Cyber crime is rampant, and every organization must prepare itself for when, not if, it will have a data breach. This presentation was given at Pworld's Crisis Communications Boot Camp in Ottawa, CA, on June 13, 2019.
2. PROPRIETARY & CONFIDENTIAL March 4, 2010Affect Strategies
CYBER CRIME:
Preparing Your Organization for the New Normal
Sandra Fathi
President, Affect
Email: sfathi@affect.com
tweet: @sandrafathi
web: affect.com
blog: techaffect.com
Pworld Crisis Communications
Ottawa, CA
June 13, 2019
CRISIS EXPERIENCE
• Data Breaches, Identity Theft, Website Hacks, Malware (Multiple Companies)
• Product Recall for Potential Lead Poisoning (Baby Product)
• Hurricane Sandy, Hurricane Irene (ConEd)
• Worker Strike, Manhole Cover Explosion, Building Explosion (ConEd)
• Hit & Run (By Company Employee)
• Sexual Harassment and Executive Misconduct (By CEO)
• Executive Arrest for DUI
• Terrorist Activity Interrupts Operations (Tech Company)
• Foreign Mafia Threats on Executives (Tech Company)
• Employee Kidnapping/Release by Militia (Tech Company)
ANATOMY OF A BREACH
How does it start?
• IT discovers a breach
• Customers alert company regarding an issue
• Anonymous post on a social network
• Employee finds data for sale on the dark web
• A journalist calls
• A hacker makes contact
BASIC INSTINCTS
1. Triage – Stop the bleeding
2. Diagnose – Identify the nature of the breach
3. Investigate – Find the root cause
4. Repair – Implement technical fix
5. Communicate – Inform executive team
• Inform legal counsel
• Inform marcom
• Inform authorities
• Inform customers
• Inform media
Takes too long
Doesn't always happen
SELF-PRESERVATION
Justifications
• We don't know if data was accessed
• No critical data was accessed
• It's fixed. We're out of danger
• Very few customers were impacted
• We don't want to bring more attention to it
• We don't know all the facts, so we'll wait until we do
• We don't want to appear incompetent
• We don't want to lose our jobs, customers, revenue etc.
I. READINESS
Anticipating a Crisis
1. Crisis Mapping (SWOT Analysis)
2. Policies & Procedures (Prevention)
3. Crisis Monitoring
4. Crisis Communications Plan
• Crisis Action Plan
• Crisis Standard Communications Templates
• Crisis Drills
Photo Credit: CyberTraining 365 Blog
THREAT MAPPING
Columns: HR | Sales | Marketing | Finance | IT
Rows: People | Products | Facilities | Environment | Information | Other
Rank Order: High Risk to Low Risk
II. RESPONSE
1. Develop materials:
• Messages/FAQ
• Prepared statements
• Press release template
• Customer letters
2. Train employees
• Awareness
• Anticipation
• Organizational Preparation
3. Prepare channels:
• Hotline
• Dark site
• Social Media
4. Data Breach/Customer Assistance Resources
• Microsite/Landing Page FAQ
• Identity Theft Remediation Services
• Force Password/Account Information Change
• Special Customer Advocate/Team
PREPARING A RESPONSE
1. Don't delay
2. Acknowledge situation
3. Acknowledge impact and victims or potential victims
4. Commit to investigate
5. Commit to sharing information and cooperation with relevant parties
6. Share corrective action plan if available
7. Respond in the format in which the crisis was received**
PUBLIC BREACH NOTIFICATIONS
1. What happened?
2. What do we know?
3. Who/what was impacted?
4. How do we feel about it?
5. What are we going to do about it?
6. When are we going to do it?
7. Who is involved in this process?
8. When/how will we communicate next?
CUSTOMER COMMUNICATION
1. Introduction: Why are we contacting you?
2. What happened?
3. What information was compromised?
4. What are we doing to remedy the situation?
5. What can you do to prevent/mitigate further risk?
6. Where can you find more information?
III. REASSURANCE
Who to Reassure? - All Stakeholders: Customers, Prospects, Public, Shareholders, Employees, Partners, Media etc.
1. Develop full response plan
• Policies & procedures
• Technology
• People
2. Put plan into action: Immediate remedy
3. Communicate results of plan and impact
4. Reaffirm commitment to correction
5. Demonstrate results of program
IV. RECOVERY
Rebuilding reputation, trust and customer loyalty
Implementing preventative measures for long-term crisis mitigation and/or prevention
1. Review need for operational, regulatory, environmental and employee changes
2. Develop long-term plan including policies and prevention tactics
3. Reassess crisis plan
4. Regain customer/public trust
CASE STUDY: EQUIFAX
• March – Apache vulnerability discovered, patch issued next day
• May-July – Hackers infiltrate Equifax servers with more than 9,000 requests. ~145M records are accessed, nearly 44% of US Population
• July 29 – Equifax discovers breach
• Sept 7 – Equifax issues public statement
• Sept 8 – Equifax shares plunge 13.7%
• Sept 12 – CEO apologizes in USA Today Op-Ed
• Sept 15 – Equifax announces CIO & CSO are retiring
• Sept 21 – Equifax admits sending victims to bogus website “securityequifax2017.com”
• Sept 26 – CEO retires
• Oct 3 – Former CEO testifies for the first time (of four) in Congress
CONSEQUENCES TO DATE
• CEO, CIO, CSO “Retire”
• 2 employees indicted for insider trading (CIO & Developer)
• CEO testifies at 4 Congressional hearings
• 8 State bank regulators impose orders for increasing security, auditing and reporting
• CA passes law imposing sanctions/fines for each data breach (up to $750 per record, effective Jan 2020)
• AL & ND penalties for delayed notifications (60 days/$10K and 45 days/$5K)
• Federal bill for FREE credit “freeze” and “thaw” from all three large bureaus (previously $5-$10 each)
• 30+ Consumer class action suits
BEST PRACTICES I
1. Implement Policies to Address Potential Vulnerabilities
2. Establish a Regular Review Cycle for Crisis Preparation
3. Establish Inter-Departmental Cooperation
4. Establish a Framework for Response
5. Build a Crisis Communications Toolkit
BEST PRACTICES II
6. Know Where & How to Respond
7. Prepare Your Employees in Advance
8. Establish Assistance Services for those Impacted
9. Know the Relevant Legal & Regulatory Requirements
10. Be Honest, Be Transparent