Chief executives worldwide are confronting an urgent new responsibility. While profits and success have flowed from digital transformation, the risk to their reputation and revenues has risen with wave after wave of successful cyberattacks. In the search for profit, many companies have turned to data lakes and digital oceans, using information as their compass, cargo and fuel. But if data is the energy of the digital economy, it follows that data breaches can be explosive.
Commercial recovery during a catastrophic cyberattack is increasingly recognised as an essential competence. A Board-level executive must be accountable for how a business recovers from a breach, as every function can be impacted when hackers break through. The shock, speed and ambiguity of a successful cyberattack sets it apart from other crises, so progressive companies are calling on experts to help them rehearse, plan and achieve corporate recovery.
Cyber Rescue is a leader in this field, operating across Europe from its London HQ. Cyber Rescue has helped enterprises like Maersk, Vodafone and Swedbank, and many small companies from fintech to pharmaceuticals. In this article, we look at how Cyber Rescue is helping Boards, CEOs and CIOs to confront the challenge of our times: the successful cyberattack.
From all the breaches we have assisted with, we have noticed a strong demand for three precise capabilities:
- cyberattack simulations for executive leaders, to demonstrate risks and responsibilities
- bespoke recovery plans for each business, to ensure efficient and effective response
- coaching CEOs during the “golden hours” after a breach, to avoid mistakes made by others.
We will consider each of those needs in detail, after considering why businesses are turning to experts.
Why now? Computers will never be safe, according to the front page of The Economist this year. But business leaders have been slow to hear that message, since they are typically more interested in “when will our new app launch” than “is our new app secure?”
The IT Directors who build those apps are under enormous pressure to be fast and flexible, with few benefiting from a Board that recognises the risks such pressures create. So increasingly it is the IT Director or CIO who insists that the executive leadership experiences a data breach simulation.
Based on our experience, it is our opinion that investing sixty minutes to rehearse the cascade of commercial consequences from a breach is the best investment a Board can make.
Further, an effective simulation brings home to the CFO, the COO, Marketing and even HR heads that they all have a crucial role in leading recovery when the unthinkable happens. In just an hour, the leadership’s understanding of why they need to support IT security is transformed. Simulations can be designed either as an introductory Board-level session or as a more customised, larger enterprise-wide event, sometimes running over two days.
IT Directors and CISOs initiate about half of the calls that Cyber Rescue receives, with other requests coming from Chief Operating Officers, Chief Risk Officers or CEOs. The rapid growth in publicly reported data breaches is causing non-specialists to recognize the increasing possibility that their business could be next.
FBI Director Robert Mueller probably said it best, when he warned that “there are two types of company – those that have been breached, and those that will.”
And the exponential growth in publicly reported cyberattacks is shocking many executives into action, especially if they see graphs like this one, from Verizon’s famous annual report on data breaches.
Chief Risk Officers are increasingly trying to estimate the chance of their company being hit by a breach.
What’s the risk? To help our Members understand emerging risks, we maintain a library of over two hundred recent reports on cyber threats. Our research lead, Dr Chaditsa Poulatova, comments that “while many reports are sponsored by vendors with an interest in highlighting such threats, the numbers should certainly be causing CEOs to reflect on the new risk environment their businesses operate in.”
The vast majority of attacks are kept secret. For example, in the UK, a major survey in May 2016 found that 95% of businesses keep their most disruptive data breaches from the public, including 82% who don’t report breaches to the police. That secrecy makes it hard for other businesses to appreciate the scale of the problem. A good indication of the current likelihood of being attacked is given by this finding: some 2.8% of medium-sized organisations in Ireland are certain they suffered a data breach caused by malicious attack in the last two years.
Example figures include the 125% annual growth in sophisticated Zero Day attacks, the 71% increase in large DDoS attacks, the 55% growth in Spear Phishing, the 29% growth in Malware and the 21% increase in SQL injection attacks.
Interestingly, it’s images instead of statistics that often engage the busy executive. For example, live attack maps attract many visitors.
And there seems to be a rather morbid fascination with quotes made by executives who have been closest to major cyberattacks, as for example:
There was this horrible moment where I realized there was nothing at all that I could do.
– Amy Pascal, ex-CEO at Sony
Breach Prevention? How is that working for you?
– Jason Hart, VP, SafeNet Inc
I am incredibly angry about this data breach and we will institute a thorough review.
– John Legere, T-Mobile USA
JP Morgan spent $250m dedicated to cyber security. They did everything right, and they still got hacked.
– Erik Avakian, CISO, Penn State
There are 2 types of companies: those that have been hacked, & those that will.
– Robert Mueller, FBI Director
There’s no conceivable system that can stop 1 person in 100 opening a phishing email and that’s all it takes.
– Ciaran Martin, Director, GCHQ
It’s important to remember that the vast majority of companies won’t suffer a major breach in the next twelve months. By emphasising this, we highlight that cyberattacks are just one of the business continuity challenges that a company should prepare for. Security Directors and Risk Officers often want us to simulate a data breach for their Board as part of their wider risk mitigation strategy. It makes sense to use any Board-level interest in cyber to build resilience to all kinds of challenges a company might face.
Major cyberattacks are a low-probability but very-high-impact event. And they are much more likely than other scenarios that companies rehearse. For example, there were 17 deaths from fire in UK office buildings last year, during which thousands of British organisations suffered major breaches. Yet every company holds at least an annual rehearsal of its evacuation for a fire. What should they rehearse to ensure commercial recovery from successful cyberattacks?
Business challenges! The Board need to be ready to be blindsided by a breach, to appreciate that authorities may be unable to help, and to expect that there could be poor internal command and control. Here are some of the issues typically addressed during a simulation.
The shock of a breach is often made worse by several factors. For example, you may be told of the breach by an outsider, most frequently by Law Enforcement (41%) or Third Parties including customers (35%). You may then discover you weren’t told of previous data incidents. Even worse, you are weeks behind the attackers, as the average time to discover a breach is 69 days (followed by 70 days of technical containment).
Help from authorities is easier if you already know the right people. But who? There are 31 organisations fighting cyber threats to Financial Services in the UK, where 68% of Directors are unaware of who to call.
Some authorities have fewer resources than they’d like. The UK’s ICO has 30 officers handling 200,000 concerns and 1,000 cases per year. The police have said only 4% of cybercrime is dealt with appropriately.
Your chain of command will be stressed by ambiguity during a suspected breach. The UK Parliament is clear on who should lead cyber response in a business.
Opinions may fill the gap where facts are missing. Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days. And decisions must be made fast: 91% of consumers expect “24 hours or less.”
Your legal and moral responsibilities might not be immediately clear. For example, law enforcement may ask you not to notify customers, so that the hacker won’t be alerted to their investigations.
Extra-territorial laws on protection of citizens from cyberattack mean you may be subject to the requirements of more countries than you operate in. Just a summary of Privacy & Breach Notification laws runs to 425 pages.
Serious decisions require money. In the UK, 52% of CEOs think they have cyber insurance, but <10% do. Some 81% of companies with cyber cover in the USA have never claimed on it. Claims paid have been on: Crisis Services (78%), Legal Defence (8%) & Settlement (9%).
Will you pay for a big gesture? 53% of Breach Notifications offer Credit Monitoring. And what will be the long term revenue impact? Abnormal churn after a breach ranges from 6.2% in Financial Services and 5.3% in Health, down to 0.1% in Public Sector.
The surge in enquiries can quickly turn into even more irate calls from customers who – in their moment of crisis – want to receive the global standard in call centre response, 80% of calls answered in 20 seconds.
But after a breach, call volumes can be one hundred times higher than normal. And in addition, you must communicate with Regulators, Suppliers, Press, Staff, Police and Shareholders, and manage Social Media.
You will be criticised, even if your company suffered a criminal attack. Customers complain that you notified “too slowly … too fast … without cause … putting us at risk of scammers.” Consumers might say “Credit Monitoring doesn’t help me” or “How will you make this good” or simply “I want to break my contract and leave.”
The UK Parliament has called for bigger fines for poor response and a cyber impact on CEO bonuses.
The format of a simulation is as important as its content. Some executives can feel nervous about exposing their ignorance in front of their colleagues, for example. Cyber Rescue does a lot to customise the format of a simulation to the individual participants.
