Ransom? How to survive a Hack Part II

Part 2 of a 3 part series that covers the highlights from the Cyber simulation held at the 2nd ASEAN Regulatory Summit. #advicethatsticks #TRREGSUMMITS See part 1 - Data Breach? How to survive a Hack and part III - Managing the Fallout? How to survive a Hack.

As Chief Reputation Risk Officer and Managing Partner, RL Expert Group, I had the opportunity to collaborate with Ernst & Young Lead Partner Cybersecurity Asia Pacific, Paul O'Rourke, Counter-espionage Expert and Managing Director of Jayde Consulting, Julian Claxton, and Thomson Reuters Senior Editor, Patrick Fok.

The event triggered robust debate among the audience of senior governance, risk and compliance practitioners, and leaders from across the region. Given that this breach scenario is relatively common today, we thought it useful to share the simulation and challenge your thinking.

What would you do?

Context: You are the Chief Risk Officer at ABC Bank. You discover that someone has hacked into your servers. The perpetrators have stolen your customer information and financial records and published them online.

Your investigations now show that your primary servers were attacked by ransomware software and the attackers are demanding 1 million USD to unlock your servers. As a result of the hack, ABC Bank switched to their redundant servers offsite which have lower security. This meant that a phishing email was able to leak through the firewalls, which an unsuspecting member of staff pushed in to the organization and was the root cause of the data leak. 50,000 customer financial records have been leaked to the public.

Question 2: We need to shut down the redundant site, but need our primary servers in order to do that. What is our next step?

1. Pay the ransom
2. Notify the relevant authorities
3. Tell your external stakeholders
4. Try to manage it internally
5. Escalate to the Executive / Board

The results: There was a mix of responses here. Given that it now required the company to break the law if it was to pay the ransom, 64% of the audience said they would now escalate this to the Executive/Board. 30.9% said that they would notify the relevant authorities and 2.9% said that they would try to manage it internally. Only 1.7% said that they would pay the ransom and 0.6% said that they would tell their external stakeholders.

The likelihood is that as part of their crisis management, companies would take many of these actions at the same time.

We discussed scenarios where ransoms have been paid e.g. time critical scenarios where there would be greater loss of life or liability for the company if it was to not take immediate action. One such example was in a healthcare context where a hospital conducting 24 x 7 x 365 operations is unable to access its patient data records and as a result of the need to issue life-saving medications, or surgeries, would need access to its patient records. Note that this was a unique, high-risk scenario where the decision would only be actioned with the relevant police and regulatory authorities engaged.

When a recommendation was made to the Board, we discussed that it's likely that the Board would apply basic questioning before making a final decision, applying LEADS:

1. Is it Legal? (Both locally & internationally),
2. Is it Ethical (Is it regarded as unethical behavior by stakeholders even if legal?),
3. Is it Acceptable (Is it criticized by some, but regarded as acceptable by most who matter most),
4. Is it Defensible (Could we defend our action if this became front page news?) and
5. Is it Sensible - Even if it failed all or some of the Ethical, Acceptable or Defensible criteria - does it still make good business sense?”

From L to R: Patrick Fok, Senior Editor Thomson Reuters; Paul O'Rourke, Lead Partner, Cybersecurity Asia Pacific, Ernst & Young; Leesa Soulodre, Chief Reputation Risk Officer and Managing Partner, RL Expert Group and Julian Claxton, Managing Director, Jayde Consulting.

We discussed that when dealing with ransomware or an espionage incident, there's no right or wrong answer on what action to take, other than to do nothing. Paying the ransom may be a criminal offence and if it is paid, there's no guarantee that the perpetrators won't simply demand another ransom. Either way, your data has been compromised and the relevant authorities should be notified and legal counsel sought.

An organisation’s information security management system (ISMS) should address key issues pertaining to the business continuity and disaster recovery side of security.

It is important to ensure that there are no additional compromises pending, or rogue staff complicit in the crime. Access to sensitive information should be restricted to only those who require it to be able to do their job and an investigation commenced to identify any (ongoing) internal or external threat actors. 

Regulators can assist organisations by educating stakeholders on what strategies to adopt and by guiding and reviewing those strategies, not only criticising and penalising.

Be prepared. Whilst there may be a cost to implement robust security processes within an organisation (often deemed too expensive at the time), the benefit during a crisis is immeasurable. A preventive approach will result in a far more manageable outcome.

