The document outlines a cyber attack executive simulation held on May 22, 2018, aimed at preparing CEOs and executives for responding to cyber breaches. It includes insights from industry leaders about their experiences with cyber incidents, emphasizing the importance of having a cyber crisis plan and effective communication strategies in place. Key recommendations include immediate action steps after a breach, stakeholder notification processes, and the establishment of a robust response framework.

1. Cyber Attack
Executive Simulation
22nd May 2018
Kevin.Duffey@CyberRescue.co.uk

2. HOW READY ARE YOUR EXECS?
www.Slido.com - enter #cyberres

3. www.Slido.com - enter #cyberres

4. www.Slido.com - enter #cyberres

5. www.Slido.com - enter #cyberres

6. www.Slido.com - enter #cyberres

7. www.Slido.com - enter #cyberres

8. www.Slido.com - enter #cyberres

9. www.Slido.com - enter #cyberres

10. Cyber Rescue helps CEOs
reduce harm from cyber attacks
www.Slido.com - enter #cyberres

11. Proud supporter of LDSC
www.Slido.com - enter #cyberres

12. www.Slido.com - enter #cyberres

13. www.Slido.com - enter #cyberres

14. www.Slido.com - enter #cyberres

15. Crisis Simulation
Proud to
work with…
www.Slido.com - enter #cyberres

16. www.Slido.com - enter #cyberres

17. What we do at Cyber Rescue

18. How ready are your Execs?
www.Slido.com - enter #cyberres

19. BEFORE THE BREACH…
John J. Kelley III
Mr. Kelley achieved a rating of
“Distinguished” on his individual
objectives, such as:
• Continuing to refine and build
out the Company’s global
security organization.
Mr Kelley $2.8m compensation
was an 8% increase on the
previous year.

20. Soren Skou, CEO of Maersk, August 2017
I had no
intuitive idea
on how to
move forward.

21. I felt there was
absolutely
nothing at all that
I could do.

22. Atiur Rahman
Bangladesh Bank
Governor, after cyber
thieves compromised their
systems - 15th March 2016
Source
It was like an
Earthquake.

23. “It was petrifying... .
You kind of have to
embrace the panic
and the fear.”
Dan Taylor, head of
security at NHS Digital*

24. Robert Pera CEO of Ubiquiti, on “whaling”loss of $46.7m that his staff didn't tell him about, January 2016
I’ve been through
stages of
denial, disbelief,
frustration.

25. I am
incredibly
angry about
this data
breach.
John Legere CEO, T-Mobile USA, on breach of T-Mobile customer data stored by Experian, October 2015

26. The only crime
that has been
proven is the
hack.
That is the story.
Ramon Fonseca founding partner of Mossack Fonseca ("Panama Papers"), April 2016

27. The
awful truth
is that
I don’t
know.
Dame Dido Harding CEO of Talk Talk, when asked if affected customer data was encrypted, October 2015

28. You’re now on the Board of Acme
www.Slido.com - enter #cyberres

30. Who do you inform?
1. Nobody – this doesn’t look real
2. Police – perhaps they can help
3. CEO – the boss needs to know
4. DPO – tell Data Privacy Officer
5. IT Team – were we breached?
6. Procurement – 3rd party breach
7. Other – eg Security, Insurance…
www.Slido.com - enter #cyberres

31. A 2nd message “from Korea”
Proof
you don’t care
Info on
187 Customers
www.Slido.com - enter #cyberres

32. When to tell affected customers?
1. Immediately
2. In 24 hours
3. In 48 hours
4. In 72 hours
5. In 7 days
6. In 28 days
7. Don’t inform
www.Slido.com - enter #cyberres

33. Update from IT Department
The Koreans are probably
still in our systems.
If only you had invested
in SilverBullet Security.
We can stop the hackers
by disconnect for 3 days.
To follow Cyber Rescue: www.tinyurl.com/cyber999