No one is evaluated in the simulations. Participants are put at ease and assigned to teams. But a simulation isn’t realistic without a bit of pressure. Friendly competition can energise participants and create a little pressure. Above all, a simulation is an opportunity to learn, to bond and to reflect.
“Simulations are very positive experiences, even fun,” notes Anjola Adeniyi, one of Cyber Rescue’s busy advisors. “I hosted a session we ran for the UK’s Worshipful Company of Information Technologists, an exclusive association of executives and thought leaders who have done the most to deliver the digital world we all now live in. Rather than the traditional death by PowerPoint, a simulation creates energy through engagement.”
A key lesson from every simulation is the need for a plan. “All large enterprises have a continuity plan,” notes Patrick Donegan, one of Cyber Rescue’s specialists in the telecoms sector, “but too many assume that it covers the challenges of modern cyberattacks. Without a bespoke plan, under intense pressure, the executive leadership can take a cyber incident and turn it into a commercial crisis through ill-informed, wrong-headed decisions. They might take too long to inform impacted customers, or raise the alarm prematurely. They might fail to consider how to notify affected parties in the correct order and effective manner, from regulators and law enforcement to suppliers, staff and shareholders.”
Going into battle, fighting to save your reputation and revenues during a major hack, is like boxing an invisible opponent. You can’t assume that the crisis management plan you’ve written for situations like a fire or a pandemic will work against a cyberattack. We sometimes quote what Mike Tyson used to say, of his over-confident opponents, ‘everyone has a plan until they get punched in the face!’
Every executive likes to think they’ll make the right decisions during a crisis, and given enough time and information, most of them do. But the speed and ambiguity of a cyber crisis makes for a unique dynamic.
A customised commercial response plan, prepared in advance of a major data breach, will make your response much more timely and effective. It provides Directors with simple checklists, templates and instructions about each of the decisions they must face. Crucially, it will document where sensitive data is held, including by third party suppliers and information processors, so that breaches caused by partners are considered during the initial forensic stage of response.
The plan has to be easy for executives to use. A section for each designated executive has to be provided, highlighting the resources they can call upon, the consequences of alternative actions they must choose between, and even the text of communications they may need to issue very urgently.
Who you gonna call? One thing that executives can forget when drafting a response plan is that normal business won’t stop during a crisis. The leadership team of a typical enterprise is full of highly competent individuals who are already giving everything to their job.
They are in essential roles, not redundant positions. So naturally, when a crisis hits, the business may want to bring in one or two specialists to at least help with the workload.
Cyber Rescue provides Crisis Coaches to help executives triage and resolve conflicting demands. For example, many organisations discover they have more than a dozen “stakeholders” who expect to be briefed, consulted or notified. Technical staff may be swamped with unreasonable requests for updates, and given conflicting priorities. Legal responsibilities may be unclear, and your communications team may be unprepared. Our library points out that 91% of consumers say they expect notification of a breach in 24 hours or less, but also that it is very harmful to send a badly worded notification. A crisis coach can help the executive team navigate such challenges.
The crisis coaches bring wisdom and experience. If there are conflicting views among your executive team, your crisis coach is a trusted sounding board. If blame or politics might creep into conversations, your crisis coach is a reliable and neutral partner to all. If things start to become over complicated, your advisor will bring you back to basics.
You need to anticipate avoidable mistakes that others have suffered. You must consider the commercial consequences of various actions you might take. During the shock and ambiguity of a possible major breach, a Crisis Coach is invaluable.
The speed at which response has to be delivered matters. Ideally, a Crisis Coach will start travelling to the Member’s HQ within 60 minutes of a call finishing. There is a golden hour at the start of your commercial response to a major cyberattack. This is when you establish command and control, stand up your response team, identify uncertainties and set priorities. We’ve built Cyber Rescue to respond to such challenges.
You probably won’t suffer a major breach in the coming months. A breach is a low-probability, high-impact event. Preparing your Board for such an eventuality is beneficial in many dimensions. If you want to energise your GDPR compliance programme, or build resilience to any kind of crisis, if you need to strengthen teamwork within the Board or simply an appreciation of the importance of IT, a simulation is a great place to start.