Key Takeouts from Expert Julian Claxton, Counter Espionage Jayde Consulting

1. Don't be an enabler - organisations need to ensure that robust security policies and procedures are in place AND enforced. This should include regular risk and vulnerability assessments, with recommended treatment options implemented. It is both surprising and concerning to see how few organisations maintain a dynamic risk register or even undertake regular security reviews.
2. Limit access to information - Whether electronic or paper-based, not everyone within an organisation necessarily needs to have access to everything. For example, a Human Resources Manager need not have access to financial documents or marketing plans, nor the offices where such information is stored. Too often, we see that employees are given full and free physical access to all areas of a tenancy, at all hours of the day; or unrestricted access to data servers. This is unnecessary and makes it difficult to contain information, or determine who has accessed what, in the aftermath of a breach. It is also important for organisations to appropriately vet staff with unprecedented access to data. This should include pre-employment, bankruptcy, and criminal history checks. Whilst not foolproof, this makes for an excellent baseline.
3. Read the signs - Often there are telltale signs in the lead up to a crime. Organisations need to make use of existing 'intelligence'. People are creatures of habit and will ordinarily come and go at roughly the same time, will access certain information in a uniform manner, and will generally maintain a fixed routine from day to day. Changes to these routines or habits may indicate an emerging issue. These might include the type of information an employee is accessing on a server (particularly if it doesn't relate to their core function at work), unusual changes to their working hours or office access (such as weekends or overnight), out of character questions or behaviour; and many other similar examples. This is only a snapshot of the 'intelligence' at hand within most organisations, however, they cover some of the more likely indicators. Look for the anomalies!

-

If you enjoyed reading this post, see the final part of this 3 part Series where we explore how to manage the fallout. Hear my expert reputation risk management perspectives and learn how other Companies across Asia would deal with the challenge. This post will be published on Monday, 12th September 2016.

We will continue the discussion on practical strategies for managing a data breach at the Pan-Asian Regulatory Summit that is taking place on 8 & 9 November 2016 at the Grand Hyatt Hong Kong. For the full agenda and details on how to register, please visit the website.

---

I appreciate that you are reading my post. Here, at LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.

If you learned something from reading this post, please click the thumbs up icon above and let me know. If you would like to read my regular posts then please click 'Follow' (at the top of the page). If we have met, do send me a LinkedIN invite. And, of course, feel free to also connect via Twitter.

If you are interested in more effective reputation risk management, improving corporate governance, using the Reputation Institute's RepTrak model to benchmark your company's reputation, or developing your digital, communications, responsible investment or sustainability strategies, do connect with us at RL Expert Group. Read more on strategies for effective reputation risk management on our blog.

For more on this topic, check out my other recent LinkedIn Influencer posts on the Reputation Risk Management agenda:

• Cyber Breach? How to survive a Hack
• 5 challenges of managing Cybercrime
• 10 steps for future proofing reputation
• Make sure your boss get's the message
• Most risk managers don't understand reputation risk
• Can you explain in one minute?
• Financials hidden in plain sight - Ask "Why?"
• 5 steps to take if your supply chain is morally corrupt
• Getting boards into reputation risk management
• Carmakers python - a matter of outrage and trust
• Social License to Operate Risks Matter in Mining
• Facts Everyone Should Know about Child Labor
• Reputation Risk in Banking
• Addressing McDonald's $39B Reputation Risk Challenge
• Challenges for CxO's with APAC's top 10 Risks
• Reinventing Risk for an Asian Century
• New weapon of choice for complex global supply chains?
• 5 steps for effective due diligence in Asia

About Leesa Soulodre: 

Managing Partner and Director of RL Expert Group, an international reputation risk management think tank and consulting practice and Asia Associate of the Reputation Institute. An Innovation Advisor to the European Commission and to the University of Illinois Urbana Champaign Advanced Digital Science Centre, Singapore. Board Advisor to Belgian PR Software firm, Prezly, Korean Fashion Analytics firm FashionMatch, and the US Sports Analytics firm, Autoscout.

Leesa has worked for 20 years on the cutting edge of strategy, communications, technology, cyber security and risk consulting. Specialised in reputation risk management, she has advised more than 400+ multinationals and their start-ups in 19 sectors across Europe, Asia Pacific and the Americas. As a serial en/intrepreneur, she has led companies with turnovers from $4M to $14B USD into new markets and has shared the exhilaration of one IPO, numerous exits and the hard knocks of lessons learned.

Connect: Leesa Soulodre, Managing Partner RL Expert Group