Takeaways from a Simulated Cyber Attack
Copyright © 2017 by The Boston Consulting Group, Inc. All rights reserved.
A brief summary of the discussions during the CyberCanada attack simulation exercise

The CyberCanada attack simulation exercise was attended by 100+ Canadian leaders representing a wide range of organizations from both the private and public sector.

Some of the views shared by participants, and captured here, may appear to be conflicting. This reflects the different opinions voiced and/or differences between the various individuals and groups represented.

This short report includes a recap of the learning objectives, feedback shared by attendees during the module readouts, and questions to consider asking your organization.

To ensure privacy, opinions have not been attributed to any individuals.
Recap: the Table Top eXercise (TTX) had specific learning objectives

The Experience: understand by doing. Experience what your management team goes through when under cyberattack.

• Basic cybersecurity concepts
• Cybersecurity as a strategic business risk
• The impacts of people, culture, process, procedures and technology on cyber resilience
• How to advance cyber resilience beyond the technical part
Module 1: The Compromise

Summary of responses shared during Module 1

Strengths and weaknesses of CEO's communications
• Strengths: out in front, confident, clear, available, took ownership
• Weaknesses: other management was not informed, too much information was shared, not enough assurance, not genuine enough, lack of preparation, false statements made

Responsibilities of the Management Board
• Ensure business continuity
• Determine regulatory reporting requirements
• Decide on internal communications
• Get a handle on scope, control the message
• Engage the Board

What will you do next?
• Impact assessment from BUs + Functions
• Determine what insurance the company has
• Consult legal counsel
• Solicit Public Relations support
• Determine recovery and comms plans
• Determine plan of action
• Decide what the cadence for updates should be
Module 2: The Briefing

Summary of responses shared during Module 2

Views regarding ransom payment and who should make the decision
• Much disagreement on whether or not to pay the ransom
• Ransom payment considerations: assess the financial impact with cost/benefit analysis, will we get back the data, can operations resume without paying, who is the attacker, ask for an extension on the deadline, discuss with law enforcement
• Who should make the decision: some said the Board should decide, others said the C-Suite should decide with advice from the Board

Thoughts on engaging the community
• Engage the entire ecosystem
• Third parties: cybersecurity consultants, legal, PR, insurance, law enforcement, call centers, ransom negotiator
• Stakeholders: employees, customers, partners, suppliers, shareholders, government, regulators

What are the next steps?
• Assess the business impact and set long-term strategy
• Get back to operations, assign responsible parties
• Look at the culture that allowed this to happen
• Fire the CEO
Module 3: The Response

Summary of responses shared during Module 3

Experts you would contact during a cyber attack and when
• Engage law enforcement early; they have intel
• Crisis response consultants and forensics teams can help
• Different responses for different jurisdictions and industries
• Prepare before the attack: meet with law enforcement and establish the relationship beforehand
• Collaborate with industry partners

Following this exercise, what will you do differently?
• Ask the organization questions about cybersecurity
• Raise cybersecurity to the Board level
• "Culture is to punish the victim" has to stop
• Establish relationships with law enforcement and the national CERT
• Don't wait for an attack to happen; plan incident response now
• Set a cybersecurity long-term vision/strategy, and be agile
• Cybersecurity is not a cost center; it's a business enabler

How has digitalization impacted cybersecurity and business strategy?
• Increased the number of unknowns and interdependencies
• Has caused information overload, creating a need to educate the public
• IoT has increased the risk by increasing the attack surface
Key questions you should be asking your organization

Crown jewels
How does your organization know which systems, data, and assets have the most value, and do you conduct tests on breaching those systems?

Technology
How are the users of your cybersecurity tools properly trained on how to get the best results from them?

Culture
How is cybersecurity ingrained into the culture of your organization the same way as safety, quality, ethics and compliance?

Third parties
How do you secure suppliers, acquisitions, business partners, and customers with the same rigor as you secure your enterprise?

Design for Cyber
How are your products, networks, and systems designed with cybersecurity in mind—from the first design concept meeting through every stage?

Business enabler
How have you integrated cybersecurity into your business strategy so that your business can safely and securely innovate and grow faster?

Consequences
How do you optimize your budget between reducing vulnerabilities and reducing the consequences of a breach?

Preparation
What kind of plans do you have in place for incident response, business continuity & disaster recovery? Do you regularly practice executing these plans?
Boards are in a unique strategic position to improve cyber resilience. And they are ultimately responsible for cyber risk in their companies.

BCG jointly with the Forum established 10 Board Principles for cyber resilience:

1. Responsibility for Cyber Resilience
2. Command of the Subject
3. Accountable officer
4. Integration of Cyber Resilience
5. Risk assessment and reporting
6. Risk appetite
7. Resilience plans
8. Community
9. Review
10. Effectiveness

See also the Forum's comprehensive report on "Advancing Cyber Resilience: Principles and Tools for Boards" (2017).

Source: BCG and World Economic Forum
See the publication at: http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf