Responding in the age of the Cyber Attack!

The NACD (the National Association of Corporate Directors) held a discussion afternoon in San Francisco in late April designed to make directors smarter about current events (not hard to do since so much is always changing!)

The agenda was politics, a cyber attack simulation, CEO succession planning, and the economic outlook. All interesting, but the cyber attack simulation was chilling.

The simulation was run by Mary Galligan who was with the FBI for much of her career. She’s an expert in crisis management having been the supervisor of the FBI investigation into 9/11 and she was the commander on the ground in Yemen following the attack on the USS Cole. She’s now at Deloitte.

The simulation was an attack on a pharma company that sells generic drugs online and through stores. The attackers, #Hackme, gave the management team 11 hours notice before they would release confidential information (personal information of the directors and executives). They took down the stores and the web site 9 hours into the notice period; the company could not stop the attacks, or meaningfully respond within the notice period. It was on headline news before the notice period was up because it leaked. It was based on a real case. The simulation was the executive team (all drafted members of the audience) trying to figure out what to do against the deadlines.

And so… the learnings were led by Mary Galligan at the end.

What Directors should now understand about cyber attacks and how to respond:

1. You must have a plan
– do you have a plan for how to respond to a cyber attack?
– do you have a plan and has the management team practiced it?
– who will run the response, who will run the company?
– you must assume you will not get enough information in the time you need it to respond, so you must have a crisis response plan
– you should also assume you will get incorrect information, even from your own IT who will be scrambling
– map out “what will happen if” so you have response scenarios for the things you can imagine, but also have a process to respond to the things you did not imagine. Don’t only do scenario planning because the type and scale of attacks is changing fast. Enough companies have paid of Ransomware now that it has grown exponentially in the last 60 days
– the tail of a cyber incident is very long, prepare for how you are going to trade off the stress between team members

2. Know the stakeholders
– who do you need to notify and in what order?
– board, major customers, insurance, investors etc.
– what should be escalated to whom and when?
– keep it to the top (execs and directors) – must assume if ANY employees know it will leak – this is human nature (stressed this applies to all crisis management). The existence of a cyber attack typically leaks within 2 hours.

3. Directors responsibility
– to have done their duty to ensure the company has prepared
– to ask questions, review the plan, ensure management has practiced it
– review the bill going into the senate that would require every board have a cyber expert on it – but it mat not pass because there are not enough cyber experts in existence today to implement it so pay attention to the SEC’s opinion on the issue.

4. Extortion events are on the rise and are increasingly not about money but about moral/ethical issues. “hacktavists”
and most events fall into one of five types:
1. Stealing information or IP
2. Disrupting operations
3. Ransomware
4. Destroying software and hardware
5. Releasing confidential/personal data (of the directors and management team)

Altogether eye opening and a rapidly developing area to watch! These photos are from the simulation.

  original video delivering the notice of the attack and the deadline
 defacing of the drug company’s web site (before the deadline)
television reporting on the news well before the deadline – 
it leaked before the web site was hacked