Cyber crime is rampant and every organization must prepare itself for the when, not if, they will have a data breach. This presentation was given at Pworld's Crisis Communications Boot Camp in Ottawa, CA June 13, 2019

1. PROPRIETARY & CONFIDENTIAL March 4, 2010Affect Strategies

2. PROPRIETARY & CONFIDENTIAL March 4, 2010Affect Strategies
CYBER CRIME:
Preparing Your Organization for the New Normal
Sandra Fathi
President, Affect
Email: sfathi@affect.com
tweet: @sandrafathi
web: affect.com
blog: techaffect.com
Pworld Crisis Communications
Ottawa, CA
June 13, 2019

3. PROPRIETARY & CONFIDENTIAL 3@sandrafathi
SECURITY EXPERIENCE

4. PROPRIETARY & CONFIDENTIAL 4@sandrafathi
CRISIS EXPERIENCE
• Data Breaches, Identity Theft, Website Hacks, Malware (Multiple Companies)
• Product Recall for Potential Lead Poisoning (Baby Product)
• Hurricane Sandy, Hurricane Irene (ConEd)
• Worker Strike, Manhole Cover Explosion, Building Explosion (ConEd)
• Hit & Run (By Company Employee)
• Sexual Harassment and Executive Misconduct (By CEO)
• Executive Arrest for DUI
• Terrorist Activity Interrupts Operations (Tech Company)
• Foreign Mafia Threats on Executives (Tech Company)
• Employee Kidnapping/Release by Militia (Tech Company)

5. PROPRIETARY & CONFIDENTIAL 5@sandrafathi
ANATOMY OF A BREACH
How does it start?
• IT discovers a breach
• Customers alert company regarding an issue
• Anonymous post on a social network
• Employee finds data for sale on the dark web
• A journalist calls
• A hacker makes contact

6. PROPRIETARY & CONFIDENTIAL 6@sandrafathi
BASIC INSTINCTS
1. Triage – Stop the bleeding
2. Diagnose – Identify the nature of the breach
3. Investigate – Find the root cause
4. Repair – Implement technical fix
5. Communicate – Inform executive team
• Inform legal counsel
• Inform marcom
• Inform authorities
• Inform customers
• Inform media
Takes too long
Doesn’t always happen

7. PROPRIETARY & CONFIDENTIAL 7@sandrafathi
SELF-PRESERVATION
Justifications
• We don’t know if data was accessed
• No critical data was accessed
• It’s fixed. We’re out of danger
• Very few customers were impacted
• We don’t want to bring more attention to it
• We don’t know all the facts, so we’ll wait until we do
• We don’t want to appear incompetent
• We don’t want to lose our jobs, customers, revenue etc.

8. PROPRIETARY & CONFIDENTIAL 8@sandrafathi
ANY INDUSTRY – ANY TIME

9. PROPRIETARY & CONFIDENTIAL 9@sandrafathi
HEADLINE NEWS

10. PROPRIETARY & CONFIDENTIAL 10@sandrafathi
OLD & NEW THREATS

11. PROPRIETARY & CONFIDENTIAL 11@sandrafathi
ALL 50 STATES

12. PROPRIETARY & CONFIDENTIAL 12@sandrafathi
ALL 50 STATES

13. PROPRIETARY & CONFIDENTIAL 13@sandrafathi
WHO’S IN THE ROOM
Crisis Drills/Tabletops
• Tech Leadership
• Executive Leadership
• Legal Counsel
• Operations
• Communications***
Photo Credit: CyberBit

14. PROPRIETARY & CONFIDENTIAL 14@sandrafathi
FOUR PHASES OF CRISIS
COMMUNICATION

15. PROPRIETARY & CONFIDENTIAL 15@sandrafathi
I. READINESS
Anticipating a Crisis
1. Crisis Mapping (SWOT Analysis)
2. Policies & Procedures (Prevention)
3. Crisis Monitoring
4. Crisis Communications Plan
• Crisis Action Plan
• Crisis Standard Communications Templates
• Crisis Drills
Photo Credit: CyberTraining 365 Blog

16. PROPRIETARY & CONFIDENTIAL 16@sandrafathi
THREAT MAPPING
HR Sales Marketing Finance IT
People
Products
Facilities
Environment
Information
Other
Rank Order
High Risk
to
Low Risk

17. PROPRIETARY & CONFIDENTIAL
CHANNEL MAPPING

18. PROPRIETARY & CONFIDENTIAL
II. RESPONSE
1. Develop materials:
• Messages/FAQ
• Prepared statements
• Press release template
• Customer letters
2. Train employees
• Awareness
• Anticipation
• Organizational Preparation
3. Prepare channels:
• Hotline
• Dark site
• Social Media
4. Data Breach/Customer Assistance
Resources
• Microsite/Landing Page FAQ
• Identity Theft Remediation Services
• Force Password/Account
Information Change
• Special Customer Advocate/Team

