MARCH 1, 2018
Summary Report
Cyber attack
simulation exercise
Copyright © 2017 by The Boston Consulting Group, Inc. All rights reserved.
The CyberCanada attack simulation exercise was attended by 100+ Canadian
leaders representing a wide range of organizations from both the private and
public sector.
Some of the views shared by participants, and captured here, may appear to be
conflicting. This is a reflection of different opinions voiced and/or differences
between the various individuals and groups represented.
A short recap of the learning objectives, feedback shared by attendees during the
module readouts, and questions to consider asking your organizations have been
included in this short report.
To ensure privacy, opinions have not been attributed to any individuals.
A brief summary of the discussions during the
CyberCanada attack simulation exercise
Recap: the Table Top eXercise (TTX) had specific
learning objectives
The Experience
Experience what your management team goes through when under cyberattack
Understand by doing
• Basic cybersecurity concepts
• Cybersecurity as a strategic business risk
• The impacts of people, culture, process, procedures and technology on cyber resilience
• How to advance cyber resilience beyond the technical part
Module 1: The Compromise
Strengths and weaknesses of CEO's communications
• Strengths: out in front, confident, clear, available, took ownership
• Weaknesses: other management was not informed, too much
information was shared, not enough assurance, not genuine
enough, lack of preparation, false statements made
Responsibilities of the Management Board
• Ensure business continuity
• Determine regulatory reporting requirements
• Decide on internal communications
• Get handle on scope, control the message
• Engage the Board
What will you do next?
• Impact assessment from BUs + Functions
• Determine what insurance the company has
• Consult legal counsel
• Solicit Public Relations support
• Determine recovery and comms plans
• Determine plan of action
• Decide what should be the cadence for updates
Summary of responses shared during Module 1
Module 2: The Briefing
Views regarding ransom payment and who should make the decision
• Much disagreement on whether or not to pay the ransom
• Ransom payment considerations: assess the financial impact with
cost/benefit analysis, will we get back the data, can operations
resume without paying, who is the attacker, ask for extension on
deadline, discuss with law enforcement
• Who should make decision: some said Board should decide, others
said C-Suite should decide with advice from Board
Thoughts on engaging the community
• Engage the entire ecosystem
• Third parties: cybersecurity consultants, legal, PR, insurance, law
enforcement, call centers, ransom negotiator
• Stakeholders: employees, customers, partners, suppliers,
shareholders, government, regulators
What are next steps?
• Assess the business impact and set long-term strategy
• Get back to operations, assign responsible parties
• Look at the culture that allowed this to happen
• Fire the CEO
Summary of responses shared during Module 2
Module 3: The Response
Experts you would contact during a cyber attack and when
• Engage law enforcement early; they have intel
• Crisis response consultants and forensics teams can help
• Different responses for different jurisdictions and industries
• Prepare before the attack: meet with law enforcement and establish
the relationship beforehand
• Collaborate with industry partners
Following this exercise, what will you do differently?
• Ask the organization questions about cybersecurity
• Raise cybersecurity to the Board level
• “Culture is to punish the victim” has to stop
• Establish relationships with law enforcement and national CERT
• Don't wait for an attack to happen, plan incident response now
• Set cybersecurity long-term vision/strategy; and be agile
• Cybersecurity is not a cost center; it's a business enabler
How has digitalization impacted cybersecurity and business strategy?
• Increased the number of unknowns and interdependencies
• Has caused information overload creating a need to educate the public
• IoT has increased the risk by increasing the attack surface
Summary of responses shared during Module 3
Key questions you should be asking your organization
Crown jewels
How does your organization know
which systems, data, and assets
have the most value and do you
conduct tests on breaching those
systems?
Technology
How are the users of your
cybersecurity tools properly trained
on how to get the best results from
them?
Culture
How is cybersecurity ingrained into
the culture of your organization the
same way as safety, quality, ethics
and compliance?
Third parties
How do you secure suppliers,
acquisitions, business partners, and
customers with the same rigor as
you secure your enterprise?
Design for Cyber
How are your products, networks,
and systems designed with
cybersecurity in mind—from the first
design concept meeting through
every stage?
Business enabler
How have you integrated
cybersecurity into your business
strategy so that your business can
safely and securely innovate and
grow faster?
Consequences
How do you optimize your budget
between reducing vulnerabilities
and reducing the consequences of a
breach?
Preparation
What kind of plans do you have in
place for incident response, business
continuity & disaster recovery? Do
you regularly practice executing
these plans?
