recovery
How should CEOs lead response to a catastrophic Cyber Attack?
www.CyberRescue.co.uk
Kevin Duffey, Managing Director
29th June 2016
summary
www.CyberRescue.co.uk
This presentation was given to an invited audience of senior representatives from the Cabinet Office (UK Government), Capita, E.ON, Institute of Directors, Microsoft, Saga plc, Zurich Insurance, etc, at an event organised by Cyber Rescue on 29/6/16. The event was “National & Commercial Strategies for Cyber Resilience.” It included a pre-publication preview of the UK’s National Cyber Security Strategy to 2020.
Three items were discussed during this presentation:
• Specific CEO responses to cyber attack, and the particular ways that lack of commercial preparation for breach hurts reputations & revenues. Slides 3-9
• Visualisation of threats, and what mature response looks like. By analogy with an earthquake, anticipating the consequences of a breach is key. Slides 10-14
• Specific commercial challenges that follow a catastrophic cyber attack, in particular the paralysing ambiguity of the situation. Slides 15-21.
For similar material, follow Cyber Rescue on LinkedIn.
Amy Pascal, former CEO of Sony Pictures, February 2015
“There was this horrible moment where I realized there was absolutely nothing at all that I could do.”
Robert Pera, CEO of Ubiquiti, on “whaling” loss of $46.7m that his staff didn't tell him about, January 2016
“I’ve been through stages of denial, disbelief, frustration.”
“I am incredibly angry about this data breach.”
John Legere, CEO, T-Mobile USA, on breach of T-Mobile customer data stored by Experian, October 2015
“The only crime that has been proven is the hack. That is the story.”
Ramon Fonseca, founding partner of Mossack Fonseca (“Panama Papers”), April 2016
“The awful truth is that I don’t know.”
Dame Dido Harding, CEO of Talk Talk, when asked if affected customer data was encrypted, October 2015
“Companies should be thinking about decisions the CEO will need to make.”
Michael Vatis, Director, FBI's National Infrastructure Protection Center, January 2016
CEOs struggle to visualize data risks
The £600 USB 3.1 storage device (“memory stick”) from HyperX stores 1,000 Gigabytes.
FBI data storage in 1942 = 10 million sets of fingerprints, plus 23 million paper cards = 680 Gigabytes.
All this data fits on a memory stick.
CEOs struggle to visualize cyber response
“Hands on your head” isn’t enough for adults.
Material for Earthquake Response. Slogan: “Shake Out. Don’t Freak Out.”
Aesop’s Menagerie of Cyber Breach Responses
http://www.cyberrescue.co.uk/library/blog#instincts
Without a commercial response plan to anticipate decisions that will be needed, executives respond with well-intentioned but counter-productive instincts.
You are “blindsided”
You weren’t told of other Security Incidents: CEO (55%), HR (68%), Legal (72%).
You are told of the Breach by an outsider: Law Enforcement (41%), 3rd Parties (35%), Fraud Detection (14%) or Internal (10%).
You are already weeks behind the attackers. Average time to discovery of breach: 69 days (114 days in health, and 46 in all other sectors).
Cyber Attacks are different from other business continuity challenges in the “paralysing ambiguity” of the situation.
Authorities are “difficult”
Who to call? 31 organisations fight cyber threats to Financial Services in UK. 68% of IoD Members are unaware of Action Fraud.
What resources do they have? UK NCSP gives £30m pa to combat cyber crime, including £12m to NCEC. The ICO has 30 officers handling over 200,000 concerns & 1,000 cases per year.
What do Authorities do? “4% of cyber crime dealt with appropriately by police.”
There are a lot of opinions
Who is in charge? The UK Parliament expressed its view on 20th June 2016.
What has been breached? Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days.
How soon to notify customers? 91% of consumers expect “24 hours or less.” But 32% of consumers say their loyalty would diminish if they knew of a data breach. (International)
Laws are complicated
See DLA Piper’s 425 page summary of Privacy and Breach Notification laws, and other “response” documents.
Decisions imply a Budget
Insurance Pays? 52% of UK CEOs believe they have cover, but <10% actually do. Some 81% of companies with cyber cover in USA have never claimed on it.
Claims covered: In USA, 78% went on Crisis Services, 8% on Defence, 9% on Settlement, & 4% for Fines.
Big Gesture? 53% of Breach Notifications offer Credit Monitoring, which is taken up by 10% of affected consumers.
How to triage complaints?
Irate consumers want to receive the global standard in call centre response: 80% of calls answered in 20 seconds. But volumes can be 100 times normal, with call duration x2 the standard 4 mins.
And in addition:
- Social Media
- Regulators
- Suppliers
- Press
- Staff
- Police
- Shareholders
You are overwhelmed.
You are criticized for trying your best
“You notified … too slowly … too fast … without cause … putting us at risk of scammers”
“Experts say you should have … encrypted … vetted suppliers … trained staff … … .”
UK Parliament 20/6/16: Bigger fines for poor response; cyber impact on CEO bonus.
the future?
Massive growth in digital opportunities and cyber threats.
Expectations on CEOs will rise: to have a detailed plan to reduce harm from cyber attack.
membership
www.CyberRescue.co.uk
We help executives reduce harm caused by cyber attacks:
Practice your Response with Executive Simulations
Bespoke Commercial Response Plan
Commercial Coach for Cyber Attack Response
To find out more, contact Assistance@CyberRescue.co.uk
thank you
National & Organisational Strategies for Cyber Resilience
www.CyberRescue.co.uk
Kevin Duffey, Managing Director
29th June 2016
For similar material, follow Cyber Rescue on LinkedIn.
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products Newsletter
NathanBaughman3
 
BeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024   .pdfBeMetals Presentation_May_22_2024   .pdf
BeMetals Presentation_May_22_2024 .pdf
DerekIwanaka1
 
Digital Transformation in PLM - WHAT and HOW - for distribution.pdf
Digital Transformation in PLM - WHAT and HOW - for distribution.pdfDigital Transformation in PLM - WHAT and HOW - for distribution.pdf
Digital Transformation in PLM - WHAT and HOW - for distribution.pdf
Jos Voskuil
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
ofm712785
 
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
PaulBryant58
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
Ben Wann
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
dylandmeas
 
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
BBPMedia1
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
awaisafdar
 
Buy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star ReviewsBuy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star Reviews
usawebmarket
 
chapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxationchapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxation
AUDIJEAngelo
 
What are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdfWhat are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdf
HumanResourceDimensi1
 

Recently uploaded (20)

Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
 
Attending a job Interview for B1 and B2 Englsih learners
Attending a job Interview for B1 and B2 Englsih learnersAttending a job Interview for B1 and B2 Englsih learners
Attending a job Interview for B1 and B2 Englsih learners
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
anas about venice for grade 6f about venice
anas about venice for grade 6f about veniceanas about venice for grade 6f about venice
anas about venice for grade 6f about venice
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
 
Unveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdfUnveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdf
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
 
April 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products Newsletter
 
BeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024   .pdfBeMetals Presentation_May_22_2024   .pdf
BeMetals Presentation_May_22_2024 .pdf
 
Digital Transformation in PLM - WHAT and HOW - for distribution.pdf
Digital Transformation in PLM - WHAT and HOW - for distribution.pdfDigital Transformation in PLM - WHAT and HOW - for distribution.pdf
Digital Transformation in PLM - WHAT and HOW - for distribution.pdf
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
 
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
 
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
 
Buy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star ReviewsBuy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star Reviews
 
chapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxationchapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxation
 
What are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdfWhat are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdf
 

CEOs leading Recovery from Cyber Attack

  • 1. recovery How should CEOs lead response to a catastrophic Cyber Attack? www.CyberRescue.co.uk Kevin Duffey Managing Director 29th June 2016
  • 2. summary www.CyberRescue.co.uk This presentation was given to an invited audience of senior representatives from the Cabinet Office (UK Government), Capita, E.ON, Institute of Directors, Microsoft, Saga plc, Zurich Insurance, etc, at an event organised by Cyber Rescue on 29/6/16. The event was “National & Commercial Strategies for Cyber Resilience.” It included a pre-publication preview of the UK’s National Cyber Security Strategy to 2020. Three items were discussed during this presentation: • Specific CEO responses to cyber attack, and the particular ways that lack of commercial preparation for breach hurt reputations & revenues (Slides 3-9). • Visualisation of threats, and what mature response looks like. By analogy with an earthquake, anticipating the consequences of a breach is key (Slides 10-14). • Specific commercial challenges that follow a catastrophic cyber attack, in particular the paralysing ambiguity of the situation (Slides 15-21). For similar material, follow Cyber Rescue on LinkedIn here.
  • 3.
  • 4. Amy Pascal former CEO of Sony Pictures, February 2015 [Click on name for full interview] There was this horrible moment where I realized there was absolutely nothing at all that I could do.
  • 5. Robert Pera CEO of Ubiquiti, on “whaling” loss of $46.7m that his staff didn't tell him about, January 2016 I’ve been through stages of denial, disbelief, frustration.
  • 6. I am incredibly angry about this data breach. John Legere CEO, T-Mobile USA, on breach of T-Mobile customer data stored by Experian, October 2015
  • 7. The only crime that has been proven is the hack. That is the story. Ramon Fonseca founding partner of Mossack Fonseca ("Panama Papers"), April 2016
  • 8. The awful truth is that I don’t know. Dame Dido Harding CEO of Talk Talk, when asked if affected customer data was encrypted, October 2015
  • 9. Companies should be thinking about decisions the CEO will need to make. Michael Vatis Director, FBI's National Infrastructure Protection Center, January 2016
  • 10. CEOs struggle to visualize data risks The £600 USB 3.1 storage device (“memory stick”) from HyperX stores 1,000 Gigabytes.
  • 11. FBI data storage in 1942 = 10 million sets of fingerprints, plus 23 million paper cards = 680 Gigabytes. All this data fits on a memory stick.
  • 12. CEOs struggle to visualize cyber response
  • 13. “Hands on your head” isn’t enough for adults Material for Earthquake Response. Slogan “Shake Out. Don’t Freak Out.”
  • 14. Aesop’s Menagerie of Cyber Breach Responses http://www.cyberrescue.co.uk/library/blog#instincts Without a commercial response plan to anticipate decisions that will be needed, executives respond with well-intentioned but counter-productive instincts.
  • 15. You are “blindsided”. You weren’t told of other Security Incidents: CEO (55%), HR (68%), Legal (72%). You are told of the Breach by an outsider: Law Enforcement (41%), 3rd Parties (35%), Fraud Detection (14%) or Internal (10%). You are already weeks behind the attackers: average time to discovery of breach is 69 days (114 days in health, and 46 in all other sectors). Cyber Attacks are different from other business continuity challenges in the “paralysing ambiguity” of the situation.
  • 16. Authorities are “difficult”. Who to call? 31 organisations fight cyber threats to Financial Services in the UK. 68% of IoD Members are unaware of Action Fraud. What resources do they have? UK NCSP gives £30m pa to combat cyber crime, including £12m to NCEC. The ICO has 30 officers handling over 200,000 concerns & 1,000 cases per year. What do Authorities do? “4% of cyber crime dealt with appropriately by police.”
  • 17. There are a lot of opinions. Who is in charge? The UK Parliament expressed its view on 20th June 2016. What has been breached? Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days. How soon to notify customers? 91% of consumers expect "24 hours or less." But 32% of consumers say their loyalty would diminish if they knew of a data breach.
  • 18. (International) Laws are complicated Click to view DLA Piper’s 425 page summary of Privacy and Breach Notification laws and other “response” documents
  • 19. Decisions imply a Budget Insurance Pays? 52% of UK CEOs believe they have cover, but <10% actually do. Some 81% of companies with cyber cover in USA have never claimed on it. Claims covered: In USA, 78% went on Crisis Services, 8% on Defence, 9% on Settlement, & 4% for Fines. Big Gesture? 53% of Breach Notifications offer Credit Monitoring, which is taken up by 10% of affected consumers.
  • 20. How to triage complaints? Irate consumers want to receive the global standard in call centre response: 80% of calls answered in 20 seconds. But volumes can be 100 times normal, with call duration twice the standard 4 minutes. And in addition: Social Media, Regulators, Suppliers, Press, Staff, Police, Shareholders. You are overwhelmed.
  • 21. You are criticized for trying your best “You notified … too slowly … too fast … without cause … putting us at risk of scammers” “Experts say you should have … encrypted … vetted suppliers … trained staff … … .” UK Parliament 20/6/16: Bigger fines for poor response; cyber impact on CEO bonus
  • 22. the future? Massive growth in digital opportunities and cyber threats. Expectations on CEOs will rise: to have a detailed plan to reduce harm from cyber attack.
  • 23. membership www.CyberRescue.co.uk We help executives reduce harm caused by cyber attacks Practice your Response with Executive Simulations Bespoke Commercial Response Plan Commercial Coach for Cyber Attack Response To find out more, click here or Assistance@CyberRescue.co.uk
  • 24. thank you National & Organisational Strategies for Cyber Resilience www.CyberRescue.co.uk Kevin Duffey Managing Director 29th June 2016 For similar material, follow Cyber Rescue on LinkedIn here.

Editor's Notes

  1. The Cyber Rescue Alliance exists to help Executives reduce harm from cyber attack: to help organisations be resilient, and to help with commercial Recovery. We help executives avoid turning a breach into a disaster. We help CEOs make decisions in what is often the most stressful time in their career. We recognise that a cyber attack is a crime. We know that executives deserve our sympathy and support. And we know that executives find attacks very stressful because they are often so unprepared. So I will share some observations about how executives respond to major breaches. I will start by looking at the public face of a breach, to show what lack of preparation looks like to shareholders, suppliers and customers. I will finish by asking your thoughts on the mistakes executives should most avoid when told of a major breach. Most executives – especially of bigger firms – think that they have a plan. But then… If there’s time, I’ll explain the services that our Member Organisations seem to find most useful. But we’ve brought you together because we… We have a particular emphasis on Recovery: Commercial Coaches to advise on remediation during a major attack; Commercial Response Plans for… Our twenty advisors and researchers bring together the specialisms needed for effective recovery. We have over 20 advisors, researchers and staff who are experts in different aspects of that recovery. I’m going to help you think… But many Executives – if they think about Recovery at all – think that Recovery is a technical issue that belongs to someone else. Do executives have a Plan for a major cyber attack?
  2. “Everyone thinks they have a plan, until they get punched in the face.” Mike Tyson said that. So did Vicki Gavin – the award-winning CISO of The Economist Group – and many others who work in cyber resilience. The quote applies at two levels. First, CEOs genuinely think they have a plan: for example, the UK Government found that more than half of UK CEOs think they have cyber insurance; Insurance Brokers say the actual figure is closer to 2%. Second, where a plan does exist, it is inadequate. Typically it covers only technical response, technical forensics and technical remediation. Such response is necessary but not sufficient for Full Recovery, which includes the Reputation, the Revenues and indeed the Roles that executives are responsible for. Technical incident response plans don’t support Executives through the shock that is often disorientating, and the uncertainty that often leads to decision paralysis or Reckless Hyper Activity. After a Breach it’s fine to feel Anger, Depression, Self-Pity or Betrayal, but then Executives need a plan of action. Famously, they don’t always. Amy Pascal didn’t have a plan.
  3. “There was this horrible moment, where I realized there was absolutely nothing at all that I could do.” There was actually – of course – a huge amount to do, which she’d have learnt by role playing a cyber attack: engaging with law enforcement, the media, staff and talent, customers and suppliers, investors and regulators, finance, operations, HR, customer service, IT and many more. But there’s so much to do, it’s hard to get past emotions. Robert Pera did a service by sharing his feelings.
  4. “Denial, Disbelief, Frustration.” Those are the emotions he described to shareholders, after the FBI told him they’d seen his company’s money going into a bank account they were watching. Pera blamed “a couple individuals who displayed incredibly poor judgment and incompetence”. But those “couple of individuals” made 14 wire transfers, over 17 days, totalling over $46m, without checking in person with the “colleague” who supposedly was emailing instructions to send the cash to new bank accounts in China, Russia, Poland and other countries. As CEO, Pera could have created: a culture in which staff talk to executives when asked to do strange things; a control system that checks new payments to new bank accounts; a training platform that educates staff about the risks of phishing, whaling and other attacks. It’s obvious Pera was feeling enormous anger. That anger is even more intense when a breach can be blamed on a supplier.
  5. John Legere was “incredibly angry” when data on his 15 million customers was breached by one of his suppliers, the data processor Experian. Experian’s costs for that breach – so far – are $20 million plus the loss of one of their largest customers, T-Mobile. But executives can do more than trust that their data will be safe: they can make efforts to verify. In the future, it won’t be enough for Executives to say they are angry. They must insist on a procurement approach that does more than ask providers to promise to keep data safe. For just $20,000, it is possible to automatically identify which of your providers has failed to patch their systems, has failed to keep passwords safe, has failed to XXX. At Cyber Rescue, we offer that $20,000 service. We also help CEOs role play and plan for the consequences of a breach. A cyber attack is a crime. The attacked CEO might expect sympathy. An obvious example of a CEO who expected sympathy is Ramon Fonseca. He said…
  6. “The only crime that has been proven is the hack. That is the story.” But of course the story that the media focussed on, as they read the Panama Papers that had been breached from his law firm, was the illegal tax evasion and money laundering the law firm appeared to have facilitated. If the executives at Mossack Fonseca had role played the consequences of a data breach, it would have been obvious they’d get little public sympathy. At Cyber Rescue, we have Members who have realised through our role play exercises that, while what they do is really good work, the media might choose not to be sympathetic to a breach. So having role-played a breach, our Members do much more to encrypt, segment, tokenise, limit access to and otherwise protect their clients’ data. By role-playing and planning the consequences of a breach, Executives at least understand what protections they have in place. They don’t need to find themselves on national TV and having to say
  7. “The awful truth is that I don’t know.” It is not a great answer to the question “Do you know if your customers’ sensitive information was encrypted?” Dido Harding was faced with several questions that could have been anticipated. For example, “did TalkTalk implement Cyber Essentials before this breach?” Role playing such a question in advance makes it obvious that an investment of less than £1k to get the certificate the Government recommends is worth making, even if you’re already doing everything needed technically. Cyber attacks are not just a technical issue; they are an expected challenge of doing digital business. So, companies need to be expecting a breach. And as the FBI says…
  8. “Companies should be thinking about the decisions the CEO will need to make” during and immediately after a major cyber attack is discovered. And that’s where we in this room have a responsibility: we have to help CEOs to anticipate and really visualise the consequences of cyber attack. People say that “out of sight is out of mind”, so what does data look like? These days, if it has any physical appearance, perhaps it looks like this.
  9. This memory stick holds 1,000 Gigabytes. Who here can visualise what that looks like? We find it helpful to show CEOs this picture, of just 600 Gigabytes.
  10. It’s the data storage system the FBI used in 1942, to hold a lot less data than fits on a modern memory stick. Choosing pictures that tell stories is really important. For example, some people compare a data breach to an earthquake. There is some value in that approach, because…
  11. …CEOs struggle to visualise effective cyber response. Putting your hands on your head is a start, but we actually want more from our leaders. As Group General Manager at International SOS, I was responsible for evacuating thousands of people during events like the Arab Spring, the eruptions of the Eyjafjallajökull volcano in Iceland and the Japanese earthquake that destroyed the Fukushima nuclear plant. My career has been based on helping leaders anticipate the future, including the consequences of disasters. And it’s the consequences that often do more damage than the event.
  12. For example, a mature response to an earthquake anticipates all the decisions and resources needed when an earthquake can be followed by: landslide, tsunami, fire, radiation leak, water shortage, food shortage, shelter shortage, transport problems, and so on.
  13. Responding by Instinct is not enough. Indeed, well-intentioned responses are often counter productive.
  14. Passions can run high, because although we all know a breach is “inevitable,” most CEOs aren’t mentally prepared. And the “paralysing ambiguity” of an attack you can’t physically see is very disorientating.
  15. CEOs then think about calling for help And there are some excellent individuals at the many organisations that help fight cyber attacks. But it can be difficult to navigate the various authorities during a crisis.
  16. Similarly, it can be difficult to navigate internally.
  17. And the legal picture is certainly not simple, especially for businesses that operate in more than one State.
  18. Yet decisions have to be made, including to put dollars against specific actions.
  19. How much, for example, should be invested in the Surge capability needed to communicate with all Stakeholders?
  20. Recognise that no matter how much you do you’ll still be criticised. Some individuals and organisations will bring their own agenda and might be motivated to make you look bad.
  21. The future will bring many digital opportunities, but the bar of expectations will also be raised not just for good cyber security, but also for good commercial response.
  22. Please contact us if you’d like to protect your Reputation, Revenues and Company Value.
  23. Thank you.
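Editor's note 4 says the Ubiquiti CEO could have had "a control system that checks new payments to new bank accounts". The following is an added example of such a control, not material from the Cyber Rescue deck: any wire to a beneficiary account the company has never paid, when instructed by email rather than confirmed by a callback or in person, is held, and held amounts are aggregated per requester so that a run of such payments escalates to an executive rather than quietly continuing for 17 days. Account identifiers, amounts, staff names and policy thresholds are all constructed.

```python
"""Treasury control for email-instructed wires to new beneficiaries.

Added example (not the Cyber Rescue deck's own material). Every account,
amount, name and threshold below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Transfer:
    ref: str
    day: int            # day within the period on which the wire was keyed
    requested_by: str   # staff member who keyed the payment
    channel: str        # how the instruction was confirmed: "email", "callback", "in_person"
    beneficiary: str    # beneficiary account identifier (constructed)
    country: str
    amount_usd: int

@dataclass
class Decision:
    ref: str
    action: str         # "release", "hold" or "escalate"
    amount_usd: int
    reasons: list = field(default_factory=list)

# Hypothetical policy thresholds: hold any single unverified payment at or
# above SINGLE_HOLD_LIMIT; escalate once a requester's held total reaches
# CUMULATIVE_ESCALATION.
SINGLE_HOLD_LIMIT = 250_000
CUMULATIVE_ESCALATION = 1_000_000
VERIFIED_CHANNELS = {"callback", "in_person"}

def review_transfers(transfers, known_accounts,
                     single_limit=SINGLE_HOLD_LIMIT,
                     cumulative_limit=CUMULATIVE_ESCALATION):
    """Decide release/hold/escalate for each transfer, in date order."""
    known = set(known_accounts)
    held_by_requester = defaultdict(int)
    decisions = []
    for t in sorted(transfers, key=lambda x: (x.day, x.ref)):
        reasons = []
        verified = t.channel in VERIFIED_CHANNELS
        if t.beneficiary not in known and not verified:
            reasons.append(f"first payment to {t.beneficiary} ({t.country}) "
                           f"instructed by {t.channel} only")
        if t.amount_usd >= single_limit and not verified:
            reasons.append(f"{t.amount_usd:,} USD at or above single-payment "
                           f"limit without callback")
        if not reasons:
            # A verified or routine payment releases, and a verified first
            # payment adds the account to the known list.
            known.add(t.beneficiary)
            decisions.append(Decision(t.ref, "release", t.amount_usd))
            continue
        held_by_requester[t.requested_by] += t.amount_usd
        action = "hold"
        if held_by_requester[t.requested_by] >= cumulative_limit:
            action = "escalate"
            reasons.append(f"held total for {t.requested_by} now "
                           f"{held_by_requester[t.requested_by]:,} USD")
        decisions.append(Decision(t.ref, action, t.amount_usd, reasons))
    return decisions

def summarize(decisions):
    """Counts per action plus the total amount kept back from release."""
    counts = defaultdict(int)
    for d in decisions:
        counts[d.action] += 1
    held = sum(d.amount_usd for d in decisions if d.action != "release")
    return {"counts": dict(counts), "held_usd": held}

# Constructed sample: a routine supplier plus a run of email-instructed wires
# to never-before-seen accounts in several countries, as in the note above.
KNOWN_ACCOUNTS = {"ACC-SUPPLIER-B"}
SAMPLE_TRANSFERS = [
    Transfer("W-01", 1, "ap.clerk", "in_person", "ACC-SUPPLIER-A", "US", 40_000),
    Transfer("W-02", 2, "ap.clerk", "email", "ACC-SUPPLIER-A", "US", 55_000),
    Transfer("W-03", 3, "ap.clerk", "email", "ACC-NEW-1", "CN", 600_000),
    Transfer("W-04", 5, "ap.clerk", "email", "ACC-NEW-2", "RU", 450_000),
    Transfer("W-05", 9, "ap.clerk", "email", "ACC-NEW-3", "PL", 300_000),
    Transfer("W-06", 10, "ap.clerk", "callback", "ACC-NEW-4", "GB", 700_000),
]

if __name__ == "__main__":
    results = review_transfers(SAMPLE_TRANSFERS, KNOWN_ACCOUNTS)
    for d in results:
        print(d.ref, d.action, d.amount_usd, "; ".join(d.reasons))
    print(summarize(results))
```

With these constructed inputs the first email-instructed wire to a new account is held on day 3, and the second such wire on day 5 already escalates to an executive.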