We've summarised the key findings from 100 cyber security surveys. We choose the best of these each month to discuss with our customers, to guide & accelerate their cyber resilience journey.
Slides used in VIP Customer Forums hosted by Cyber Rescue Alliance, for individual thought leaders.
These slides supported discussion about where Third Party Risk Management needs to go in the months and years ahead, in the face of dynamic cyber threats.
Ensuring Cyber Resilience in the Finance Sector (Kevin Duffey)
Presented at the prestigious Operational Resilience, Outsourcing & Third Party Risk conference in London on 22-23 Nov 2022.
Provides data on Ransomware, Cyber Insurance, DDoS and other fast developing aspects of cyber resilience. Focusses on 3rd Party and 4th Party challenges & opportunities to measure & mitigate risks.
Breaches Anticipated in 2022 as Cyber Security Posture so Low (Kevin Duffey)
Sample of over 500 breaches anticipated by SecurityScorecard, as cyber security posture was so low before the ransomware gang or other cyber attack succeeded.
For daily insights follow Cyber Rescue at https://www.linkedin.com/company/cyber-rescue-alliance/posts/
Cyber Insurance - Best Insights of June 2022.pptx (Kevin Duffey)
Cyber Insurance: best insights of June 2022 to help firms improve their cyber resilience against ransomware and other cyber attacks for operational resilience and business continuity.
Best Cyber Risk Insights from 100 reports published in year to March 2022 (Kevin Duffey)
March 2022: includes Budgets, Salaries, Certifications, Ransoms Paid, Business Losses, emerging Threats and how to Respond to cyber attack. Download and share, because every graph in the PDF is hyperlinked to a detailed report.
Breaches Anticipated - because firms have weak cyber security visible to hac... (Kevin Duffey)
March 2022: This document lists hundreds of firms that had a low cyber risk score on SecurityScorecard, for months before they were breached, often by ransomware gangs. If you're responsible for your firm's security, operational resilience or cyber insurance, it's well worth five minutes.
Breaches anticipated in 2021 - Published 14th June 2021 (Kevin Duffey)
New report shows 92 breaches anticipated at firms with weaker cyber security posture than their peers.
So forward this report to your colleagues now, and ask: "which of our Suppliers is most likely to be breached today?"
If your colleagues can't give you graphs like these, just send an email to Assistance@CyberRescue.co.uk and we'll give you a complimentary report, to help you measure and manage cyber risk across your supply chain.
Cyber Resilience: managing 3rd Party Risks in Financial Services (Kevin Duffey)
Presentation given to Chief Risk Officers, Heads of Operational Resilience and CISOs at the annual Marcus Evans conference on Operational Resilience and Business Continuity in Financial Services.
Includes how to measure, mitigate and manage cyber vulnerabilities at outsourcing firms and other suppliers of critical ("material") services, as expected by regulators like the Bank of England / Prudential Regulatory Authority, European Banking Authority, and Financial Stability Board.
Privacy & Security in Feb 2020: new Fintech regulations on Cyber Security at ... (Kevin Duffey)
Presented to an expert audience at the PrivSec Congress in London on 4th Feb 2020, this presentation uses PayPal & Travelex as topical examples, showing why cyber security of private data processed by suppliers is an increasing concern of Financial Regulators.
And then it demonstrates what your peers are doing to comply with those new regulations.
Let’s work together to mitigate risks.
Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020 (Kevin Duffey)
Chief Risk Officers and CISOs from 25 of our customers & friends debated their SMART objectives for 2020. Here are the results, showing who to involve and how to report progress on cyber risk across 3rd parties during 2020.
Keynote at Operational Resilience summit - Financial Services - 18th Nov 2019 (Kevin Duffey)
Opening keynote presentation at Operational Resilience in Financial Services summit, with Freshfields, UK Finance and City & Financial Global. Focus on measuring cyber risk at suppliers to mitigate harm.
London First - cyber attack simulation - 22nd May 2018 (Kevin Duffey)
London First is an association of prestigious companies, working together to make London the best place in the world for business. Cyber Resilience is part of that work, so senior executives were taken through this interactive simulation.
Cyber Attack Simulation for 450 Executives (Kevin Duffey)
Cyber Attack Simulation for 450 Executives at the Finance Malta conference, in May 2018. Will your Board Directors also disagree on how to respond to a Breach?