Boards are in a unique strategic position to
improve cyber resilience. And they are
ultimately responsible for cyber risk in their
companies
BCG jointly with the Forum established 10
Board Principles for cyber resilience
• Responsibility for Cyber Resilience
• Command of the Subject
• Accountable officer
• Integration of Cyber Resilience
• Risk assessment and reporting
• Risk appetite
• Resilience plans
• Community
• Review
• Effectiveness
See also the Forum's comprehensive report
on "Advancing Cyber Resilience: Principles
and Tools for Boards" (2017)
Source: BCG and World Economic Forum
See the publication at: http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf
The services and materials provided by The Boston Consulting Group (BCG) are subject to BCG's Standard Terms
(a copy of which is available upon request) or such other agreement as may have been previously executed by BCG.
BCG does not provide legal, accounting, or tax advice. The Client is responsible for obtaining independent advice
concerning these matters. This advice may affect the guidance given by BCG. Further, BCG has made no undertaking
to update these materials after the date hereof, notwithstanding that such information may become outdated
or inaccurate.
The materials contained in this presentation are designed for the sole use by the board of directors or senior
management of the Client and solely for the limited purposes described in the presentation. The materials shall not be
copied or given to any person or entity other than the Client (“Third Party”) without the prior written consent of BCG.
These materials serve only as the focus for discussion; they are incomplete without the accompanying oral commentary
and may not be relied on as a stand-alone document. Further, Third Parties may not, and it is unreasonable for any
Third Party to, rely on these materials for any purpose whatsoever. To the fullest extent permitted by law (and except
to the extent otherwise agreed in a signed writing by BCG), BCG shall have no liability whatsoever to any Third Party,
and any Third Party hereby waives any rights and claims it may have at any time against BCG with regard to the
services, this presentation, or other materials, including the accuracy or completeness thereof. Receipt and review of
this document shall be deemed agreement with and consideration for the foregoing.
BCG does not provide fairness opinions or valuations of market transactions, and these materials should not be relied on
or construed as such. Further, the financial evaluations, projected market and financial information, and conclusions
contained in these materials are based upon standard valuation methodologies, are not definitive forecasts, and are not
guaranteed by BCG. BCG has used public and/or confidential data and assumptions provided to BCG by the Client.
BCG has not independently verified the data and assumptions used in these analyses. Changes in the underlying data or
operating assumptions will clearly impact the analyses and conclusions.
Takeaways from a Simulated Cyber Attack

  • 1. MARCH 1, 2018 Summary Report Cyber attack simulation exercise
  • 2. 1 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. The CyberCanada attack simulation exercise was attended by 100+ Canadian leaders representing a wide-range of organizations from both the private and public sector. Some of the views shared by participants, and captured here, may appear to be conflicting. This is a reflection of different opinions voiced and/or differences between the various individuals and groups represented. A short recap of the learning objectives, feedback shared by attendees during the module readouts, and questions to consider asking your organizations have been included in this short report. To ensure privacy, opinions have not been attributed to any individuals. A brief summary of the discussions during the CyberCanada attack simulation exercise
  • 3. 2 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. Recap: the Table Top eXercise (TTX) had specific learning objectives Experience what your management team goes through when under cyberattack • Basic cybersecurity concepts • Cybersecurity as a strategic business risk • The impacts of people, culture, process, procedures and technology on cyber resilience • How to advance cyber resilience beyond the technical part The Experience Understand by doing
  • 4. 3 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. Module 1: The Compromise Strengths and weaknesses of CEO's communications • Strengths: out in front, confident, clear, available, took ownership • Weaknesses: other management was not informed, too much information was shared, not enough assurance, not genuine enough, lack of preparation, false statements made Responsibilities of the Management Board • Ensure business continuity • Determine regulatory reporting requirements • Decide on internal communications • Get handle on scope, control the message • Engage the Board What will you do next? • Impact assessment from BUs + Functions • Determine what insurance the company has • Consult legal counsel • Solicit Public Relations support • Determine recovery and comms plans • Determine plan of action • Decide what should be the cadence for updates Summary of responses shared during Module 1 3 2 1
  • 5. Module 2: The Briefing. Summary of responses shared during Module 2
    Views regarding ransom payment and who should make the decision
      • Much disagreement on whether or not to pay the ransom
      • Ransom payment considerations: assess the financial impact with cost/benefit analysis, will we get back the data, can operations resume without paying, who is the attacker, ask for extension on deadline, discuss with law enforcement
      • Who should make decision: some said Board should decide, others said C-Suite should decide with advice from Board
    Thoughts on engaging the community
      • Engage the entire ecosystem
      • Third parties: cybersecurity consultants, legal, PR, insurance, law enforcement, call centers, ransom negotiator
      • Stakeholders: employees, customers, partners, suppliers, shareholders, government, regulators
    What are next steps?