34. What executive action to take?
1. Disconnect systems from internet
2. Forensics – what has happened?
3. Remediation – close the breach
4. Ask Insurer to confirm covered
5. Brief the Board and set Budget
6. Submit report to Regulators
7. Implement Cyber Crisis Plan
www.Slido.com - enter #cyberres

35. Where is your Cyber Crisis Plan?
To follow Cyber Rescue: www.tinyurl.com/cyber999
(Cyber Rescue specializes in helping businesses to write & test their executive response plan)

36. Your plan includes:
Check which suppliers had the breached data
To follow Cyber Rescue: www.tinyurl.com/cyber999

37. The results come back -
To follow Cyber Rescue: www.tinyurl.com/cyber999

38. Your team review your suppliers
To follow Cyber Rescue: www.tinyurl.com/cyber999

39. Your team review your suppliers
To follow Cyber Rescue: www.tinyurl.com/cyber999

40. To follow Cyber Rescue: www.tinyurl.com/cyber999
Your team review your suppliers

41. But rumours are circulating…
Acme don’t care about my safety!
Now Russians will steal my money
Because we care
On Friday, Acme launch a great
new service to show customers
how we care
www.Slido.com - enter #cyberres

42. Day 5 – Tuesday, 07:50

43. Day 5 – Tuesday, 07:50
“Door stepped” by Journalists
Do you care about customers?
What are you doing to help them?
What data did the Russians steal?
What did celebrity Kara say?
How do you train your staff and
help suppliers keep data safe?
Did you invest in SilverBullet?
Are you criminally negligent?

44. What communications needed?
1. Stop other comms, such as ad campaign
2. Create web site with Q&A about breach
3. Customer advice, eg how to prevent fraud
4. Provide script (eg for Twitter & Call Centre)
5. Pre-brief employees about situation
6. Identify advocates to speak for company
7. Customer Compensation to go with apology
www.Slido.com - enter #cyberres

45. How much time will you give?
1. Stop other comms
2. Create web site
3. Customer advice
4. Provide script
5. Pre-brief employees
6. Identify advocates
7. Customer Compensation
www.Slido.com - enter #cyberres

46. Day 4
Example call from a Client
I got your email.
I just want to query your instruction
to reset my password… .
Why do you need my maiden
name?
To follow Cyber Rescue: www.tinyurl.com/cyber999
But then phone calls start

47. From: BreachRecovery@Acme.com
To: You
Good day
We are sorry to confirm that media reports are correct, and
we have been breached. To protect you, please reset your
password here -
http://www.accountz.Acme.com/breach-recovery/
Please email if you have any questions.
Regards
William Jenkins
Breach Recovery
+44 208 734 4300

48. Customer
Filter
Is sending
server trusted?
Customer
Inbox
Criminal
Mail Server
IP Address
“@jebensmensching.de”
Someone spoofing your customers

49. Acme Group
What hackers can see today
Someone spoofing your customers

50. Criminal
Mail Server
IP Address
“@jebensmensching.de”
Customer
Filter
Is sending
server trusted?
Customer
Inbox
JM’s Sender Policy
Framework
Someone spoofing your customers

51. Day 6 – Wednesday, 12:00
“The breach is at your partner!”
• Your data was stolen from one of your partners
• The breach happened five months ago.
• Data was then posted on a forum, two weeks ago.
• A fifteen year old was trying to blackmail you.
• Your systems were never compromised.
• However, a criminal took advantage of the publicity to
put your customers at risk of fraud. Get DMARC.
Finally, some good(ish) news
To follow Cyber Rescue: www.tinyurl.com/cyber999

52. How likely you’ll be hacked??
You weren’t attacked by a Nation

53. Your call centre coped, somehow

54. Your communications stayed on

55. You weren’t sued (yet)

56. Your insurance wasn’t disputed

57. Say GDPR one
more time!

58. Cyber Attack
Executive Simulation
Contact us for:
• An executive simulation for your senior team
• A bespoke response plan to help you lead through a breach
• A fully-automated score of your cyber security, Vs your peers
Kevin.Duffey@CyberRescue.co.uk
To follow Cyber Rescue: www.tinyurl.com/cyber999