19. PROPRIETARY & CONFIDENTIAL
PREPARING A RESPONSE
1. Don’t delay
2. Acknowledge situation
3. Acknowledge impact and victims or potential victims
4. Commit to investigate
5. Commit to sharing information and cooperation with relevant
parties
6. Share corrective action plan if available
7. Respond in the format in which the crisis was received**
@sandrafathi

20. PROPRIETARY & CONFIDENTIAL
PUBLIC BREACH NOTIFICATIONS
@sandrafathi
1. What happened?
2. What do we know?
3. Who/what was impacted?
4. How do we feel about it?
5. What are we going to do about it?
6. When are we going to do it?
7. Who is involved in this process?
8. When/how will we communicate next?

21. PROPRIETARY & CONFIDENTIAL
CUSTOMER
COMMUNICATION
1. Introduction: Why are we contacting you?
2. What happened?
3. What information was compromised?
4. What are we doing to remedy the situation?
5. What can you do to prevent/mitigate further risk?
6. Where can you find more information?
@sandrafathi

22. PROPRIETARY & CONFIDENTIAL
III. REASSURANCE
Who to Reassure? - All Stakeholders: Customers, Prospects, Public,
Shareholders, Employees, Partners, Media etc.
1. Develop full response plan
• Policies & procedures
• Technology
• People
2. Put plan into action: Immediate remedy
3. Communicate results of plan and impact
4. Reaffirm commitment to correction
5. Demonstrate results of program
@sandrafathi

23. PROPRIETARY & CONFIDENTIAL
IV. RECOVERY
Rebuilding reputation, trust and customer loyalty
Implementing preventative measures for long-term crisis mitigation
and/or prevention
1. Review need for operational, regulatory, environmental and
employee changes
2. Develop long-term plan including policies and prevention tactics
3. Reassess crisis plan
4. Regain customer/public trust
@sandrafathi

24. PROPRIETARY & CONFIDENTIAL 24@sandrafathi
CASE STUDY: EQUIFAX • March – Apache vulnerability discovered,
patch issued next day
• May-July – Hackers infiltrate Equifax servers
with more than 9,000 requests. ~145M
records are accessed, nearly 44% of US
Population
• July 29 – Equifax discovers breach
• Sept 7 - Equifax issues public statement
• Sept 8 – Equifax shares plunge 13.7%
• Sept 12 – CEO apologizes in USA Today Op-Ed
• Sept 15 - Equifax announces CIO & CSO are
retiring
• Sept 21 – Equifax admits sending victims to
bogus website ‘securityequifax2017.com’
• Sept 26 – CEO retires
• Oct 3 – Former CEO testifies for the first time
(of four) in Congress

25. PROPRIETARY & CONFIDENTIAL 25@sandrafathi
MEDIA REACTIONS

26. PROPRIETARY & CONFIDENTIAL 26@sandrafathi
CONSEQUENCES TO DATE
• CEO, CIO, CSO ‘Retire’
• 2 employees indicted for insider trading (CIO & Developer)
• CEO testifies at 4 Congressional hearings
• 8 State bank regulators impose orders for increasing security, auditing and
reporting
• CA passes law imposes sanctions/fines for each data breach (up to $750 per
record, effective Jan 2020)
• AL & ND penalties for delayed notifications (60 days/$10K and 45 day/$5K)
• Federal bill for FREE credit ‘freeze’ and ‘thaw’ from all three large bureaus
(previously $5-$10 each)
• 30+ Consumer class action suits

27. PROPRIETARY & CONFIDENTIAL 27@sandrafathi
BEST PRACTICES I
1. Implement Policies to Address Potential Vulnerabilities
2. Establish a Regular Review Cycle for Crisis Preparation
3. Establish Inter-Departmental Cooperation
4. Establish a Framework for Response
5. Build a Crisis Communications Toolkit

28. PROPRIETARY & CONFIDENTIAL 28@sandrafathi
BEST PRACTICES II
6. Know Where & How to Respond
7. Prepare Your Employees in Advance
8. Establish Assistance Services for those Impacted
9. Know the Relevant Legal & Regulatory Requirements
10. Be Honest, Be Transparent

29. PROPRIETARY & CONFIDENTIAL March 4, 2010Affect Strategies
Sandra Fathi
President, Affect
Email: sfathi@affect.com
tweet: @sandrafathi
web: affect.com
blog: techaffect.com
Slides Available: Slideshare.net/sfathi