on.
LIBBY: From the insurance perspective, we evaluate our insureds, or applicants, to determine where they are on their roadmap to cyber confidence. But at the same time, insurance itself forms a part of that roadmap. We therefore also want to determine to what extent an organisation understands which risks it wants to assume, i.e. what they want to keep, and which ones they want to transfer via insurance.
S-RM: What do you think is one of the primary obstacles that prevent cyber
security professionals from feeling confident about their security posture?
BILLY: I think a major challenge arises when organisations don’t take the time to understand what their real business
risks are in the first place. There’s a tendency to overcomplicate cyber security. In fact, I think this is an industry (of
which I’m admittedly part), that has an over-complication problem. There’s a lot of information out there, it’s very
dynamic and some of it is quite technical. And there are a lot of providers that are trying to create uncertainty and
anxiety based on throwing scary numbers around.
The impact of this is that instead of thinking through their cyber risk in a logical and systematic way, organisations
feel confused by all the information, and that can lead to an oversimplification of the risks. So I think it’s incumbent
on security leaders and management teams to take the time to understand what those risks really are, what they
actually mean for the business and what should be done about them.
LIBBY: I think the issue of complexity or over-complexity often comes into play with management teams who
frequently fail to understand what their responsibility is as business leaders and as board members. It might be
the result of them feeling overwhelmed.
But because of that feeling, leadership teams tend to hold their IT and information security teams responsible for
all things cyber security. I think that’s a mistake. As Billy says, leaders have to understand what the business risks
are, and while those people in IT and information security are your hands and feet on the ground, this business risk
analysis at the highest levels still needs to be conducted, and decisions taken as to what to do about it.
S-RM: How can organisations gain a clearer understanding of the impact a
cyber-attack might have on them? And what role does cyber insurance play here
specifically?
LIBBY: The cyber insurance industry is very much about risk mitigation, and therefore it plays an important part
in any business risk analysis. If you’ve never experienced a cyber incident before, you may under-appreciate
the impact on your organisation. We, in the insurance sector, have visibility of the types of losses incurred by
organisations who have suffered a cyber-attack – because we’re paying them. And because we have a very deep
knowledge of historical losses and how they came about, we can be an important source of information on what
that might look like for those companies that haven’t had a loss yet.
“IF YOU HAVE CYBER CONFIDENCE, IT MEANS THAT
YOU UNDERSTAND YOUR SECURITY POSTURE, YOU
FEEL GOOD ABOUT YOUR SECURITY POSTURE AND
YOUR SECURITY POSTURE IS INDEED GOOD.”
AXA, the AXA and XL logos are trademarks of AXA SA or its affiliates ©2020
BILLY: Certainly, we see that all the time in our incident response work, and in our planning and exercising sessions
in which a company may be the victim of a ransomware attack, for example. One of my roles is to educate them
and help set their expectations around how long it would take to recover, irrespective of which path they take,
be it recovering from backups, decrypting after a negotiation with the threat actor, or rebuilding their entire
infrastructure. Oftentimes there’s a mindset of: ‘I’ll just get the keys and I’ll decrypt everything. I’ll be back to
normal in three business days.’ But that is simply not the case. So, I think another key point that organisations can
learn from their cyber insurance is the expected time of business interruption.
S-RM: What factors do organisations consider when deciding whether to
purchase cyber insurance? And where are the blind spots?
LIBBY: I think there is an opportunity in the industry to help drive improvements in this area. I don’t think that
insureds really understand what they’re buying sometimes. I think many organisations buy a cyber policy and
think, ‘Okay, good. I’ve got this. I’ve got the issue covered.’ But they don’t actually understand the many ways in
which their business can sustain a loss.
An example of that is the trend we’re seeing with regards to attacks on operational technology. An organisation
may purchase a cyber insurance product that is focused on breaches of personally identifiable information or
corporate information and the downstream impacts that relate to these types of breaches. But what if an attack
occurs on an operational technology that then causes a fire or equipment breakdown? Have the consequences of
that been thought through?
So, I think we have an opportunity to help policyholders make sure that they are covering the diverse range of
business risks that they are exposed to in the event of a cyber incident. When it comes to cyber insurance, businesses
– in conjunction with their insurance agents/brokers – need to evaluate whether there is adequate coverage in the
event of damage, loss, modification or unauthorised access of information, and whether there is coverage in the
event of a breach of privacy and regulatory non-compliance. In other words, when advising a company that wants
to purchase cyber insurance, insurance sector practitioners must understand not only that company’s security
posture, but also what type of losses the company is likely to incur if it gets hit with a cyber-attack.
“I THINK MANY ORGANISATIONS BUY A CYBER POLICY
AND THINK: I’M GOOD. BUT THEY DON’T ACTUALLY
UNDERSTAND THE MANY WAYS IN WHICH THEIR
BUSINESS CAN SUSTAIN A LOSS.”
For the full discussion, tune into Episode 9 of S-RM
Insider, available wherever you get your podcasts.
www.s-rminform.com
The information provided to you in this document is confidential and prepared for your sole use. It must not be copied (in whole or in part) or used for any purpose other than to evaluate its contents. No
representation or warranty, express or implied, is or will be made and no responsibility or liability is or will be accepted by S-RM, or by any of its respective officers, employees or agents in relation to the accuracy
or completeness of this document and any such liability is expressly disclaimed. In particular, but without limitation, no representation or warranty is given as to the reasonableness of suggestions as to future
conduct contained in this document. Information herein is provided by S-RM Intelligence and Risk Consulting Ltd on our standard terms of business as disclosed to you or as otherwise made available on
request. This information is provided to you in good faith to assist you in mitigating risks which could arise. No implied or express warranty against risk, changes in circumstances or other unforeseen events is
or can be provided. S-RM Intelligence and Risk Consulting Ltd accepts no liability for any loss from relying on information contained in the report. S-RM Intelligence and Risk Consulting Ltd is not authorised
to provide regulatory advice. S-RM Intelligence and Risk Consulting Ltd is registered in England with Number 05408866 with its registered office at: Beaufort House, 15 St Botolph Street, London, EC3A 7DT, UK.
© S-RM Intelligence and Risk Consulting Ltd. 2020
S-RM IS A GLOBAL RISK AND
INTELLIGENCE CONSULTANCY
Founded in 2005, we have 250+ practitioners spanning six international offices,
serving world class organisations across all regions and major sectors.
CONTRIBUTORS:
LENOY BARKAI, Associate Director | S-RM
LIBBY BENET, Global Chief Underwriting Officer, Financial Lines | AXA XL
DANIEL CAPLIN, Associate Director | S-RM
MONA DAMIAN, Senior Analyst | S-RM
BILLY GOUVEIA, Senior Managing Director | S-RM
JAMES JACKSON, Senior Associate | S-RM
HARRIET MARTIN, Associate Director | S-RM
ROSS MCKEAN, Partner | DLA Piper
ANDREW SHAUGHNESSY, Associate | S-RM
JAMIE SMITH, Head of Cyber Security | S-RM
JOSEPH TARRAF, Associate Director | S-RM
If you would like to speak to any one of our in-house experts or learn more about building cyber
confidence within your organisation, do not hesitate to get in touch: hello@s-rminform.com

 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
Staying Ahead in the Cybersecurity Game: What Matters Now
Staying Ahead in the Cybersecurity Game: What Matters NowStaying Ahead in the Cybersecurity Game: What Matters Now
Staying Ahead in the Cybersecurity Game: What Matters Now
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respond
 
Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022
 
4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf
 
16231
1623116231
16231
 
Mobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat LandscapeMobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat Landscape
 
The Black Report - Hackers
The Black Report - HackersThe Black Report - Hackers
The Black Report - Hackers
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
The significance of the 7 Colors of Information Security
The significance of the 7 Colors of Information SecurityThe significance of the 7 Colors of Information Security
The significance of the 7 Colors of Information Security
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 

Challenging Insecurity: A Roadmap to Cyber Confidence

CHALLENGING INSECURITY: A ROADMAP TO CYBER CONFIDENCE

CONTENTS

Editorial  03
How to Use Cyber Threat Intelligence to Make Good Decisions  06
When the Virtual and Physical Collide: The Need for a Joint Approach to Cyber and Physical Security  13
Q&A: Cyber Confidence and the Legal Risks Associated with a Cyber Security Incident  18
Shockwaves, Ripples and Dominoes: Identifying and Addressing Systemic Cyber Risks  22
“When it Hits the Fan, You Need a Plan”: Getting Incident Response Preparation Right  29
In Recovery: The First 24 Hours of a Ransomware Attack, and Beyond  34
Q&A: What Drives Over- and Under-Confidence in Cyber Security?  39

CHALLENGING INSECURITY: A ROADMAP TO CYBER CONFIDENCE
© S-RM INTELLIGENCE & RISK MANAGEMENT 2021
EDITORIAL: SIMPLICITY, VISIBILITY AND FAMILIARITY
BY JAMIE SMITH, HEAD OF CYBER SECURITY, AND BILLY GOUVEIA, SENIOR MANAGING DIRECTOR, CYBER SECURITY

This past year has reinforced the challenge of confidently predicting the future. What we know for sure, though, is that the future will feature difficult conversations between organisations’ senior leadership and their information security teams about the state of their cyber security. There will be discussions about the size and composition of cyber security budgets, avenues for innovation, and debates about the effectiveness of ongoing programmes.

Because these cyber security discussions can be complex, it can be difficult for stakeholders to feel confident in their decisions. Indeed, a recent survey of US and UK cyber security professionals found that 70% lacked confidence in their organisation’s security posture.1 However, senior leadership teams make challenging decisions all the time. There is no reason why they shouldn’t have the same comfort discussing their cyber security posture as they do other core elements of their business. So, what’s holding people back? What is driving their insecurity?

This report shares our perspectives from our work with hundreds of business and information security leaders. We want to demystify the drivers of insecurity in the cyber security realm. In so doing, we can map a path toward cyber confidence, highlighting various areas that bring focus to decisions, increase clarity around relevant risks, and raise the effectiveness of a security programme along the way.
EXPERIENCED A CYBER INCIDENT? +44 (0)20 3657 0588 | +1 646 895 6538

SIMPLICITY: FOCUS THE DISCUSSION

The leaders of Berkshire Hathaway, Warren Buffett and Charlie Munger, know a thing or two about making good decisions. They wrote in a shareholder letter, ‘Simplicity has a way of improving performance through enabling us to better understand what we are doing.’2 Sounds straightforward. Yet simplifying a decision can be easier said than done, particularly when it comes to cyber security.

Indeed, rather than encouraging simplicity, media and industry reporting often does the opposite, with commonplace headlines about the “complexity” and “ever-changing” nature of the cyber threat landscape. Whilst some of this analysis is valid, it is hard for decision-makers to discern what should demand their attention.

Similarly, the rise of cyber risks has dramatically increased demand for cyber services. In turn, billions of dollars of capital has fuelled new companies, products and services.3 Yet amongst all this exciting innovation, many organisations end up purchasing expensive security solutions which they then struggle to use. Under the pressures of relentless threat reporting and unfamiliar technologies, it is unsurprising that leaders are concerned about buying ineffective solutions to problems they don’t understand.

Focusing on your organisation’s key security objectives is a good way to start introducing clarity and simplicity to the discussion. Once you’ve established what it is you want to achieve, breaking each decision down into the individual actions needed to actuate it becomes a far more straightforward process.

VISIBILITY: SURFACE KEY INFORMATION

The second component of confident decision-making is having the right information. Unsurprisingly, a recent survey of US cyber security professionals found that the greatest factor in diminishing confidence in a security programme was poor visibility into its effectiveness.4 The concerns include difficulties gaining visibility across an IT environment (e.g. where is our data?), sorting through too much threat information (e.g. what is all this telling me?), and translating cyber risks into business priorities (e.g. how do we protect the availability of our customer-facing systems?).

With executive teams already wary of growing cyber security budgets, a recent report surely raised eyebrows with the finding that the number of cyber security tools an organisation implements could actually have a negative impact on security.5 Organisations using more than 50 security tools ranked themselves 8% lower in their ability to detect an attack and 7% lower in their ability to respond to an attack than those with fewer tools. The findings confirm that there’s no technological silver bullet when it comes to cyber security. Rather, confidence will stem from focusing on the right information, not accessing as much of it as you possibly can.

FAMILIARITY: PRACTISE DECISION-MAKING

Deborah H. Gruenfeld, a Professor of Organisational Behaviour at Stanford, has written extensively on the subject of confidence. Her writing explains how regular practice in a particular discipline not only builds confidence, but also improves quality.6 So what does “practice” mean in the context of cyber security? It means decision-makers regularly engaging in discussions in a clear and informed way. It entails stakeholders with differing areas of expertise taking the time to understand their counterparts’ roles and responsibilities. It includes communicating with each other frequently enough to establish trust and credibility before decisions must be made.

All these themes come together in cyber response exercises, which leadership teams are increasingly undertaking as they seek to practise their response and raise their confidence to manage a cyber incident.

1 “Cyber confidence: building a trustworthy security posture”, Nominet Cyber Security.
2 “Keeping Things Simple and Tuning out Folly”, FS, September 2015.
3 “2020 Roundup of Cybersecurity Forecasts and Market Estimates”, Forbes, April 2020.
4 “State of Enterprise Security Posture Report”, Cyber Security Insiders, 2020.
5 “IBM Study: Security Response Planning on the Rise, But Containing Attacks Remains an Issue”, IBM News Room, June 2020.
6 “How to Build Confidence”, Harvard Business Review, 29 April 2011.
A ROADMAP TO CYBER CONFIDENCE

Our overarching goal with this report is to help leadership and security teams build confidence in their cyber security posture. To this end, we have brought together a range of articles, interviews and analyses, all structured around a series of straightforward guiding questions. They are designed to prompt our readers to assess the level of simplicity, visibility and familiarity they maintain in their cyber security programmes.

These questions serve as a simple but powerful framework for leadership and security teams to assess their cyber confidence. Accompanied by engaging analysis and practical insights, we hope this report will encourage faster, better decisions that help organisations prepare to face tomorrow’s cyber security risk environment.

1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
HOW TO USE CYBER THREAT INTELLIGENCE TO MAKE GOOD DECISIONS
BY JAMES JACKSON, SENIOR ASSOCIATE

1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
Ask someone what “cyber threat intelligence” is and they will probably point you in the direction of a shiny piece of software that costs a lot of money. Ask them what it does, and they’ll likely tell you that it searches the dark web, provides real time threat information, and helps prevent incidents before they happen. It all sounds really impressive – and in many ways it is – but, ask that same person what they are trying to achieve with their threat intelligence programme, or even how they measure its success, and the crickets will start to chirp.

This would not be their fault. The landscape of cyber threat intelligence is confused right now, and it is exceedingly difficult to cut through the noise and work out how to add value to your cyber security initiatives. Part of the reason for this is that the industry seems to have prioritised selling flashy subscriptions over helping organisations identify and understand their intelligence objectives.

LESSONS FROM WORLD WAR II

It’s often useful to remember that when we think about modern cyber security, we really only have the last twenty years to look back on. And life functioned quite well long before computers were even an abstract concept. Because of this, more or less everything we do in cyber security has been borrowed from techniques and practices society has been developing for millennia.

When it comes specifically to discussions of cyber threat intelligence, consider the rapid developments achieved in signals intelligence during World War II. This was an environment of major technological change facilitated in large part by the use of radio, which accomplished far more than simply being used as a tool for communication. It led to the development of Radio Detection And Ranging (RADAR) and was even used as a navigational aid. Its use revolutionised warfare, and this can be observed most powerfully through the intelligence and counter-intelligence operations that spanned the war effort, all revolving around the use of radio.

For instance, using two directional antennas you can quite trivially locate the source of a broadcast, so even if you couldn’t understand what someone was saying over the broadcast (due to their use of codes or ciphers), you could still identify where someone was saying it from. That is incredibly useful if part of what you want to know is where armies are and how they’re moving around a territory.

POST-TERRITORIAL THREATS

One of the major differences, however, between the signals intelligence of WWII and the cyber threat intelligence of today is territory. When you’re interacting with tangible physical threats it’s generally easier to understand if an identified entity poses a risk or not. If they are shooting at you or crossing territorial lines, then they likely don’t have your best interests at heart. The rules of engagement are clear and well understood.

On the surface of it, we don’t have this luxury in the cyber world. It is borderless and abstract. However, just as we are able to analyse a seemingly random collection of radio waves and identify a threat based upon their source and location, we also routinely use technical information to attribute cyber threat actors to a country using IP addresses, the timing of their activities, and even the tactics, techniques, and procedures unique to a particular country or known group. They may not align strictly to modern geopolitical boundaries and territories, but the theory is identical and it relies on an understanding of territory; you need to understand what you’re protecting and where the attacks might be coming from before you can reap the value of any threat intelligence.
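The paragraph above mentions the timing of an actor’s activity as one of the technical signals used in attribution. The following is an added example (it is not code from the S-RM report) of the simplest form of that analysis: given UTC timestamps of observed attacker sessions, score each UTC offset by how much of the activity it places inside ordinary weekday working hours. The sample timestamps are constructed, and the working-hours window is an analyst assumption; on its own this narrows candidate time zones, it does not attribute anything, and it must be weighed alongside the other signals the article lists.

```python
"""Working-hours analysis of attacker activity timestamps.

Added example (not from the S-RM report). Given UTC timestamps of observed
attacker activity, estimate which UTC offsets would place most of that
activity inside ordinary weekday working hours. The assumption that the
operator keeps office hours is an analyst judgement, not a fact.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of interactive sessions on a compromised host.
SAMPLE_EVENTS_UTC = [
    "2021-03-01T01:12:00", "2021-03-01T02:40:00", "2021-03-01T05:05:00",
    "2021-03-02T00:50:00", "2021-03-02T03:15:00", "2021-03-02T07:30:00",
    "2021-03-03T01:00:00", "2021-03-03T04:20:00", "2021-03-03T06:45:00",
    "2021-03-04T02:10:00", "2021-03-04T05:55:00", "2021-03-06T03:00:00",
]

WORK_START, WORK_END = 9, 18   # assumed local working window: hour of day in [9, 18)


def parse_utc(stamps):
    """Parse ISO-8601 strings (no offset) as UTC-aware datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def working_hours_share(events, offset_hours):
    """Fraction of events on a weekday between WORK_START and WORK_END at the given UTC offset."""
    if not events:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events)


def rank_offsets(stamps, offsets=range(-12, 15)):
    """Return (offset, share) pairs, best fit first; ties prefer the offset closer to UTC."""
    events = parse_utc(stamps)
    scored = [(off, working_hours_share(events, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))


def hour_histogram(stamps, offset_hours):
    """Counter of local hour-of-day for each event at the given offset (for a quick visual check)."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ev.astimezone(tz).hour for ev in parse_utc(stamps))


if __name__ == "__main__":
    for off, share in rank_offsets(SAMPLE_EVENTS_UTC)[:5]:
        print(f"UTC{off:+d}: {share:.0%} of activity in weekday working hours")
```

The ranking is deliberately coarse: several adjacent offsets will usually score the same, and automated tooling, scheduled tasks or an operator working nights will all defeat it, which is why the output is a candidate list rather than an answer.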
“YOU NEED TO UNDERSTAND WHAT YOU’RE PROTECTING AND WHERE THE ATTACKS MIGHT BE COMING FROM BEFORE YOU CAN REAP THE VALUE OF ANY THREAT INTELLIGENCE.”

DROP THE BUZZWORDS

So, how can this idea help us in the here and now? Here is the trick: forget about the fancy technology for a moment, drop the buzzwords – don’t worry about the dark web or artificial intelligence or blockchain – and let’s start by calling “cyber threat intelligence” what it really is: intelligence. As a general subject area, the objective of intelligence is often to help answer the following questions:

1. How do I know if someone is doing something I do not like?
2. What is the most effective action I can take to minimise the impact of someone doing something I do not like?
3. What happened, why, and how?

Now, perhaps unlike traditional intelligence areas, companies in the cyber world are swarmed with data from telemetry systems, user behaviours, technical analyses, vulnerability databases, and technical news bulletins. They have too much information, and, seeking to capitalise on this data asset, cyber teams are typically requested to “derive intelligence” from this bulk of raw information. It’s a big job, and there’s a significant risk that you may not realise a return on your investment spent doing it. We’ve witnessed first-hand companies undertaking bold initiatives to collect and analyse vast datasets only to be encumbered by the volume of manual work required to shape it into something usable.

So, rather than trying to pre-emptively mine your data for nuggets of truth you suspect exist, try prospecting the territory first and work out beforehand what decisions you would like to be data-driven within your organisation.
INTEGRATING THREAT INTELLIGENCE INTO THE DECISION-MAKING PROCESS

Day to day, any manager or executive will be faced with a multitude of decisions. These decisions can typically be divided into the following categories:

1. OPERATIONAL DECISIONS
These are made daily to ensure that things work as expected and any faults are quickly identified and remediated. An example might be to block an application that is demonstrating suspicious behaviour similar to a known malware type.

2. TACTICAL DECISIONS
These are made less frequently and often have a medium impact, such as a decision to protect your external perimeter by prohibiting the use of Remote Desktop Protocol (RDP) over the internet (a common cause of breaches).

3. STRATEGIC DECISIONS
These are made rarely and have long-term impacts, such as a decision to migrate all business services onto Cloud infrastructure.
Each of these decisions has deep relevance to cyber security, and must be informed by asking and answering questions. The table below details some examples of the questions we should be asking before making a decision. How we answer these questions is the process of generating intelligence.

BLOCK A POTENTIALLY MALICIOUS APPLICATION
• What behaviours and characteristics does the application exhibit?
• Are these behaviours similar to any known malware types, and how do we know this?
• What would be the business impact of blocking the application if it turned out to be legitimate?
• What is the most effective way to block the application, and are there any technical limitations?
• What confidence do we have that we have detected all instances of this application across our environment?
• What is the likely profile of the threat actor operating the application?
• What is the likelihood that blocking the application could notify the threat actor and prompt additional or escalating attacks?
• How do we know that the presence of this application is not symptomatic of a vulnerability in our systems?
• How confident are we that we have identified the root cause of the issue, and do we need to initiate any compensating activities, such as threat hunting?

PROHIBIT THE ORGANISATION’S USE OF RDP
• What will the impact of this change be on our users?
• Do we possess acceptable alternative technologies to facilitate remote working?
• What are the risks of continuing to use RDP, and have we identified any imminent threats?
• How have our industry peers addressed the issue of external RDP use?

MIGRATE BUSINESS SERVICES INTO THE CLOUD
• Do we possess the expertise – either in-house or externally – to accomplish this task?
• Will there be key points throughout this migration where we may be especially vulnerable, and how will we mitigate these risks?
Answering each of these questions requires access to sources of information. At the operational level, these sources usually include systems such as:

• Event and audit data from your devices
• Network metadata
• Alerts from security products, such as your anti-malware systems
• Telemetry data from your external perimeter
• Open source information
• Internal work products and expertise

The first challenge for any organisation is always to collect and capture meaningful information from these sources – think asset management (you cannot capture what you don’t know about!) and central log databases. Then, it must structure its queries over that data in ways that align to the questions it will naturally ask when making operational decisions. This can be done to great effect by simply workshopping the decisions you may be required to make and filling them in, as with the table on page 11.

However, as we move further towards tactical and strategic decisions, our focus shifts towards assessing trends across various data sources, and then supplementing this with industry-specific knowledge – such as changes or developments in the regulatory, legal, and commercial environments. Filling this knowledge gap requires talking to people and understanding where your intelligence sits against your industry peers and competitors. This is one of the toughest challenges with intelligence, and it is often the bit that many organisations fail to get right – not least because everyone is scared of sharing information that may be sensitive, or used for malicious effect, or somehow fall afoul of legal or regulatory constraints.

These issues are best navigated in the same way as operational issues – map out what decisions you would like to make, figure out what information you need to reach those decisions, and then detail a plan for how you will identify and collect the information you require.

BACK TO BASICS

Initiatives such as this are not something you can purchase as-a-service through an intelligence third party. They require you to develop and maintain relationships and think carefully about the value of intelligence to your organisation. This is why, at the end of the day, we encourage the organisations we work with to get back to basics, think about what you want to accomplish, and remember… we are all very much still at war. The same intelligence principles remain; it’s just a different kind of battlefield.

TIPS FOR HOW TO CREATE A CYBER THREAT INTELLIGENCE PROGRAMME:

1. Establish communication channels for your technical engineers to discuss issues with other companies.
2. Encourage participation and speaking at conferences or other group events.
3. Agree on an external information sharing scheme for specific elements of relevant data.
4. Communicate with your regulators and local computer security incident response teams (CSIRTs) to understand how they may be able to contribute.
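The passage above says the operational work is to collect event and audit data centrally and then shape queries around the decisions you actually need to make. As an added example (not code from the S-RM report), the block below runs one such query for the tactical decision described earlier, prohibiting RDP over the internet: it takes logon events and answers “are we exposed from outside today, who relies on that access, and is anyone guessing passwords against it?”. The events are constructed JSON records loosely modelled on Windows logon auditing (event 4624 for a successful logon, 4625 for a failure, logon type 10 for remote interactive sessions); the field names, the list of internal address ranges and the failed-attempt threshold are assumptions, and a real deployment would read the records from the central log store.

```python
"""Decision-support query over logon events: external RDP exposure.

Added example (not from the S-RM report). Answers the questions behind the
"prohibit RDP" decision from centrally collected logon events. The records
below are constructed and only loosely modelled on Windows logon auditing
(4624 = successful logon, 4625 = failed logon, LogonType 10 = remote
interactive session); the internal address ranges are an assumption.
"""
import ipaddress
import json
from collections import defaultdict

RDP_LOGON_TYPE = 10
SUCCESS, FAILURE = 4624, 4625

# Assumed internal ranges for this example; substitute the organisation's own allocations.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records (not real telemetry); documentation-range source addresses.
SAMPLE_LOG_LINES = [
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "j.smith", "IpAddress": "10.0.5.23", "TimeCreated": "2021-03-01T08:02:11Z"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.45", "TimeCreated": "2021-03-01T03:14:09Z"}',
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "TimeCreated": "2021-03-01T03:20:40Z"}',
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "TimeCreated": "2021-03-01T03:20:41Z"}',
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "root", "IpAddress": "198.51.100.7", "TimeCreated": "2021-03-01T03:20:42Z"}',
    '{"EventID": 4624, "LogonType": 2, "TargetUserName": "a.jones", "IpAddress": "-", "TimeCreated": "2021-03-01T09:00:00Z"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "j.smith", "IpAddress": "192.168.1.10", "TimeCreated": "2021-03-02T08:10:00Z"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "m.lee", "IpAddress": "203.0.113.45", "TimeCreated": "2021-03-02T22:45:13Z"}',
]


def is_external(ip_text):
    """True when the source address lies outside every assumed internal range.

    Non-addresses such as "-" (console or local logons) are treated as internal.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_events(lines):
    """One JSON object per line; malformed lines are skipped rather than aborting the query."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def rdp_exposure_report(lines, failed_threshold=3):
    """Summarise external RDP use and password guessing from the logon records."""
    events = [e for e in parse_events(lines) if e.get("LogonType") == RDP_LOGON_TYPE]
    external_success = defaultdict(set)   # account -> external source addresses
    failures_by_ip = defaultdict(int)     # external source -> failed logon count
    internal_users = set()
    for e in events:
        ext = is_external(e.get("IpAddress", "-"))
        if e.get("EventID") == SUCCESS:
            if ext:
                external_success[e["TargetUserName"]].add(e["IpAddress"])
            else:
                internal_users.add(e["TargetUserName"])
        elif e.get("EventID") == FAILURE and ext:
            failures_by_ip[e["IpAddress"]] += 1
    guessing = sorted(ip for ip, n in failures_by_ip.items() if n >= failed_threshold)
    return {
        "externally_exposed": bool(external_success) or bool(failures_by_ip),
        "external_users": {u: sorted(ips) for u, ips in external_success.items()},
        "internal_only_users": sorted(internal_users - set(external_success)),
        "password_guessing_sources": guessing,
    }


if __name__ == "__main__":
    print(json.dumps(rdp_exposure_report(SAMPLE_LOG_LINES), indent=2))
```

The report maps directly onto the table’s RDP questions: the external user list is the impact on users, the internal-only list shows who would be untouched by a perimeter block, and the guessing sources are the “imminent threats” question answered from your own data.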
KEY TAKEAWAYS: APPLYING THE INSIGHTS FROM YOUR INTELLIGENCE FEEDS TO YOUR CYBER SECURITY PROGRAMME

• Understand why you have an intelligence programme and what it is designed to do; are you trying to reduce the number of incidents, unlock value from an internal data asset, or contribute to your industry’s cyber ecosystem?
• Intelligence should always inform decisions. Map out the decisions you will be frequently required to make; this will help you understand the data you will need access to and assess where you may address any perceived gaps.
• Resist the urge to purchase technologies that claim to solve your intelligence requirements. Focus on identifying what issues you hope to solve and how any new platforms or technologies might slot into that vision.
• Talk to people, whether that’s your regulators, your industry peers, your staff, or external experts. Not only will they offer a unique perspective about how they have overcome similar challenges, but they may also be a useful source of benchmarking data.
• Build relationships with the people you talk to and agree on intelligence sharing protocols. Networks such as these will often be far superior to any intelligence you can derive from a technology solution, and will be more focused on the issues that you are actually trying to solve.
WHEN THE VIRTUAL AND PHYSICAL COLLIDE: THE NEED FOR A JOINT APPROACH TO CYBER AND PHYSICAL SECURITY
BY MONA DAMIAN, SENIOR ANALYST, AND HARRIET MARTIN, ASSOCIATE DIRECTOR

1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
EXPERIENCED A CYBER INCIDENT? +44 (0)20 3657 0588 | +1 646 895 6538

In August 2020, news broke that a Tesla employee had been approached by criminals to deploy malware at the company’s Nevada Gigafactory. The recruitment of an insider by criminals is a traditional threat and one which is being exploited by cyber adversaries. The incident prompts security professionals to re-examine their threat models and emphasises the importance of a common approach to managing cyber and physical security.

Best practice mandates that cyber and physical security go hand in hand. In order to secure operations and meet objectives, an organisation requires effective structures and processes, strong governance and risk management, and a joined-up approach to cyber and physical risk mitigation. In this article, we discuss the overlap between cyber and physical security, and the importance of consolidated security management, governance and advocacy in protecting an organisation’s critical systems, networks and data.

GAINING THE INSIDE TRACK

The FBI ultimately arrested a Russian national for attempting to ‘recruit an employee of a company to introduce malicious software into the company’s computer network’.[1] Egor Igorevich Kriuchkov and his associates sought to introduce malware to Tesla’s network, extract data, and extort ransom money by offering the employee USD 1 million to install the malware. While not stated in the court documents, the malware was most likely a form of ransomware designed to encrypt a victim’s IT systems, which is popular with cybercriminals practising extortion schemes today. The operation failed when the employee instead reported the incident.

High earnings from extortion have provided ransomware operators with the resources and confidence to develop and test different techniques to target a company’s networks. However, instead of re-inventing the wheel, the group behind the attempted attack on Tesla chose to exploit traditional physical access control vulnerabilities. Exploiting physical security weaknesses is a tactic previously exercised by nation states. Up until now, cybercriminals have been less known for leveraging physical vulnerabilities in an organisation’s defences.

A notorious example of nation states exploiting physical access loopholes is the deployment of the Stuxnet malware – developed by Israel and the US – at Iran’s Natanz nuclear facility in 2007.[2] The malware was deployed onto the Iranian computer system via USB by a Dutch-recruited insider. The echoes of that attack are felt in the Tesla case, where a USB was one of the potential vectors designed to carry the suspected ransomware.

IT OFTEN COMES DOWN TO ACCESS

Two other recent incidents exemplify how the insider threat or employee access – whether physical or digital – can create information security risks. E-commerce giant Shopify and grocery delivery service Instacart were both forced to investigate security breaches after individuals with access permissions chose to access restricted customer data. In the case of Instacart, the perpetrators were two employees of a contract company who accessed customer profiles without permission.[3] In the case of Shopify, law enforcement were alerted after two employees sought to obtain customer transaction details, access beyond their mandate.[4]

LEAST PRIVILEGE ACCESS: WHO SHOULD BE ALLOWED WHERE?

The principle of least privilege is a security concept which advocates limiting the privileges of any user, account, programme or process to the minimum privileges required to perform their designated function. The principle of least privilege has its clear counterpart in physical security. Here, best practice mandates that employees should have access only to the sites and areas necessary for them to carry out their designated duties.

In the cybersphere, this principle is equally important to safeguard an organisation’s systems and networks. It is applied most commonly to administrative rights by limiting those to users with an explicit need for admin privileges. The principle of least privilege aims to reduce the opportunity for threat actors to access critical systems and data by compromising low-level user accounts or devices.
57% of data breaches involve an insider threat. Source: 2019 Verizon Insider Threat Report

The cases on page 16 highlight how employee access controls – whether physical access or digital access to a network or privileged data systems – can be abused by malicious insiders for personal gain or leveraged by external threat actors. According to the 2019 Verizon Insider Threat Report, 57% of database breaches involved an insider threat within an organisation.[5] The Tesla case demonstrates how traditional physical security vulnerabilities can be exploited by cyber threat actors using an insider as a proxy.

Additionally, social engineering exercises highlight how threat actors might exploit digital defences to turn employees into “access points” when targeting a company’s assets. In a recent Red Teaming exercise for a client, S-RM used open source intelligence to build bespoke phishing attacks and gain control over key employee mailboxes. Our social engineering experts subsequently used this information, along with careful physical reconnaissance, to successfully gain access to several client offices. Once inside, the team planted drop devices to maintain access to the client’s internal networks. This facilitated further attacks, such as gaining administrative control and exfiltrating sensitive corporate data.

“THE ACCESS THAT YOU GIVE EMPLOYEES CAN BE ABUSED BY MALICIOUS INSIDERS FOR PERSONAL GAIN OR LEVERAGED BY EXTERNAL THREAT ACTORS.”

BREAKING DOWN THE SILOES

Adversaries will continue to exploit known threat pathways – both digital and physical – which serves as an important reminder that cyber and physical security are two sides of the same coin, too often treated in siloes. When physical and cyber security risk management is split amongst security professionals and functions within an organisation, the likelihood of inadequate oversight, alignment and advocacy leading to critical security vulnerabilities increases significantly. Collaborative practices between cyber and physical security professionals play a critical role in securing any organisation’s information systems and infrastructure.

1. https://www.justice.gov/opa/pr/russian-national-arrested-conspiracy-introduce-malware-nevada-companys-computer-network
2. https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html
3. https://www.zdnet.com/article/instacart-discloses-security-incident-caused-by-two-contractors/
4. https://www.zdnet.com/article/shopify-discloses-security-incident-caused-by-two-rogue-employees/
5. https://enterprise.verizon.com/resources/reports/insider-threat-report/
Key Takeaways: Integrating physical and cyber security practices

Risk, governance and operational security are equally important. Formally constituted, well thought-out policy and plans are the backbone of good physical and cyber security. In addition, the interface between physical and cyber security must be formalised and cohesively and practically applied. This will ensure an organisation’s security controls are able to contain the consequences if a serious risk manifests, and ensure organisations are less likely to be blindsided by any new threat or change in the threat landscape.

Penetration tests to encompass both physical and cyber testing. Cyber penetration tests check networks for information security lapses (such as exposed RDP ports) and physical penetration tests identify where physical access controls to a site or facility are inadequate. Penetration tests must be holistic, allowing an organisation to adjust practices based on both physical and information gaps, and based on an informed consensus of risk.

Centralising knowledge gained from risk assessments. Cyber and physical security vulnerabilities should be accounted for in an overall risk assessment and risk register. Only with a thorough risk assessment in place can an organisation be informed about known and reasonably likely threats, identify an effective overall risk management strategy and build resilience.

Align incident response plans. Often cyber and physical security issues combine in complex ways, meaning any security incident and subsequent investigation will require close cooperation by cyber and physical security professionals. There is often a physical security investigation and a cyber incident containment and remediation to deal with, and here the traditional approach of creating incident response plans in siloes is inefficient and inappropriate. Recognising the overlap, and sharing planning and resourcing, is required for an effective investigation into any security incident.

Building a just culture. Personnel are a known residual weakness when protecting an organisation’s assets from attack. It is therefore paramount to build a good security culture at all levels of the business which invites active participation in the company’s defence. Developing a culture that encourages collaboration, not punishment, should be the desired end state for risk management professionals.
“WHEN YOU’RE UNDER ATTACK, DON’T LOSE SIGHT OF THE BIG PICTURE.”
Q&A: Cyber Confidence and the Legal Risks Associated with a Cyber Security Incident
Featuring Ross McKean, Partner, DLA Piper

ROSS MCKEAN

Ross has over 20 years’ experience advising on data protection, privacy and cybersecurity law and chairs the UK Data Protection and Cyber Response practice. He advises clients across a wide range of sectors, notably those in the financial services, defence and technology sectors. In this interview, Ross shares his insights on what factors influence the extent of cyber confidence among CISOs and leadership teams, and provides some guidance on how best to prioritise cyber security amid a multitude of competing strategic imperatives and market forces.

S-RM: Do you think that organisations, in general, are over- or under-confident when it comes to how well their cyber security posture mitigates the legal risks associated with a cyber-attack?

ROSS: Some organisations are probably suffering from overconfidence and some have probably got it about right. It depends in part on whether the organisation has actually suffered a cyber-attack or has institutional knowledge of it – for example, through non-executive directors or directors who have joined from other businesses which have gone through the mill of a cyber-attack. If you have experienced a cyber-attack first hand, then you’re more likely to have a deeper understanding of the risks and the types of controls that you need to have in place to be able to make a realistic assessment of cyber risk.

Many organisations know that cyber is a challenge. It’s often reported as a top 10 or even top 5 board concern. But fewer organisations really understand the risk. Beyond being worried about cyber and knowing what the business is spending on IT controls and external third parties, many boards do not know whether they have the “right” cyber security posture for their business or indeed how to assess whether they do or not.

S-RM: And what do you think contributes to that feeling of uncertainty?

ROSS: Two things. One is complexity. It really is quite difficult to make a valid assessment of the likelihood that your organisation will be subject to a damaging cyber-attack and also the type of cyber-attack, because they come in all shapes and sizes. Some organisations get attacked all the time with phishing emails, etc. That’s not necessarily going to be an existential threat to the business, whereas a full-blown successful ransomware attack, extortion attack or data exfiltration are much more serious.
It’s not easy to assess whether your organisation is likely to be at risk from cyber attacks. Many take the view that if they do not process personal data or consumer data then they are unlikely to be an attractive target. Regrettably that isn’t the case, as demonstrated by the rise of ransomware attacks which have successfully targeted all sorts of organisations. In addition to the complexity of assessing the likelihood of your organisation being victim to an attack, assessing what controls are “right” for your organisation to defend against attacks is also complicated. That can lead to over-reliance on technology solutions and cyber insurance as they are easier to understand than process, governance and training exercises – though these are equally, if not more, important to successfully defend against cyber attacks.

The second point I’d make is the prevalence of background noise. There’s been a lot of that in 2020, which has been an exceptional and extraordinary year. Cyber risk is just another concern that organisations have had to add to an already very long list of risks and challenges, which means that in some cases there just isn’t necessarily the bandwidth for boards and organisations to explore in detail whether their cyber posture is optimised or not.

S-RM: Through your experience, what have you observed to be some of the most common oversights made by leadership and security teams when it comes to the way they build and maintain their cyber security programmes?

ROSS: It’s a common challenge that, because of the complexity of cyber, shiny technology and cyber insurance are often viewed as an attractive solution to a complex problem. We frequently see organisations that have been investing a lot of money in technology, but haven’t necessarily invested as much time and effort in stitching those technologies together, because it’s harder to do. Similarly, we also see organisations buy cyber insurance without really understanding whether the cover is right for their organisation. Frequently it isn’t.

“WE FREQUENTLY SEE ORGANISATIONS THAT HAVE BEEN INVESTING A LOT OF MONEY IN TECHNOLOGY, BUT HAVEN’T INVESTED AS MUCH IN STITCHING THOSE TECHNOLOGIES TOGETHER, BECAUSE IT’S HARDER TO DO.”

Another thing that is often overlooked is the importance of training cyber response teams and making sure the organisation has got the right third parties in place (be they cyber forensics, communications consultants or law firms), and ensuring that they have rehearsed cyber response. Some organisations do this very well, particularly if they’ve been hit before, but others don’t. They have a cyber policy because they have to have one, and they pay their CISO and tech team a larger amount every year to keep them safe, and they may have appointed some external third parties to help in the event of a crisis: these are all important steps. But if you don’t actually practise stitching all of those controls and protections together (for example, in red teaming exercises, tabletop exercises and war games) then the first time you use the controls is also the first time you’re getting to know the team, and all their strengths and weaknesses. That then becomes yet another headwind to dealing successfully with a cyber-attack.

It’s key to have a policy, it’s key to have all of these controls, but I would encourage organisations to regularly practise. And when you do practise, don’t do so just within silos. Many CISO teams do tabletop exercises quite regularly. It’s part of the culture now, so I’d say there’s good maturity across many sectors for red teaming and war gaming within the CISO team. What’s less common, though, is testing your response more widely and getting your lawyers involved, or your communications team and other internal and external stakeholders. Best practice is having a war game where you bring all of those different stakeholders together at least once a year. In this way, you can test how everyone works together, which means that when you have to respond to a real event, you’ve got trusted advisors around the table. You already know them, you’ve already run through the practice, and so you’ve normalised the risk. It’s never fun as the victim of a cyber attack, but it’s much less stressful if you’ve tested your team and controls before you have to deal with a real cyber attack, versus trying to cobble together a team on the Sunday of a bank holiday weekend, which seems to be when it always happens.

“BEST PRACTICE IS HAVING A WAR GAME WHERE YOU BRING ALL THE DIFFERENT STAKEHOLDERS TOGETHER AT LEAST ONCE A YEAR.”

S-RM: How would you suggest that organisations balance the need to mitigate the legal risks of a cyber-attack with the operational and financial risks of a breach? How do they prioritise?

ROSS: It’s a great question, but a really difficult one to answer because organisations operate in very competitive markets. Cyber controls are expensive, technology is expensive and cyber forensics firms are expensive. Lawyers aren’t cheap either. In other words, cyber security costs money and you’re spending money on a contingency that may never happen. So it’s not easy for CISO teams, technology teams, and chief risk officers to justify the right budget for cyber.

There isn’t an algorithm (yet) to answer the question: ‘How much should I be spending on cyber?’ But you can get some data points that might help structure your thinking around this question. For example, peer benchmarking, i.e. looking at information about what your peer firms – particularly competitors – are spending on cyber, can be helpful. It’s also very helpful to see what firms are spending after they’ve been attacked, because it will likely be a lot more than what they were spending before they were attacked. And the answer as to what you should be spending is probably between the two.

It’s difficult in these extraordinary times to get budget for what is a cost to the business. So you should look at the space between what many firms are spending as a minimum, which is where they think they can justify the spend (they’ve probably deferred some investments, they might have some old servers that are no longer in support, they may not have endpoint security because it’s expensive, they may not quite have got around to implementing multi-factor authentication), and the sums paid by those who have experienced the worst of a cyber incident.
Data on fine payments is also valuable, i.e. looking at what fines have been imposed on organisations historically. And keep in mind the emerging class action threats. Ask yourself: ‘How much could we as an organisation suffer if we’re subject to a successful cyber-attack, and then off the back of that, a class action threat?’ Doing so will help those within CISO teams to justify a higher spend on proactive assurance. There is no scientific answer, but hopefully this has given our readers some ideas of the data points they can use to inform the answer to the question: ‘How much should I be spending on cybersecurity?’

S-RM: As businesses grow, be it organically or through M&A, how should they adapt their cybersecurity posture accordingly? And how does their legal risk exposure change with that growth?

ROSS: As businesses grow there tends to be a lag between what they should be spending on cyber (as their cyber exposure grows) and what they do spend on cyber. Growing internationally, or even within an existing market, is complex and expensive. And at the moment, businesses are in a very volatile, challenging market internationally. They face ongoing pressure to be first to market or to beat off the competition to acquire assets or other businesses in short order. But getting cybersecurity right takes time, and therefore organisations often don’t get it absolutely right when they are forced to rush products and services to market or rush through an acquisition to remain competitive. I think that’s simply an economic reality, but it’s still something to be aware of, for CISOs, CROs and the C-suite more generally. Particularly so if you’re moving into sectors that are data-rich, and/or which have historically been more prone to cyber-attacks. The commercial priority will be getting into market and getting market share. Ensuring you have full cyber security won’t be the number one concern.

So there is a tension, and I think that organisations just need to be alive to that tension and ensure that this lag is not too great, because it can come back to bite you. I won’t name names, but there have now been several sizeable regulatory fines imposed on both sides of the Atlantic on purchasers of businesses which turn out to have been breached due to rushed or substandard cyber due diligence. These fines, plus follow-on claims for compensation and reputational damage, can quickly turn a successful acquisition into a problem child.

For additional insights from Ross, tune into Episode 8 of S-RM Insider, available wherever you get your podcasts.
SHOCKWAVES, RIPPLES AND DOMINOES: IDENTIFYING AND ADDRESSING SYSTEMIC CYBER RISKS
BY LENOY BARKAI, ASSOCIATE DIRECTOR, AND ANDREW SHAUGHNESSY, ASSOCIATE

1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
A SHOCK TO THE SYSTEM

When government officials in Wuhan confirmed in late 2019 that they were treating dozens of patients infected by an unfamiliar virus, few predicted that the entire world would be facing the health and economic challenges that we now confront. There is no greater, more striking example today of the manifestation of systemic risk than the COVID-19 pandemic. A seemingly isolated incident, in a seemingly remote location, created a ripple effect that devastated healthcare systems and crippled even the most resilient of economies. Some have described it as a “black swan” event, but the fact is that the risk – the systemic risk – of a pandemic has been structurally building for decades.

COVID-19 can help us unpack what kinds of structures are prone to systemic risks. The cybersphere is certainly one of them. Here, we explore these parallels and discuss approaches to identifying and mitigating systemic cyber risk within and across organisations.

WHAT ARE WE ACTUALLY TALKING ABOUT?

Traditionally found in the lexicon of financial sector analyses, “systemic risk” has been variously defined as the risk of ‘a breakdown of the entire system’,[1] ‘the risk connected to the complete failure of a business, a sector, an industry’,[2] and ‘the probability that cumulative losses will occur from an event that ignites a series of successive losses along a chain’,[3] to cite but a few.

According to the World Economic Forum, systemic cyber risk is ‘the risk that a cyber event… at an individual component of a critical infrastructure ecosystem will cause significant delay, denial, breakdown, disruption or loss, such that services are impacted not only in the originating component but consequences also cascade into related… ecosystem components.’[4]

Across many policy advisory groups and think tanks, “systemic risk” in cyber security has largely been used to describe the potential for a cyber incident, or series of incidents, to create global shockwaves of a devastating nature. However, it can also be a useful exercise to examine systemic risk through a much narrower lens – focusing on what it could look like within a single business, or between clusters of interdependent organisations or industries.

So, what does this look like in practice? If we consider that a “chain-reaction” is a defining property of systemic risk, then a good place to start is looking at what links that chain is made of when we think of cyber risk.

“INTERNAL AND THIRD-PARTY CYBER-DEPENDENCES CAN BE HIGHLY OPAQUE.”
Intra-organisational risk. In this scenario, an isolated cyber incident impacting a system or network within one part of an organisation leads to a total failure of an organisation’s critical infrastructure. Consider the potential impact of just a single employee clicking on a malicious link embedded in a phishing email. This may allow the threat actor to deploy a remote access trojan, granting them a level of control over the infected computer. From this initial access point, the hacker is able to move laterally through the organisation’s network and ultimately execute a ransomware attack that encrypts all company data and brings business to a standstill.

Inter-organisational risk. Here, an organisation is critically impacted by a cyber incident occurring at a third-party service provider or along its supply chain. Consider the implications of the likes of Amazon Web Services (AWS) experiencing a general outage: the more than one million companies[5] who rely on AWS for their cloud-computing infrastructure could be impacted. A prolonged outage could see dependent AWS customers go out of business.

1,000,000+ companies rely on AWS for their cloud computing infrastructure.

THE DEFINING FEATURES OF SYSTEMIC RISK

Sociologist Charles Perrow attributes organisational failure to two structural factors: complexity and tight coupling.[6] Here, complexity refers to systems that are interconnected in ways not immediately obvious or visible. Opaque systems make it harder to diagnose issues and to predict the impact of an incident arising in one part of the system on the rest of it. The linkages between the component parts are obscure. Tight coupling refers to the close integration of different components of a system. The tighter the integration across a system, the harder it is to prevent any single incident from cascading through it. COVID-19 presents both characteristics as it travels through a highly interconnected and tightly integrated globalised system.

Similarly, consider the subprime mortgage meltdown that spurred the 2008 financial crisis. Mortgage-backed securities are financial products that are made up by bundling together several home loans. The bundling and re-bundling of subprime loans in the run-up to the financial crisis made it increasingly difficult to see what these products were made of and challenging to identify the risk of their imminent collapse. Furthermore, the highly interconnected nature of the financial industry meant that when Lehman Brothers fell as a result, the other banks were lined up like dominoes.[7]
The cybersphere is similarly prone to these two structural features. An organisation’s internal and third-party cyber-dependences can be highly opaque, and the threat landscape noisy and confusing. And we live in a world that has never been more tightly coupled in terms of our connectivity (both logically and geographically). This coupling has only increased since the onset of COVID-19 and continues to accelerate at a breakneck pace. It is therefore imperative that the systemic risks baked into an organisation’s internal structures and supply chain be clearly identified, the connections mapped out, the interdependencies accounted for. But how?

BACK TO BASICS: A RISK-BASED APPROACH TO CYBER SECURITY

Enough talk of global meltdowns and organisational failure. Systemic risks abound in the cybersphere, but they can be managed. The first step is to identify them. Doing so within the confines of your own organisation is one thing, but assessing systemic risk across a long supply chain is a more daunting task. Keeping in mind that systemic risk is the risk of a total meltdown, a good place to start is identifying your own organisation’s key points of critical failure. We can think of critical failure across two categories:

Critical activities. Forget cyber security for a minute. What does your business need to do on an ongoing basis to continue to survive and thrive? Now, work your way backwards to map out all the various dependencies that emanate from these basic, critical activities. Who does your business rely on (internally/externally) to do them? If they were subject to a cyber-attack, can you trace the chain of events all the way back to your business-critical functions?

Critical exposure. Which people, third parties, partners or clients (even if not business-critical functionally) have sufficient access to your networks and/or data to present a systemic vulnerability? For example, if they were hacked, could the threat actors gain access to your networks and/or data?

Completing this exercise will allow you to trace, identify and then rank your internal and external dependencies. In other words, it will remove unnecessary complexity from the equation and clarify your areas of vulnerability. Already, you’re addressing the first of the two structural factors that contribute to systemic risk. Now, build some resilience into these structures to reduce how tightly coupled these critical dependencies are. Foundational cyber risk mitigation techniques can be applied here. Generally speaking, cyber risk treatment covers three broad categories:

Reduction: This includes implementing cyber security controls to alter, reduce or eliminate a risk. For example, implementing endpoint protection or classifying your data. While these controls may result in a reduction of operational efficiency in the short run, they will lead to greater resilience in the longer term.

Transference: Also known as risk assignment, this takes the form of having another entity assume the risk and is usually achieved through insurance.

Acceptance: Here, the negative impact of the risk is accepted by the organisation. This is a common response to minor risks or ones where the cost of implementing the mitigation outweighs the potential impact.
“A GOOD PLACE TO START IS IDENTIFYING YOUR OWN ORGANISATION’S KEY POINTS OF CRITICAL FAILURE.”
Returning to the example above, our team recently worked closely with a software company that had moved the bulk of its operations to various cloud platforms. Their product was hosted on AWS and their office network existed solely for the purpose of accessing the internet. Our cyber risk assessment indicated that a sustained AWS outage presented a systemic risk to the organisation through the following:

1. First, the availability of their product would be disrupted.
2. Second, we discovered that many of their critical third parties also relied on AWS.

In developing a mitigation roadmap for the organisation, we segmented our risk management approach into the three categories of reduction, transference, and acceptance described above. We therefore made the following recommendations:

We suggested that they reduce this risk by implementing redundancy between the company’s AWS zones and testing their business continuity and disaster recovery plans. This mitigated the impact of a partial AWS failure; in other words, it created some space between a partial AWS failure and total business failure.

We recommended transferring some of the risk through the purchase of an insurance policy to lessen the financial impact of an incident in terms of lost revenue. Again, insurance here serves to partially decouple a cyber incident from an organisation’s critical need to fund its activities.

Finally, the organisation accepted a certain level of systemic risk. To implement additional controls to further reduce the risk of a total AWS failure would require maintaining so much redundant infrastructure that their product would not be commercially viable.

“CONTROLS MAY RESULT IN A REDUCTION OF OPERATIONAL EFFICIENCY IN THE SHORT-RUN, BUT WILL LEAD TO GREATER RESILIENCE IN THE LONGER TERM.”

Indeed, not all systemic risks can be mitigated. But by reducing complexity, introducing clarity, mapping out dependencies and building slack into the system, they can be reduced. And with the right controls and preparation in place, should they manifest, they can be managed.

1. ‘Systemic Risk Management in Finance’, CFA Institute. Available at: https://www.cfainstitute.org/en/advocacy/issues/systemic-risk
2. ‘Systemic Risk vs. Systematic Risk: What’s the Difference?’, Investopedia. Available at: https://www.investopedia.com/ask/answers/09/systemic-systematic-risk.asp
3. Kaufman, G. ‘Bank failures, systemic risk, and bank regulation’, The Cato Journal, February 1996.
4. ‘Understanding Systemic Cyber Risk’, World Economic Forum, October 2016.
5. ‘Who’s Using Amazon Web Services? [2020 Update]’, Contino, 28 January 2020. Available at: https://www.contino.io/insights/whos-using-aws
6. Charles Perrow, Normal Accidents: Living with High-Risk Technologies, 1984.
7. ‘Warren Buffett: In the 10 years since financial panic, we’ve learned we’re ‘all dominoes’ spaced closely together’, CNBC, 10 September 2018. Available at: https://www.cnbc.com/2018/09/10/warren-buffett-2008-financial-crisis-showed-we-are-all-dominoes.html
Ranking your third parties for cyber risk

How much access does the third party have to your network? Answer 2 key questions:

1. How much access will the third party inherently have? Many Managed Service Providers (MSPs) inherently require network access to carry out their function.
2. How much access does a third party need to fulfil their function? Third parties may sometimes request excessive access simply for the purpose of expediency.

What data types will be accessible to the third party? Different data types have different operational, reputational and legal implications associated with their theft or exposure. Make sure to consider:

1. The value of the accessible data to your business. Examples of highly valuable data include Intellectual Property (IP) as well as data essential to business continuity.
2. The regulatory value of that data. Standards such as the California Consumer Privacy Act (CCPA) or General Data Protection Regulation (GDPR) levy hefty fines against organisations that do not manage and protect covered data.
3. The reputational value of that data. Exposing your customers’ PII and/or sensitive financial or healthcare information can result in a devastating loss of trust, tarnishing your brand for an extended period.

How business-critical is the third party? It is important to ask how the loss of a given third party would impact your business, and ensure that business-critical third parties present robust cyber security postures, because:

1. A cyber-attack against a business-critical third party can lead to significant operational disruption for your organisation.
2. Replacing business-critical third parties (should they fail your cyber due diligence) is likely to be more onerous than replacing the more “nice-to-have” service providers.

Key Takeaways: In combination, these three elements (access, data types and business-criticality) can be weighted in line with your business’s priorities and used to group third parties into buckets comprising high, medium, and low priority for cyber due diligence.
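The weighting and bucketing described above, as an added example in Python (not S-RM’s own tool or code): each supplier is scored on access, data types and business-criticality, the weights encode the business’s priorities, and the result is bucketed into high, medium or low priority, with a flag where a supplier holds more access than its function requires. The ordinal scales, weights, tier thresholds and the sample suppliers are all constructed assumptions.

```python
"""Weighted third-party cyber-risk tiering for due-diligence prioritisation.

Added example (not S-RM's own code). Each supplier is scored on the three
factors described above: network access, data types reachable, and
business-criticality. The ordinal scales, weights, tier thresholds and the
sample suppliers below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal exposure levels for each factor: 0 (none) to 3 (highest).
ACCESS = {"none": 0, "limited": 1, "broad": 2, "privileged": 3}
DATA = {"public": 0, "internal": 1, "regulated": 2, "crown_jewels": 3}
CRITICALITY = {"nice_to_have": 0, "useful": 1, "important": 2, "critical": 3}
MAX_LEVEL = 3

# Weights encode the business's priorities and must sum to 1.
# This constructed profile worries most about network access.
DEFAULT_WEIGHTS: Dict[str, float] = {"access": 0.40, "data": 0.35, "criticality": 0.25}


@dataclass(frozen=True)
class ThirdParty:
    name: str
    access_needed: str    # access the function inherently requires
    access_granted: str   # access actually provisioned to the supplier
    data: str             # most sensitive data type the supplier can reach
    criticality: str      # how hard the business would be hit by losing them


def excess_access(tp: ThirdParty) -> bool:
    """True when the supplier holds more access than its function needs."""
    return ACCESS[tp.access_granted] > ACCESS[tp.access_needed]


def risk_score(tp: ThirdParty, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Weighted score normalised to [0, 1]; uses granted (actual) access."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    raw = (weights["access"] * ACCESS[tp.access_granted]
           + weights["data"] * DATA[tp.data]
           + weights["criticality"] * CRITICALITY[tp.criticality])
    return round(raw / MAX_LEVEL, 3)


def tier(score: float) -> str:
    """Bucket a normalised score into a due-diligence priority."""
    if score >= 0.67:
        return "high"
    if score >= 0.34:
        return "medium"
    return "low"


def rank_third_parties(parties: List[ThirdParty],
                       weights: Dict[str, float] = DEFAULT_WEIGHTS
                       ) -> List[Tuple[str, float, str, bool]]:
    """Return (name, score, tier, excess_access) sorted highest risk first."""
    rows = []
    for tp in parties:
        score = risk_score(tp, weights)
        rows.append((tp.name, score, tier(score), excess_access(tp)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample suppliers; none refers to a real organisation.
SAMPLE_THIRD_PARTIES = [
    ThirdParty("Managed service provider", "privileged", "privileged", "crown_jewels", "critical"),
    ThirdParty("Payroll SaaS", "none", "limited", "regulated", "important"),
    ThirdParty("Office catering portal", "none", "broad", "public", "nice_to_have"),
    ThirdParty("Marketing analytics tool", "none", "none", "internal", "useful"),
]

if __name__ == "__main__":
    for name, score, bucket, excess in rank_third_parties(SAMPLE_THIRD_PARTIES):
        flag = "  <- access exceeds need: review" if excess else ""
        print(f"{name:26s} score={score:.3f} tier={bucket}{flag}")
```

The catering portal lands in the low bucket yet is flagged for review: a low-priority supplier with broad network access it does not need is exactly the expediency problem the second access question is meant to catch.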
“WHEN IT HITS THE FAN, YOU NEED A PLAN”: GETTING INCIDENT RESPONSE PREPARATION RIGHT
BY DANIEL CAPLIN, ASSOCIATE DIRECTOR

1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
Those of you up to date with the cyber security industry’s spiel will have heard the increasingly popular maxim ‘it’s not a matter of if you will experience a cyber-attack, but when’. As much as this may seem like scaremongering, there’s a grain of truth to it. Most cyber defence experts when pushed are forced to admit that, at least for the moment, the bad guys are winning the arms race in cyber. The reasons for this are varied, including increasing information and tool sharing between cybercriminals, increasing complexity of organisations’ IT environments making it more challenging for security teams, and a skills shortage in the cyber security job market, amongst others. The long and short of it is that you need to be prepared for the worst, and that means having confidence in your planning, capabilities and the team that you will – at some point – have to rely on to help you deal with an attack when it happens.

“MOST CYBER DEFENCE EXPERTS WHEN PUSHED ARE FORCED TO ADMIT THAT, AT LEAST FOR THE MOMENT, THE BAD GUYS ARE WINNING THE ARMS RACE IN CYBER.”

TOO MUCH ADVICE, TOO LITTLE FOCUS

The million-dollar question is: how should you prepare? Received wisdom from regulators, cyber security firms and governments alike is that a central pillar of any preparations should be to create and rehearse an incident response plan. Experts will go on to claim that a well-established incident plan will reduce the impact – and ultimately the costs – of attacks when they happen. However, a confusing array of different plan templates, guidance and advice await those looking to understand what a good incident plan should contain. The variety comes because there is no one-size-fits-all approach. Unfortunately, this means that when incidents happen, even those with plans may not use them. Over hundreds of incidents, S-RM’s incident response team rarely sees victims using their plans (if they have one). Now don’t get us wrong, this isn’t because plans aren’t useful! It’s because most organisations do at least one of the following three things with their plans:

Overcomplicate: Diligent plan owners often fall into the trap of trying to provide detailed guidance for every scenario. This almost always goes out the window in the “fog of war”, except for the most mature, well-resourced and well-rehearsed response teams.

Tick the boxes: Another common pitfall is to create a plan which follows a “best practice” checklist, but fails to be actually relevant to the organisation and the practicalities of real incidents. This may help you pass an audit, satisfy a regulator or put a nice stamp on those pesky third party due diligence questionnaires – but it won’t help you respond to an incident when it happens.

File and forget: Many organisations write their plan and then let it gather virtual dust for 18 months until an incident hits. Organisations grow and change without these plans being updated. Also, no one can remember where they are kept.
INCIDENT RESPONSE PLANNING AS A PROCESS

By this point, you may be asking yourself, ‘so what should I be doing?’ Well, we think there are some general rules to building your plan and capabilities:

1. Start with a plan that contains the basics. If you do nothing else, agree and write down these four things:
   • Who is responsible for what in a response.
   • Who can take key decisions.
   • How to contact response leaders.
   • Who you should call for specialist support if you need it.

2. Discuss the plan with your executive management, not once, but regularly. A large part of the value in making a response plan is in the discussions it prompts at the highest level of the business around how an incident could impact the organisation. Ultimately, this will lead to increased cyber awareness among business leaders, and a better understanding of cyber risks and of what investment in security is needed. The value of this can’t be overstated if you want to be confident in your capabilities to deal with a serious cyber-attack. It’s also something you need to maintain over time, so make sure your plan is reviewed at least annually.

3. Test your plan with a simulated incident. Walking through a major incident scenario and stress testing how it holds up is one of the best ways to help you identify where you need more (or less) written guidance in your plans, and where there might be gaps in your team’s technical capabilities or resources.
PLAYBOOKS FOR THE INEVITABLE

Once you have the basics down, the next step is to plan for specific incident scenarios aligned to your risks and then rehearse those regularly. This process is a bit more complicated, but those who achieve this are often able to dramatically reduce the number of serious incidents they experience, as well as halve the costs of the response when they do happen. For example, if you’re a law firm and you know that you are likely to be targeted by a nation-state backed group as a result of your work on a contentious international lawsuit with a foreign government, having playbooks for dealing with the inevitable espionage attempts, whether using malware, co-opted insiders or listening devices, can be crucial to minimising your exposure. Equally, if you are most worried about ransomware temporarily paralysing your business (realistically a threat to most corporates these days), then having a well-rehearsed playbook for that scenario can ultimately save you from thousands or millions in losses, or in the worst case scenario: bankruptcy.

Developing those playbooks is also the perfect time to interrogate and understand whether your current technical capabilities are up to the task and will detect and contain as many attacks as possible in their early stages. This last exercise is both broad – as it involves understanding your overall security programme in detail – and narrowly specific, when it comes to defining exactly what you need to stop a ransomware threat from a technical perspective (for example, ensuring you have a well-managed heuristic endpoint detection technology, robust control of privileged accounts, secure remote access, etc.).

CONCLUDING THOUGHTS

Clearly, there is a lot to do here if you want to be confident in your ability to “get off the mat” when an incident happens, but the key takeaway is that incident response planning is a process. As with any capability, planning should begin with the basics and receive the right investment to evolve over time. That means it must involve executive management. Finally, above all, practise, practise, practise. As all emergency workers know, the best laid plans go out the window in the “fog of war”, unless they are second nature.

“THE BEST LAID PLANS GO OUT THE WINDOW IN THE FOG OF WAR, UNLESS THEY ARE SECOND NATURE.”
Key Takeaways: The basics of an incident response plan

1. Define the responsibilities of key response leaders. Incident response is rarely simple and typically benefits from a pre-agreed central coordinator, as well as an idea of who should lead common workstreams (such as system restoration activities, forensics, communications, legal, etc.).

2. Decide who can take key decisions. Building on the last point, a serious cyber-attack may trigger the need to take decisions which could have an immediate and long-lasting impact on the business if handled incorrectly, such as when to notify law enforcement or regulators, take customer-facing systems offline, or activate insurance. Knowing who can take those decisions in advance will remove delays and avoid miscommunications that can derail your response.

3. Know how to contact response leaders. Hours spent trying to contact response leaders can be critical lost time in an incident. It could make the difference between catching a ransomware group during their planning phase and after they have encrypted all your data. Having a central contact list, an outline of backup methods of communication if, for example, corporate email is down, and an idea of a Plan B if critical people are uncontactable is essential.

4. Know who to call for support. Most internal teams (hopefully) don’t have a lot of experience with large-scale cyber incidents. This means that when a serious incident happens, you will need help from people who deal with them every day, such as specialist data recovery, forensics, legal and public relations firms. Knowing who you would call and having the right paperwork in place in advance to eliminate delays can significantly reduce the impact of an attack. Often this might be in place via your cyber insurance.
IN RECOVERY: THE FIRST 24 HOURS OF A RANSOMWARE ATTACK, AND BEYOND
BY JOSEPH TARRAF, ASSOCIATE DIRECTOR

1. Do you understand the threat picture? Can you see your adversaries clearly?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?

WHEN YOU’RE UNDER ATTACK, DON’T LOSE SIGHT OF THE BIG PICTURE

Cyber incidents, especially those which have a substantial operational impact on an organisation – such as a ransomware attack – can be extremely stressful and chaotic events. Of course, preparation is key; the more comprehensive, actionable, and practised your incident response plans are, the better equipped you will be to navigate a ransomware incident and its minefields. However, even the best prepared teams can develop tunnel-vision during a response. For example, conducting a forensic investigation into the incident is often deprioritised when response teams maintain a singular focus on restoring operational services. And this works to the detriment of the organisation and the overall response.
Indeed, it is a common misconception that the investigation is only helpful in providing a retrospective accounting of events after the fact. The reality is, though, that the investigation is a critical enabler for the response and should be undertaken in parallel to the restoration of services. When a ransomware event is first discovered, the situation is often extremely fluid, with an overwhelming number of unknowns. The overall impact of the incident is unclear and, adding to the chaos, there is a high level of uncertainty over whether the environment is being actively compromised. The first 12-24 hours of a response are critical. They dictate the tempo of the overall response and largely influence its eventual outcome.

THE FIRST 24 HOURS

UNPLUG

The first order of business during a ransomware incident is to stem the bleeding. This often involves disconnecting all assets, including critical ones, from the network. Doing so within this timeframe is paramount for two reasons:

1. It helps prevent unimpacted assets from being infected.
2. It provides response teams with the opportunity to perform a thorough impact assessment on the environment without having to worry about a continued compromise.

But these actions in themselves raise legitimate cause for concern. By doing the above, you are in effect causing a business interruption. Yet there is a logic at play here. The interruption you are causing to perform the assessment is a calculated risk. When done effectively, it will avert the even longer interruption to the business caused by clean assets being impacted due to lack of action. Naturally there are always exceptions, and in some cases, it may simply not be feasible to cause any interruption of business, especially if doing so poses a potential risk to life and safety. At the end of the day, the decision to “unplug” or not has to be taken with all the associated risk factors in mind. The better prepared you are ahead of an incident, the better equipped you will be to make these difficult decisions in a time-sensitive environment.

AN ORGANISATION’S RESILIENCY AGAINST LARGE-SCALE RANSOMWARE EVENTS IS DEPENDENT ON FOUR CORE ELEMENTS:

1. A thorough understanding of critical business operations and the technical infrastructure supporting these operations.
2. Appropriately concise, clear, and actionable incident response plans and playbooks.
3. Competent and well-staffed incident response, IT, forensic, and legal teams. The latter two are often external teams, brought in due to their specialised expertise.
4. The availability of robust, complete, and restorable backups for critical systems and data, retained offline.
ASSEMBLE

A well-prepared organisation will enact its incident response plans within the first 24 hours following the detection of an incident. As part of these plans, the incident response team should be assembled, with a clear mandate and well-defined roles and responsibilities. Stakeholders for a ransomware incident expand well beyond the technical; senior leadership participation is crucial to make critical decisions quickly, input from across business units is important to establish the restoration plan, and legal representation is key to ensure that legal and regulatory obligations are met.

ASSESS

Once convened, the incident response team’s priority is to conduct a thorough assessment to gain a clear picture of which assets are impacted. Backups should crucially form part of this assessment. It is very common for ransomware operators to target backups for encryption or deletion as part of their attack. Doing so effectively cripples restoration activities, increasing the threat actor’s leverage when negotiating for a ransom payment with their victims. Evaluating the availability and integrity of recent backups for impacted assets is therefore a key priority during the initial response.

AFTER 24 HOURS

At this stage, the impact assessment has been completed and the state of backups confirmed. Now the incident response team should establish a clear order of priority for the restoration of services. In essence, this translates into a checklist of activities that need to be completed to bring targeted systems back online and connected to a clean network. An IT team’s competency and capacity play a crucial part in this process. During restoration, systems and services do not recover seamlessly, with Murphy’s Law ever present in these cases! The better equipped the IT team is to troubleshoot and resolve the inevitable issues that arise during the restoration process, the shorter the restoration timelines are and the lower the potential business interruption.

RESTORATION OPTIONS

The best-case outcome in a bad ransomware scenario sees a victim organisation have unimpacted backups with minimal data loss that are readily available, and crucially, easily restorable. If this is not possible, there are two less ideal alternatives:

1. Rebuild systems from scratch, with substantial or total data loss.
OR
2. Negotiate and pay a ransom amount for a decryptor tool to salvage data.

Losing substantial amounts of data can be operationally crippling, and in some cases simply not viable: operations cannot be restored without the availability of historic data. Rebuilding systems from scratch is a time-consuming and labour-intensive process, often taking weeks to complete with substantial financial costs and potential financial impacts. Negotiating and paying ransoms and receiving decryptor tools is also a lengthy process. It is not uncommon for it to take a week or more before an organisation gets a decryptor tool in hand. There are additional considerations to keep in mind when entertaining this option. For example, paying a ransom can have reputational, regulatory, and legal ramifications, and even with access to a decryptor, there is no guarantee that all data can be salvaged. Additionally, decryptor tools only unlock data; they do not sanitise assets.
Systems will still need to be rebuilt to ensure a safe restoration, and decrypting large amounts of data can take several days. All these factors extend the timelines of a response even further. In practice, organisations often adopt a restoration approach that combines the above scenarios out of pure necessity. Often, backups are only available for a subset of critical systems and data. In such cases, organisations may elect to restore backups where they can, negotiate and obtain a decryptor tool to restore other critical services, and rebuild tertiary systems from scratch. No matter which option or combination of options is taken, restoring services is not an instantaneous process. In most cases, it may take an organisation several days to restore critical services, and perhaps weeks to restore full operations.

FORENSIC INVESTIGATION

It is imperative that response teams incorporate forensic acquisition activities into the restoration process. Getting this right is a balancing act, and often requires a high level of coordination and communication between IT and forensic teams. As the IT teams move to restore systems, they should be working in tandem with the forensic teams to ensure that the required forensic artefacts are collected prior to restoration. These artefacts could include live forensic collections, which tend to be relatively quick endeavours, or full disk images, which could take several hours to complete for a single system. However, the importance of the forensic aspect of a response cannot be overstated. Performing a forensic investigation should be an organic part of the response, and provides an organisation with the opportunity to surface the root cause of the incident, Indicators of Compromise (IOCs) used by the threat actors, and whether the threat actor accessed or exfiltrated sensitive data.

Establishing the root cause of an incident is important. Doing so allows for appropriate measures to be taken as part of the response to ensure any open vectors of attack are addressed. Blocking threat actor IOCs and monitoring for their presence in the rebuilt environment is also key to preventing a reinfection of the environment. Finally, understanding threat actor activities within the environment, particularly whether they accessed or exfiltrated sensitive data, is critical. This dictates whether organisations have any notification obligations to the public, regulators, or law enforcement. Failure to notify when a requirement is present can be very costly, reputationally and financially. External law firms specialising in data breaches are exceptionally well-equipped to provide the appropriate legal advice in such cases, and an organisation would be well-advised to seek their engagement early on in the process.

IN OUR EXPERIENCE…

Ransomware events are by nature an extreme stress-test of an organisation’s people, operational resilience, and response capabilities. Restoring services from this shock to the system is neither an easy nor a quick task. Even in the best of cases, some level of business interruption is to be expected. An organisation’s level of preparedness and the initial first hours of the response are key factors that determine the duration of that business interruption. Our response teams have witnessed both sides of the spectrum: we’ve seen unprepared organisations face business interruptions to critical services for weeks. But we’ve also seen those with robust incident response plans and a backup strategy for critical systems mitigate the damage and get back up and running quickly. Finally, having the right external partners can be a force multiplier for an organisation’s resilience. Experienced breach coaches and digital forensic and incident response firms are faced with these situations on a day-to-day basis. Leveraging their expertise can help an organisation stem the bleeding, restore services quicker, and limit their legal risks substantially. Ultimately, a ransomware incident is never a good day, but with the right elements in place, you can minimise the impact on your organisation and get through to the other side of it.
Key Takeaways: Ransomware Recovery Timeline

0-24 hours

Contain: Take immediate steps to contain further spread. This may entail disconnecting the majority of assets from the network.
Assemble: Activate your response plan and assemble your team.
Assess: Conduct an impact assessment, including backups.

24 hours +

Review your restoration options: Most likely a combination of
• Recovery from backups
• Rebuild from scratch
• Pay ransom and decrypt
Work with counsel: Ensure notification requirements are met.
Investigate: Embed your forensic investigation into the recovery process.
• Establish root causes
• Block and monitor IOCs
• Identify threat actor activities and signs of exfiltration
Recover: Enact your recovery plan.
Q&A

In Conversation: What Drives Over- and Under-Confidence in Cyber Security?
Featuring Libby Benet, Global Chief Underwriting Officer, Financial Lines, AXA XL

LIBBY BENET
Libby’s experience in the insurance and reinsurance sector spans over 30 years. She joined AXA XL in February 2020 after serving as President and CEO of Cyber Secure Work Inc, and holding several senior positions across the likes of Beazley, General Reinsurance, and Zurich Financial Services, among others. She is a member of the Minnesota Lawyers Mutual Board of Directors through the International Association of Privacy Professionals. She is a certified information privacy professional, and certified as a privacy information manager.

BILLY GOUVEIA
Billy joined S-RM in 2019 as Senior Managing Director. He also forms part of S-RM’s Executive Committee. Prior to S-RM, his career spanned the tech startup scene, management consulting positions at Booz Allen Hamilton, Sungard, and Protiviti as well as service in the US military. He holds degrees from Columbia University and Georgetown’s School of Foreign Service.

S-RM: What does cyber confidence mean to you?

BILLY: With cyber confidence – as a concept – we’re exploring a measure of how large the gap is between how you might feel about your cyber security posture’s effectiveness and its actual effectiveness. If you have cyber confidence, it means that you understand your security posture, you feel good about your security posture and your security posture is indeed good. However, there’s a lot of room for mismatches here. For example, you might feel very insecure about the state of your security posture, as though you’re never doing enough, when in fact you are. On the other hand, you might be feeling completely satisfied with your security posture, certain that you’ve covered all your bases, when in fact you haven’t: you’re overconfident. Both over- and under-confidence are prevalent in our sector, and understanding the drivers behind the gaps I’ve mentioned, and how to address them, is something we’re extremely focused on.

LIBBY: From the insurance perspective, we evaluate our insureds, or applicants, to determine where they are on their roadmap to cyber confidence. But at the same time, insurance itself forms a part of that roadmap. We therefore also want to determine to what extent an organisation understands which risks it wants to assume, i.e. what they want to keep, and which ones they want to transfer via insurance.
S-RM: What do you think is one of the primary obstacles that prevent cyber security professionals from feeling confident about their security posture?

BILLY: I think a major challenge arises when organisations don’t take the time to understand what their real business risks are in the first place. There’s a tendency to overcomplicate cyber security. In fact, I think this is an industry (of which I’m admittedly part) that has an over-complication problem. There’s a lot of information out there, it’s very dynamic and some of it is quite technical. And there are a lot of providers that are trying to create uncertainty and anxiety based on throwing scary numbers around. The impact of this is that instead of thinking through their cyber risk in a logical and systematic way, organisations feel confused by all the information, and that can lead to an oversimplification of the risks. So I think it’s incumbent on security leaders and management teams to take the time to understand what those risks really are, what they actually mean for the business and what should be done about them.

LIBBY: I think the issue of complexity or over-complexity often comes into play with management teams who frequently fail to understand what their responsibility is as business leaders and as board members. It might be the result of them feeling overwhelmed. But because of that feeling, leadership teams tend to hold their IT and information security teams responsible for all things cyber security. I think that’s a mistake. As Billy says, leaders have to understand what the business risks are, and while those people in IT and information security are your hands and feet on the ground, this business risk analysis at the highest levels still needs to be conducted, and decisions taken as to what to do about it.

S-RM: How can organisations gain a clearer understanding of the impact a cyber-attack might have on them? And what role does cyber insurance play here specifically?

LIBBY: The cyber insurance industry is very much about risk mitigation, and therefore it plays an important part in any business risk analysis. If you’ve never experienced a cyber incident before, you may under-appreciate the impact on your organisation. We, in the insurance sector, have visibility of the types of losses incurred by organisations who have suffered a cyber-attack – because we’re paying them. And because we have a very deep knowledge of historical losses and how they came about, we can be an important source of information on what that might look like for those companies that haven’t had a loss yet.

“IF YOU HAVE CYBER CONFIDENCE, IT MEANS THAT YOU UNDERSTAND YOUR SECURITY POSTURE, YOU FEEL GOOD ABOUT YOUR SECURITY POSTURE AND YOUR SECURITY POSTURE IS INDEED GOOD.”

AXA, the AXA and XL logos are trademarks of AXA SA or its affiliates ©2020
BILLY: Certainly, we see that all the time in our incident response work, and in our planning and exercising sessions in which a company may be the victim of a ransomware attack, for example. One of my roles is to educate them and help set their expectations around how long it would take to recover, irrespective of which path they take, be it recovering from backups, decrypting after a negotiation with the threat actor, or rebuilding their entire infrastructure. Oftentimes there’s a mindset of: ‘I’ll just get the keys and I’ll decrypt everything. I’ll be back to normal in three business days.’ But that is simply not the case. So, I think another key point that organisations can learn from their cyber insurance is the expected time of business interruption.

S-RM: What factors do organisations consider when deciding whether to purchase cyber insurance? And where are the blind spots?

LIBBY: I think there is an opportunity in the industry to help drive improvements in this area. I don’t think that insureds really understand what they’re buying sometimes. I think many organisations buy a cyber policy and think, ‘Okay, good. I’ve got this. I’ve got the issue covered.’ But they don’t actually understand the many ways in which their business can sustain a loss. An example of that is the trend we’re seeing with regards to attacks on operational technology. An organisation may purchase a cyber insurance product that is focused on breaches of personally identifiable information or corporate information and the downstream impacts that relate to these types of breaches. But what if an attack occurs on an operational technology that then causes a fire or equipment breakdown? Have the consequences of that been thought through? So, I think we have an opportunity to help policyholders make sure that they are covering the diverse range of business risks that they are exposed to in the event of a cyber incident. When it comes to cyber insurance, businesses – in conjunction with their insurance agents/brokers – need to evaluate whether there is adequate coverage in the event of damage, loss, modification or unauthorised access of information, and whether there is coverage in the event of a breach of privacy and regulatory non-compliance. In other words, when advising a company that wants to purchase cyber insurance, insurance sector practitioners must understand not only that company’s security posture, but also what type of losses the company is likely to incur if it gets hit with a cyber-attack.

“I THINK MANY ORGANISATIONS BUY A CYBER POLICY AND THINK: I’M GOOD. BUT THEY DON’T ACTUALLY UNDERSTAND THE MANY WAYS IN WHICH THEIR BUSINESS CAN SUSTAIN A LOSS.”
For the full discussion, tune into Episode 9 of S-RM Insider, available wherever you get your podcasts.
www.s-rminform.com

The information provided to you in this document is confidential and prepared for your sole use. It must not be copied (in whole or in part) or used for any purpose other than to evaluate its contents. No representation or warranty, express or implied, is or will be made and no responsibility or liability is or will be accepted by S-RM, or by any of its respective officers, employees or agents in relation to the accuracy or completeness of this document and any such liability is expressly disclaimed. In particular, but without limitation, no representation or warranty is given as to the reasonableness of suggestions as to future conduct contained in this document.

Information herein is provided by S-RM Intelligence and Risk Consulting Ltd on our standard terms of business as disclosed to you or as otherwise made available on request. This information is provided to you in good faith to assist you in mitigating risks which could arise. No implied or express warranty against risk, changes in circumstances or other unforeseen events is or can be provided. S-RM Intelligence and Risk Consulting Ltd accepts no liability for any loss from relying on information contained in the report. S-RM Intelligence and Risk Consulting Ltd is not authorised to provide regulatory advice.

S-RM Intelligence and Risk Consulting Ltd is registered in England with Number 05408866 with its registered office at: Beaufort House, 15 St Botolph Street, London, EC3A 7DT, UK.

© S-RM Intelligence and Risk Consulting Ltd. 2020

S-RM IS A GLOBAL RISK AND INTELLIGENCE CONSULTANCY

Founded in 2005, we have 250+ practitioners spanning six international offices, serving world class organisations across all regions and major sectors.
CONTRIBUTORS:

LENOY BARKAI, Associate Director | S-RM
LIBBY BENET, Global Chief Underwriting Officer, Financial Lines | AXA XL
DANIEL CAPLIN, Associate Director | S-RM
MONA DAMIAN, Senior Analyst | S-RM
BILLY GOUVEIA, Senior Managing Director | S-RM
JAMES JACKSON, Senior Associate | S-RM
HARRIET MARTIN, Associate Director | S-RM
ROSS MCKEAN, Partner | DLA Piper
ANDREW SHAUGHNESSY, Associate | S-RM
JAMIE SMITH, Head of Cyber Security | S-RM
JOSEPH TARRAF, Associate Director | S-RM

If you would like to speak to any one of our in-house experts or learn more about building cyber confidence within your organisation, do not hesitate to get in touch: hello@s-rminform.com