      • Assess the business impact and set long-term strategy
      • Get back to operations, assign responsible parties
      • Look at the culture that allowed this to happen
      • Fire the CEO
  • 6. Module 3: The Response. Summary of responses shared during Module 3
    Experts you would contact during a cyber attack and when
      • Engage law enforcement early; they have intel
      • Crisis response consultants and forensics teams can help
      • Different responses for different jurisdictions and industries
      • Prepare before the attack: meet with law enforcement and establish the relationship beforehand
      • Collaborate with industry partners
    Following this exercise, what will you do differently?
      • Ask the organization questions about cybersecurity
      • Raise cybersecurity to the Board level
      • “Culture is to punish the victim” has to stop
      • Establish relationships with law enforcement and national CERT
      • Don't wait for an attack to happen, plan incident response now
      • Set cybersecurity long-term vision/strategy; and be agile
      • Cybersecurity is not a cost center; it's a business enabler
    How has digitalization impacted cybersecurity and business strategy?
      • Increased the number of unknowns and interdependencies
      • Has caused information overload creating a need to educate the public
      • IoT has increased the risk by increasing the attack surface
  • 7. Key questions you should be asking your organization
      • Crown jewels: How does your organization know which systems, data, and assets have the most value and do you conduct tests on breaching those systems?
      • Technology: How are the users of your cybersecurity tools properly trained on how to get the best results from them?
      • Culture: How is cybersecurity ingrained into the culture of your organization the same way as safety, quality, ethics and compliance?
      • Third parties: How do you secure suppliers, acquisitions, business partners, and customers with the same rigor as you secure your enterprise?
      • Design for Cyber: How are your products, networks, and systems designed with cybersecurity in mind—from the first design concept meeting through every stage?
      • Business enabler: How have you integrated cybersecurity into your business strategy so that your business can safely and securely innovate and grow faster?
      • Consequences: How do you optimize your budget between reducing vulnerabilities and reducing the consequences of a breach?
      • Preparation: What kind of plans do you have in place for incident response, business continuity & disaster recovery? Do you regularly practice executing these plans?
  • 8. Boards are in a unique strategic position to improve cyber resilience. And they are ultimately responsible for cyber risk in their companies
    BCG jointly with the Forum established 10 Board Principles for cyber resilience
      • Responsibility for Cyber Resilience
      • Command of the Subject
      • Accountable officer
      • Integration of Cyber Resilience
      • Risk assessment and reporting
      • Risk appetite
      • Resilience plans
      • Community
      • Review
      • Effectiveness
    See also the Forum's comprehensive report on "Advancing Cyber Resilience: Principles and Tools for Boards" (2017)
    Source: BCG and World Economic Forum
    See the publication at: http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf
  • 9. The services and materials provided by The Boston Consulting Group (BCG) are subject to BCG's Standard Terms (a copy of which is available upon request) or such other agreement as may have been previously executed by BCG. BCG does not provide legal, accounting, or tax advice. The Client is responsible for obtaining independent advice concerning these matters. This advice may affect the guidance given by BCG. Further, BCG has made no undertaking to update these materials after the date hereof, notwithstanding that such information may become outdated or inaccurate. The materials contained in this presentation are designed for the sole use by the board of directors or senior management of the Client and solely for the limited purposes described in the presentation. The materials shall not be copied or given to any person or entity other than the Client (“Third Party”) without the prior written consent of BCG. These materials serve only as the focus for discussion; they are incomplete without the accompanying oral commentary and may not be relied on as a stand-alone document. Further, Third Parties may not, and it is unreasonable for any Third Party to, rely on these materials for any purpose whatsoever. To the fullest extent permitted by law (and except to the extent otherwise agreed in a signed writing by BCG), BCG shall have no liability whatsoever to any Third Party, and any Third Party hereby waives any rights and claims it may have at any time against BCG with regard to the services, this presentation, or other materials, including the accuracy or completeness thereof. Receipt and review of this document shall be deemed agreement with and consideration for the foregoing. BCG does not provide fairness opinions or valuations of market transactions, and these materials should not be relied on or construed as such.
Further, the financial evaluations, projected market and financial information, and conclusions contained in these materials are based upon standard valuation methodologies, are not definitive forecasts, and are not guaranteed by BCG. BCG has used public and/or confidential data and assumptions provided to BCG by the Client. BCG has not independently verified the data and assumptions used in these analyses. Changes in the underlying data or operating assumptions will clearly impact the analyses and conclusions.