CEOs leading Recovery from Cyber Attack


Transcript of CEOs leading Recovery from Cyber Attack

Page 1: CEOs leading Recovery from Cyber Attack

recovery

How should CEOs lead response to a catastrophic Cyber Attack?

www.CyberRescue.co.uk

Kevin Duffey, Managing Director, 29th June 2016

Page 2: summary

This presentation was given to an invited audience of senior representatives from the Cabinet Office (UK Government), Capita, E.ON, the Institute of Directors, Microsoft, Saga plc, Zurich Insurance and others, at an event organised by Cyber Rescue on 29/6/16.

The event was “National & Commercial Strategies for Cyber Resilience.” It included a pre-publication preview of the UK’s National Cyber Security Strategy to 2020.

Three items were discussed during this presentation:

• Specific CEO responses to cyber attack, and the particular ways that lack of commercial preparation for a breach hurts reputations and revenues. Slides 3-9.

• Visualisation of threats, and what mature response looks like. By analogy with an earthquake, anticipating the consequences of a breach is key. Slides 10-14.

• Specific commercial challenges that follow a catastrophic cyber attack, in particular the paralysing ambiguity of the situation. Slides 15-21.

For similar material, follow Cyber Rescue on LinkedIn.

Page 3:

Page 4:

Amy Pascal, former CEO of Sony Pictures, February 2015:

There was this horrible moment where I realized there was absolutely nothing at all that I could do.

Page 5:

Robert Pera, CEO of Ubiquiti, on the “whaling” (impersonation-email fraud) loss of $46.7m that his staff didn't tell him about, January 2016:

I’ve been through stages of denial, disbelief, frustration.

Page 6:

I am incredibly angry about this data breach.

John Legere, CEO of T-Mobile USA, on the breach of T-Mobile customer data stored by Experian, October 2015

Page 7:

The only crime that has been proven is the hack. That is the story.

Ramon Fonseca, founding partner of Mossack Fonseca (“Panama Papers”), April 2016

Page 8:

The awful truth is that I don’t know.

Dame Dido Harding, CEO of TalkTalk, when asked whether the affected customer data was encrypted, October 2015

Page 9:

Companies should be thinking about decisions the CEO will need to make.

Michael Vatis, former Director of the FBI's National Infrastructure Protection Center, January 2016

Page 10: CEOs struggle to visualize data risks

The £600 HyperX USB 3.1 “memory stick” stores 1,000 Gigabytes (1 TB).

Page 11:

FBI data storage in 1942: 10 million sets of fingerprints plus 23 million paper cards, equivalent to roughly 680 Gigabytes.

All this data fits on a memory stick

Page 12: CEOs struggle to visualize cyber response

Page 13: “Hands on your head” isn’t enough for adults

Material for earthquake response, with the slogan “Shake Out. Don’t Freak Out.”

Page 14: Aesop’s Menagerie of Cyber Breach Responses

http://www.cyberrescue.co.uk/library/blog#instincts

Without a commercial response plan to anticipate decisions that will be needed, executives respond with well-intentioned but counter-productive instincts.

Page 15: You are “blindsided”

You weren’t told of other security incidents: CEO (55%), HR (68%), Legal (72%).

You are told of the breach by an outsider: Law Enforcement (41%), 3rd Parties (35%), Fraud Detection (14%) or Internal (10%).

You are already weeks behind the attackers. Average time to discovery of a breach: 69 days (114 days in health, 46 in all other sectors).

Cyber attacks are different from other business continuity challenges in the “paralysing ambiguity” of the situation.

Page 16: Authorities are “difficult”

Who to call? 31 organisations fight cyber threats to Financial Services in the UK. 68% of IoD members are unaware of Action Fraud.

What resources do they have? The UK NCSP (National Cyber Security Programme) gives £30m a year to combat cyber crime, including £12m to NCEC. The ICO has 30 officers handling over 200,000 concerns and 1,000 cases per year.

What do Authorities do? “4% of cyber crime dealt with appropriately by police.”

Page 17: There are a lot of opinions

Who is in charge? The UK Parliament (the Culture, Media and Sport Committee's report on cyber security) expressed its view on 20th June 2016.

What has been breached? Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days.

How soon to notify customers? 91% of consumers expect “24 hours or less.” But 32% of consumers say their loyalty would diminish if they knew of a data breach.

Page 18: (International) Laws are complicated

DLA Piper’s 425-page summary of Privacy and Breach Notification laws, and other “response” documents

Page 19: Decisions imply a Budget

Insurance pays? 52% of UK CEOs believe they have cover, but fewer than 10% actually do. Some 81% of companies with cyber cover in the USA have never claimed on it. Where claims were paid in the USA: 78% went on crisis services, 8% on defence, 9% on settlement, and 4% on fines.

Big gesture? 53% of breach notifications offer credit monitoring, which is taken up by 10% of affected consumers.

Page 20: How to triage complaints?

Irate consumers want to receive the global standard in call centre response: 80% of calls answered within 20 seconds.

But volumes can be 100 times normal, with call duration twice the standard 4 minutes.

And in addition: social media, regulators, suppliers, press, staff, police, shareholders.

You are overwhelmed
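To make the “overwhelmed” slide concrete, here is an added worked example (not part of the original presentation) that turns the slide's figures into a staffing calculation with the standard Erlang C queueing model. The normal call volume of 120 calls per hour is a constructed assumption; the 4-minute handle time, the 100x volume surge, the 2x handle time and the 80%-in-20-seconds target are the slide's own numbers.

```python
import math

# Constructed baseline for illustration: the slide gives no absolute volume.
NORMAL_CALLS_PER_HOUR = 120        # assumption, not from the presentation
NORMAL_HANDLE_TIME_S = 4 * 60      # "standard 4 mins" from the slide
SURGE_VOLUME_FACTOR = 100          # "100 times normal" from the slide
SURGE_HANDLE_FACTOR = 2            # "call duration x2" from the slide
TARGET_WAIT_S = 20                 # "80% of calls answered in 20 seconds"
TARGET_SERVICE_LEVEL = 0.80


def erlang_c(agents: int, traffic: float) -> float:
    """Probability that an arriving call has to queue (Erlang C).

    `traffic` is the offered load in erlangs: calls per second multiplied by
    average handle time in seconds. Erlang B is built up with the stable
    recursive form, so loads of thousands of erlangs do not overflow the
    factorials in the textbook formula.
    """
    if agents <= traffic:
        return 1.0  # fewer agents than load: the queue grows without bound
    blocking = 1.0  # Erlang B with zero agents
    for k in range(1, agents + 1):
        blocking = traffic * blocking / (k + traffic * blocking)
    return agents * blocking / (agents - traffic * (1.0 - blocking))


def service_level(agents: int, calls_per_hour: float, handle_time_s: float,
                  target_wait_s: float = TARGET_WAIT_S) -> float:
    """Fraction of calls answered within target_wait_s for a given head count."""
    traffic = calls_per_hour / 3600.0 * handle_time_s
    p_wait = erlang_c(agents, traffic)
    if p_wait >= 1.0:
        return 0.0
    # Probability of waiting longer than the target, given exponential service.
    p_late = p_wait * math.exp(-(agents - traffic) * target_wait_s / handle_time_s)
    return 1.0 - p_late


def agents_needed(calls_per_hour: float, handle_time_s: float,
                  target_wait_s: float = TARGET_WAIT_S,
                  target_sl: float = TARGET_SERVICE_LEVEL) -> int:
    """Smallest number of concurrent agents that meets the service-level target."""
    traffic = calls_per_hour / 3600.0 * handle_time_s
    agents = math.floor(traffic) + 1  # must exceed the offered load to be stable
    while service_level(agents, calls_per_hour, handle_time_s, target_wait_s) < target_sl:
        agents += 1
    return agents


def breach_surge() -> dict:
    """Compare normal-day staffing with the slide's breach-day surge."""
    normal = agents_needed(NORMAL_CALLS_PER_HOUR, NORMAL_HANDLE_TIME_S)
    surge = agents_needed(NORMAL_CALLS_PER_HOUR * SURGE_VOLUME_FACTOR,
                          NORMAL_HANDLE_TIME_S * SURGE_HANDLE_FACTOR)
    return {
        "normal_agents": normal,
        "surge_agents": surge,
        # Service level the normal-day team would deliver on the breach day.
        "surge_sl_with_normal_team": service_level(
            normal, NORMAL_CALLS_PER_HOUR * SURGE_VOLUME_FACTOR,
            NORMAL_HANDLE_TIME_S * SURGE_HANDLE_FACTOR),
    }


if __name__ == "__main__":
    result = breach_surge()
    print(f"Normal day: {result['normal_agents']} agents meet 80/20")
    print(f"Breach day: {result['surge_agents']} agents needed for 80/20")
    print(f"Normal team on breach day answers "
          f"{result['surge_sl_with_normal_team']:.0%} of calls in 20 s")
```

Erlang C assumes random (Poisson) arrivals and callers who never hang up, so a breach surge, which arrives in bursts and sees heavy abandonment, is worse than the model shows; treat the result as a lower bound when deciding how much overflow capacity to pre-contract in the response plan.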

Page 21: You are criticized for trying your best

“You notified … too slowly … too fast … without cause … putting us at risk of scammers”

“Experts say you should have … encrypted … vetted suppliers … trained staff … … .”

UK Parliament, 20/6/16: bigger fines for poor response; cyber impact on CEO bonus.

Page 22: the future?

Massive growth in digital opportunities and cyber threats.

Expectations on CEOs will rise: to have a detailed plan to reduce harm from cyber attack.

Page 23: membership

We help executives reduce harm caused by cyber attacks

Practice your Response with Executive Simulations

Bespoke Commercial Response Plan

Commercial Coach for Cyber Attack Response

To find out more, contact Cyber Rescue via www.CyberRescue.co.uk.

Page 24: thank you

National & Organisational Strategies for Cyber Resilience

Kevin Duffey, Managing Director, 29th June 2016