Part 2 of a 3-part series that covers the highlights from the cyber simulation held at the 2nd ASEAN Regulatory Summit. #advicethatsticks #TRREGSUMMITS See also part I - Data Breach? How to survive a Hack and part III - Managing the Fallout? How to survive a Hack.
As Chief Reputation Risk Officer and Managing Partner, RL Expert Group, I had the opportunity to collaborate with Ernst & Young Lead Partner Cybersecurity Asia Pacific, Paul O'Rourke; Counter-espionage Expert and Managing Director of Jayde Consulting, Julian Claxton; and Thomson Reuters Senior Editor, Patrick Fok.
The event triggered robust debate among the audience of senior governance, risk and compliance practitioners, and leaders from across the region. Given that this breach scenario is relatively common today, we thought it useful to share the simulation and challenge your thinking.
What would you do?
Context: You are the Chief Risk Officer at ABC Bank. You discover that someone has hacked into your servers. The perpetrators have stolen your customer information and financial records and published them online.
Your investigations now show that your primary servers were encrypted by ransomware and the attackers are demanding 1 million USD to unlock them. As a result of the attack, ABC Bank switched to its redundant servers offsite, which have weaker security controls. This meant that a phishing email got past the filtering at the redundant site; an unsuspecting member of staff forwarded it into the organisation, and this was the root cause of the data leak. 50,000 customer financial records have been leaked to the public.
Question 2: We need to shut down the redundant site, but need our primary servers in order to do that. What is our next step?
The results: There was a mix of responses here. Given that paying the ransom would now require the company to break the law, 64% of the audience said they would escalate this to the Executive/Board. 30.9% said that they would notify the relevant authorities and 2.9% said that they would try to manage it internally. Only 1.7% said that they would pay the ransom and 0.6% said that they would tell their external stakeholders.
In practice, companies would likely take many of these actions at the same time as part of their crisis management.
We discussed scenarios where ransoms have been paid, e.g. time-critical situations where not acting immediately would mean greater loss of life or liability for the company. One example was a hospital running 24 x 7 x 365 operations that is locked out of its patient records and needs them to issue life-saving medications or perform surgeries. Note that this was a unique, high-risk scenario where the decision would only be actioned with the relevant police and regulatory authorities engaged.
When a recommendation was made to the Board, we discussed that the Board would likely apply basic questioning before making a final decision, applying LEADS:
From L to R: Patrick Fok, Senior Editor Thomson Reuters; Paul O'Rourke, Lead Partner, Cybersecurity Asia Pacific, Ernst & Young; Leesa Soulodre, Chief Reputation Risk Officer and Managing Partner, RL Expert Group and Julian Claxton, Managing Director, Jayde Consulting.
We discussed that when dealing with ransomware or an espionage incident, there is no single right answer on what action to take; the only wrong answer is to do nothing. Paying the ransom may be a criminal offence, and if it is paid there is no guarantee that the perpetrators won't simply demand another ransom. Either way, your data has been compromised: the relevant authorities should be notified and legal counsel sought.
Key takeouts from Julian Claxton, Counter-espionage Expert, Jayde Consulting
An organisation's information security management system (ISMS) should address the business continuity and disaster recovery side of security, including how failover systems are secured. A redundant site held to a lower security standard than the primary, as in this scenario, becomes the attack surface the moment you fail over to it.
It is important to ensure that there are no additional compromises pending, and no rogue staff complicit in the crime. Access to sensitive information should be restricted to only those who require it to do their job, and an investigation commenced to identify any (ongoing) internal or external threat actors.
Regulators can assist organisations by educating stakeholders on what strategies to adopt and by guiding and reviewing those strategies, not only by criticising and penalising.
Be prepared. Whilst there is a cost to implementing robust security processes within an organisation (often deemed too expensive at the time), the benefit during a crisis is immeasurable. A preventive approach will result in a far more manageable outcome.
If you enjoyed reading this post, see the final part of this 3-part series, where we explore how to manage the fallout. Hear my expert reputation risk management perspectives and learn how other companies across Asia would deal with the challenge. This post will be published on Monday, 12th September 2016.
We will continue the discussion on practical strategies for managing a data breach at the Pan-Asian Regulatory Summit that is taking place on 8 & 9 November 2016 at the Grand Hyatt Hong Kong. For the full agenda and details on how to register, please visit the website.
I appreciate that you are reading my post. Here, and on LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.
If you learned something from reading this post, please click the thumbs up icon on my LinkedIn and let me know. If you would like to read my regular posts then please click 'Follow'. If we have met, do send me a LinkedIn invite. And, of course, feel free to also connect via Twitter.
If you are interested in more effective reputation risk management, improving corporate governance, using the Reputation Institute's RepTrak model to benchmark your company's reputation, or developing your digital, communications, responsible investment or sustainability strategies, do connect with us at RL Expert Group. Read more on strategies for effective reputation risk management on our blog.