Cyber attack response from the CEO perspective - Tallinn Estonia - Short Simu... (Kevin Duffey)
Estonia is famously a leader in digital and cyber technology. This short simulation was presented to Estonian executives, experts and government representatives. It is a very short version of the sort of executive simulation we run for large enterprises across Europe. Follow us at - https://www.linkedin.com/company/cyber-rescue-alliance/
The Security Director's Practical Guide to Cyber Security (Kevin Duffey)
Presented at the annual UK Security Expo in London, to help traditional Security Directors understand and feel confident about the practical ways in which their role should extend to cyber security issues. This presentation was followed by a simple cyber attack simulation (not shown here).
Presented by Barrie Millett and Kevin Duffey of Cyber Rescue.
The Cyber Crime Unit in the Hellenic Police is one of the best developed in Europe, for example with specialist skills around social media. Their Director provided this 119 slide presentation of their excellent work, in Greek.
Vodafone security priorities in Greece (Kevin Duffey)
Vodafone supports businesses and consumers across Greece with innovative communication services. Vodafone has identified "a cyber attack resulting in customer data loss" as a top 10 strategic risk, and takes a mature approach to mitigating this risk.
ENISA - EU strategies for cyber incident response (Kevin Duffey)
ENISA is the EU Agency for Network & Information Security. In this presentation, the Head of Stakeholder Relations shares lessons for CEOs from over 200 cyber simulations and other research conducted by ENISA.
Danish National Cyber Crime Centre - Kim Aarenstrup - how to fight cyber crime (Kevin Duffey)
The Danish National Police employ about 100 staff in the Danish National Cyber Crime Centre (NC3). In this presentation, the Head of the Centre shares insights with business executives on how to fight cyber crime.
Danish Council for Digital Security - Rasmus Theede - Commercial insights in... (Kevin Duffey)
The Danish Council for Digital Security is an independent membership organization with highly specialized knowledge and experience on information security and privacy protection. In this presentation to business executives, their Chairman explains lessons CEOs should take from previous cyber attacks in Denmark.
Danish Centre for Cyber Security - Thomas Kristmar - CEOs leading recovery in... (Kevin Duffey)
The Danish Defence Intelligence Service has a unit of about 100 people working in the Danish Centre for Cyber Security. In this presentation to business executives, their Head of Policy explains lessons CEOs should take from previous cyber attacks in Denmark.
1. www.CyberRescue.co.uk Page: 1
How would I respond to a Cyber Attack?
26th April 2017
Kevin.Duffey@CyberRescue.co.uk
+44 79 20 76 65 30
For more information, contact Assistance@CyberRescue.co.uk or +44 (0)20 7859 4320
A censored set of slides shown to the Worshipful Company of Information Technologists.
Boardroom Briefing on Cyber Security
2. www.CyberRescue.co.uk Page: 2
A word about Cyber Rescue
www.CyberRescue.co.uk
We help executives lead commercial recovery when digital defences fail
Practice your Response with Executive Simulations
Bespoke Commercial Response Plan
Commercial Coach for Cyber Attack Response
To find out more, contact Assistance@CyberRescue.co.uk
3. www.CyberRescue.co.uk Page: 3
FBI data storage in 1942 = 10 million sets of fingerprints, plus 23 million paper cards = 680 Gigabytes
Digital opportunity
4. www.CyberRescue.co.uk Page: 4
Digital transformation of assets
£600 storage device in 2016, a “memory stick” from HyperX, stores 1,000 Gigabytes
Digital opportunity and cyber risk
9. www.CyberRescue.co.uk Page: 9
Staff Risks:
• 78% of staff don't obey info policy
• 63% of breaches involve passwords
• 41% of staff install apps on work PC
• 30% of phishing messages are opened
• 12% of staff download malicious s/ware
Supply Chain Risks:
• 41% of breaches affecting healthcare are caused by Third Parties
• 17% of breaches investigated by Kroll caused by Third Parties
• AT&T, Home Depot, TalkTalk, and Target all suffered breaches via 3rd parties
Assess Risks beyond IT
13. www.CyberRescue.co.uk Page: 13
Amy Pascal former CEO of Sony Pictures, February 2015
There was this horrible moment where I realized there was absolutely nothing at all that I could do.
14. www.CyberRescue.co.uk Page: 14
Robert Pera CEO of Ubiquiti, on “whaling” loss of $46.7m that his staff didn't tell him about, January 2016
I’ve been through stages of denial, disbelief, frustration.
15. www.CyberRescue.co.uk Page: 15
I am incredibly angry about this data breach.
John Legere CEO, T-Mobile USA, on breach of T-Mobile customer data stored by Experian, October 2015
16. www.CyberRescue.co.uk Page: 16
The only crime that has been proven is the hack. That is the story.
Ramon Fonseca founding partner of Mossack Fonseca ("Panama Papers"), April 2016
17. www.CyberRescue.co.uk Page: 17
The awful truth is that I don’t know.
Dame Dido Harding CEO of Talk Talk, when asked if affected customer data was encrypted, October 2015
18. www.CyberRescue.co.uk Page: 18
Atiur Rahman, Bangladesh Bank Governor, after cyber thieves compromised their systems - 15th March 2016
It was like an Earthquake.
21. www.CyberRescue.co.uk Page: 21
Companies should be thinking about decisions the CEO will need to make.
Michael Vatis Director, FBI's National Infrastructure Protection Center, January 2016
22. www.CyberRescue.co.uk Page: 22
You are “blindsided”
You weren’t told of other Security Incidents
CEO (55%), HR (68%), Legal (72%).
You are told of the Breach by an outsider
Law Enforcement (41%), 3rd Parties (35%), Fraud Detection (14%) or Internal (10%).
You are already weeks behind the attackers
Average time to discovery of breach: 69 days (114 days in health, and 46 in all other sectors)
Cyber Attacks are different from other business continuity challenges in the “paralysing ambiguity” of the situation.
23. www.CyberRescue.co.uk Page: 23
Authorities are “difficult”
Who to call? 31 organisations fight cyber threats to Financial Services in UK.
68% of IoD Members are unaware of Action Fraud.
What resources do they have?
UK NCSP gives £30m pa to combat cyber crime, including £12m to NCEC.
The ICO has 30 officers handling over 200,000 concerns & 1,000 cases per year.
What do Authorities do? “4% of cyber crime dealt with appropriately by police.”
24. www.CyberRescue.co.uk Page: 24
There are a lot of opinions
Who is in charge? The UK Parliament expressed its view on 20th June 2016.
What has been breached? Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days.
How soon to notify customers? 91% of consumers expect "24 hours or less." But 32% of consumers say their loyalty would diminish if they knew of a data breach.
26. www.CyberRescue.co.uk Page: 26
Decisions imply a Budget
Insurance Pays? 52% of UK CEOs believe they have cover, but <10% actually do. Some 81% of companies with cyber cover in USA have never claimed on it.
Claims covered: In USA, 78% went on Crisis Services, 8% on Defence, 9% on Settlement, & 4% for Fines.
Big Gesture? 53% of Breach Notifications offer Credit Monitoring, which is taken up by 10% of affected consumers.
27. www.CyberRescue.co.uk Page: 27
How to triage complaints?
Irate consumers want to receive the global standard in call centre response, 80% of calls answered in 20 seconds. But volumes can be 100 times normal, with call duration x2 standard 4 mins.
And in addition -
- Social Media
- Regulators
- Suppliers
- Press
- Staff
- Police
- Shareholders
You are overwhelmed
28. www.CyberRescue.co.uk Page: 28
Example Simulation
Acme Ltd is a new subsidiary of Acme PLC.
You employ 100 staff, with 50,000 customers.
You have 10 key partners, eg suppliers.
Your IT Director is away.
You launch a new service “Acme Cares” in a week.
Acme Ltd
You work in the senior executive team of a medium-sized luxury hospitality business.
29. www.CyberRescue.co.uk Page: 29
Enjoy the Simulation
Much will be uncertain during the exercise. That is deliberate.
Paralysing ambiguity is a defining characteristic of cyber attacks.
Decisions have consequences, as does failure to take prompt action.
None of you will be evaluated.
The exercise is safe and enjoyable.
It is OK to make mistakes.
Teamwork is key.
Who? How? Why?
30. www.CyberRescue.co.uk Page: 30
Simulation Slides have been removed
Please contact Cyber Rescue for a simulation of the decisions your executive team will need to make when hackers breach your defences.
www.CyberRescue.co.uk
+44 (0)20 7859 4320
31. www.CyberRescue.co.uk Page: 31
$4 million USD is the “average” total cost of a reported data breach (up 29% since 2013): more in Healthcare, Education & Finance.
Abnormal churn following a breach ranges from 6.2% in Finance and 5.3% in Health to 0.1% in Public Sector.
Cost is reduced most by: Incident Response Team (-10%), Encryption (-8%), Training (-6%).
$158 USD is the average cost per lost or stolen record (up 15% since 2013). (June 2016)
53% of Breach Notifications included an offer of Credit Monitoring, which was taken up by 10% of those consumers. – March 2016
32. www.CyberRescue.co.uk Page: 32
55% pa increase in spear-phishing attacks on employees (April ‘16)
52% of IT professionals re-use personal passwords for business apps
41% of Millennials install apps on work PC without consulting IT
30% of Millennials email company info to a personal email address
30% of phishing messages are opened (April ‘16)
29% of companies with mandatory data protection training give an exception to CEOs (May ‘16)
Cause of breach (March ‘16):
- 48% Current Employee
- 31% Outside Perpetrator
- 17% Related Third Party
- 4% Former Employee.
35. www.CyberRescue.co.uk Page: 35
The future?
Massive growth in digital opportunities and cyber threats.
Expectations on CEOs will rise: to have a detailed plan to reduce harm from cyber attack.
36. www.CyberRescue.co.uk Page: 36
How we help leaders like you
www.CyberRescue.co.uk
We help executives lead commercial recovery when digital defences fail
Practice your Response with Executive Simulations
Bespoke Commercial Response Plan
Commercial Coach for Cyber Attack Response
To find out more, contact Assistance@CyberRescue.co.uk
Please contact us if you’d like to protect your Reputation, Revenues and Company Value
It’s the data storage system the FBI used in 1942, to hold a lot less data than fits on a modern memory stick.
Choosing pictures that tell stories is really important.
For example, some people compare a data breach to an earthquake.
There is some value in that approach, because…
This memory stick holds 1,000 Gigabytes
Who here can visualise what that looks like?
We find it helpful to show CEOs this picture, of just 600 Gigabytes
“Everyone thinks they have a plan, until they get punched in the face.”
Mike Tyson said that. So did Vicki Gavin – the award winning CISO of The Economist Group – and many others who work in cyber resilience.
The quote applies at two levels:
CEOs genuinely think they have a plan. For example, the UK Government found that more than half of UK CEOs think they have cyber insurance; Insurance Brokers say the actual figure is closer to 2%.
Where a plan does exist, it is inadequate. Typically it covers only technical response, technical forensics and technical remediation. Such response is necessary but not sufficient for Full Recovery. That includes the Reputation, the Revenues and indeed the Roles that executives are responsible for.
Technical incident response plans don’t support Executives through the shock that is often disorientating, and the uncertainty that often leads to decision paralysis or Reckless Hyper Activity.
After a Breach it’s fine to feel Anger, Depression, Self-Pity or Betrayal, but then Executives need a plan of action. Famously, they don’t always.
Amy Pascal didn’t have a plan.
“There was this horrible moment,
where I realized
there was absolutely
nothing at all
that I could do.”
There was actually – of course - a huge amount to do.
Which she’d have learnt by role playing a cyber attack –
Engaging with law enforcement,
the media
staff and talent
customers and suppliers
investors and regulators
finance, operations, HR, customer service, IT and many more.
But there’s so much to do,
it’s hard to get past emotions
Robert Pera did a service by sharing his feelings.
“Denial, Disbelief, Frustration.”
Those are the emotions he described to shareholders,
after the FBI told him
they’d seen his company’s money
going into a bank account they were watching.
Pera blamed
“a couple individuals
who displayed incredibly poor judgment and incompetence”
But those “couple of individuals” made
14 wire transfers, over 17 days, totalling over $46m
without checking in person with the “colleague” who
supposedly was emailing instructions
to send the cash to
new bank accounts in China, Russia, Poland and other countries.
As CEO, Pera could have created:
- a culture in which staff talk to executives when asked to do strange things,
- a control system that checks new payments to new bank accounts,
- a training platform that educates staff about the risks of phishing, whaling and other attacks.
It’s obvious Pera was feeling enormous anger.
That anger is even more intense when a breach can be blamed on a supplier.
John Legere
was “incredibly angry”
when data on his 15 million customers
was breached by one of his suppliers, the data processor, Experian.
Experian’s costs for that breach – so far - are $20 million
plus the loss of one of their largest customers, T-Mobile.
But executives can do more
than trust that their data will be safe,
they can make efforts to verify.
In the future,
it won’t be enough for Executives to say they are angry.
They must insist on a procurement approach
that does more than ask providers to promise to keep data safe.
For just $20,000, it is possible to automatically identify
which of your providers
- has failed to patch their systems,
- has failed to keep passwords safe,
- has failed to XXX.
At Cyber Rescue, we offer that $20,000 service.
We also help CEOs role play and plan for the consequences of a breach.
A cyber attack is a crime. The attacked CEO might expect sympathy.
An obvious example of a CEO who expected sympathy is Ramon Fonseca.
He said…
“The only crime that has been proven is the hack. That is the story.”
But of course the story
that the media focussed on
as they read the Panama Papers
that had been breached from his law firm
was the illegal
tax evasion
and money laundering
the law firm appeared to have facilitated.
If the executives at Mossack Fonseca
had role played the consequences of a data breach
it would have been obvious they’d get little public sympathy.
At Cyber Rescue,
we have Members,
who have realised through our role play exercises
that while what they do is really good work
the media might choose not to be sympathetic to a breach.
So having role-played a breach,
our Members do much more
to encrypt, segment, tokenise, limit access to and otherwise
protect
their clients’ data.
By role-playing and planning the consequences of a breach
Executives at least understand what protections they have in place.
They don’t need to find themselves on national TV
and having to say
“The awful truth is that I don’t know”
It is not a great answer to the question
“Do you know if your customers’ sensitive information was encrypted?”
Dido Harding was faced with several questions that could have been anticipated.
For example, “Did TalkTalk implement Cyber Essentials before this breach?”
Role playing such a question in advance makes it obvious
that an investment of less than £1k to get the certificate the Government recommends
is worth making
even if you’re already doing everything needed technically.
Cyber attacks
are not just a technical issue,
they are an expected challenge of doing digital business
So, companies need to be expecting a breach.
And as the FBI says…
It was like an Earthquake!
And actually, that’s an interesting analogy.
What would you do if there was a major earthquake?
If you are a child…
…CEOs struggle to visualise effective cyber response.
Putting your hands on your head is a start,
but we actually want more from our leaders.
As Group General Manager at International SOS
I was responsible for evacuating thousands of people
during events like The Arab Spring,
the eruptions of the Eyjafjallajökull volcano in Iceland
and the Japanese earthquake that destroyed the Fukushima nuclear plant.
My career has been based on helping leaders
anticipate the future
including the consequences of disasters
And it’s the consequences that often do more damage than the event.
For example,
a mature response to an earthquake anticipates all the
decisions and resources needed when
an earthquake can be followed by:
- Landslide
- Tsunami
- Fire
- Radiation Leak
- Water Shortage
- Food Shortage
- Shelter Shortage
- Transport Problems
and so on.
“Companies should be thinking about the decisions the CEO will need to make”
during and immediately after a major cyber attack is discovered.
And that’s where we in this room have a responsibility
We have to help CEOs to anticipate and really visualise the consequences of cyber attack.
People say that “out of sight is out of mind”
and what does data look like?
These days, if it has any physical appearance, perhaps it looks like this.
Passions can run high, because
although we all know a breach is “inevitable,”
most CEOs aren’t mentally prepared.
And the “paralysing ambiguity”
of an attack you can’t physically see
is very disorientating.
CEOs then think about calling for help
And there are some excellent individuals at the many organisations that help fight cyber attacks.
But it can be difficult to navigate the various authorities during a crisis.
Similarly, it can be difficult to navigate internally
And the legal picture is certainly not simple,
especially for businesses that operate in more than one State.
Yet decisions have to be made
including to put dollars against specific actions.
How much, for example, should be invested in
the Surge capability needed
to communicate with all Stakeholders?
The future will bring many digital opportunities,
but the bar of expectations will also be raised
not just for good cyber security,
but also
for good commercial response.