Cyber Crisis Workshop You’ve been hacked – NOW WHAT?
Making the most of this exercise Interaction is key
- Give your knee-jerk reactions
- Aim to respond in under 10 seconds.
- Your answers are anonymous
- This is a NO FAULT exercise
Put your personal circumstances aside For the purpose of this exercise
- You are the COO of GreenLife Foods
- You do NOT have any cyber insurance
- Your staff have NOT undertaken any cyber security training
- You do not have an Incident Response Plan to deal with a Cyber crisis
- Your team have no prior experience
The aim of this toolkit
Walk you through the sequence of events of a cyber attack and their potential impact. Test your reactions under pressure. Understand the impact of the crisis on the org’s critical systems. Consider what decisions need to be taken and by whom. Raise awareness of what happens in the response and remediation phase. Explore the options and resources available to you should the worst happen.
Greenlife Foods
Day 1 An email to all staff
All staff ‘accidentally’ receive an email from HR with an attachment of the “yearly staff bonus”.
Question one Do you open the attachment?
Yes
No
It’s decision time – you have 20 seconds. Please respond to the question on your screens.
Day 1 All devices have been locked
Early detection could have prevented the malware from spreading widely, reducing the extent of IT infrastructure damage and minimizing production downtime. Implementing processes to identify and deal with suspicious emails could have resulted in that earlier detection.
Within a few hours of you opening the email, all devices are locked across the business. Around 5% of people targeted by phishing attacks click on malicious links or attachments, based on Verizon's 2023 Data Breach Investigations Report (DBIR). When it comes to stealing login credentials, about 30% of phishing emails that are clicked successfully capture sensitive information, such as usernames and passwords.
Some cyber insurance can provide you with always-on detection software to support earlier detection of attacks. Most also provide you with 24/7 access to a breach response team, helping you to respond and recover quickly from a cyber-attack and getting you back on your feet.
Day 1 All devices have been locked
You have deleted the email but other staff members have clicked on the attachment. Within a few hours of staff opening the email, all devices are locked. Phishing remains the most common form of cyber-crime. Of UK businesses that suffered a cyber-attack in 2022, 83% say the attack was phishing.
Question two Do you try to reboot all machines or call IT?
Reboot machines
Call IT
It’s decision time – you have 20 seconds. Please respond to the poll on your screens.
Day 1 All devices have been locked
Machines are still locked. Ransomware attacks like the one in our story are not easily reversible because the encryption methods used by cyber criminals are virtually impossible to crack without the decryption key, which only the attacker possesses. Ransomware can lock systems in such a way that entire networks and devices have to be rebuilt, leading to prolonged downtime, and significant disruption.
Day 2 There’s been a cyber attack!
IT have informed you that there is a cyber attack and all machines are locked.
- All computer-controlled production machinery locked out. Costing you over £40K lost in revenue per day.
- Over 65 staff on the production line are standing idle.
- You have a ransomware demand of £250K
Question three There has been a ransomware demand. Do you pay it or not?
Pay £250k
Don’t pay
It’s decision time – you have 20 seconds. Please respond to the poll on your screens.
A well-crafted IR plan considers and caters to all applicable threats and scenarios. A fit-for-purpose IR plan:
- Includes a communication strategy to ensure clear and timely communication
- Clearly identifies roles and responsibilities to ensure that all those involved are fully aware of their role during a crisis
- Clearly outlines the recovery strategies for critical assets
- Identifies external parties that must be informed and involved, such as insurers and regulators
Day 3 You paid but nothing has changed!
- Even if you pay, there's no assurance that the attacker will provide the decryption key or remove malicious software. In many cases, victims never get their data back.
- Even if you get the decryption key, it may not work properly or could only restore part of your data.
- Paying might not prevent the data from being exposed or sold to others.
- Paying incentivises future attacks.
- Paying may violate laws or sanctions.
- Cyber insurance can cover your business interruption loss (including extra expenses resulting from the interruption) when your computer systems are impacted by a cyber event.
- Insurer's breach response team connects you with an extortion specialist, who can help with negotiations with the cyber gang.
Day 3 Data has been leaked – the Cyber criminals mean business
Whether you decided to pay or not to pay doesn’t alter the fact that the data has been breached. To make matters worse, some of the data has been leaked online. The Information Commissioner’s Office has got wind of the security breach. They require you to respond.
Question four The ICO have been in touch and requested information on the data breach. Do you respond immediately or later?
Respond now
Respond later
It’s decision time – you have 20 seconds. Please respond to the poll on your screens.
Day 3 Data has been leaked – the Cyber criminals mean business
The law requires that you notify the ICO of a data breach within 72 hours of becoming aware of it. Guidance from the ICO: www.ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
- Well designed playbooks would have meant that the company would have clarity on whom to inform and when
- Comms Templates would mean that the organisation would be able to issue critical communications to the relevant stakeholders rather than spend hours/days with legal and other teams crafting the communications during the actual crisis.
- Insurer's breach response team connects you with IT forensics and data recovery specialists to help you respond and recover.
- Insurer will provide access to legal advice on whether and how to notify the ICO (Information Commissioner).
Day 4 People want answers!
The ICO have acknowledged your response and will be back in touch. There are however further problems: Staff are posting about the situation on X. Journalists and key clients are calling for updates. Your team has suggested an external crisis communications support team can help but the cost is £35k!
Question five Do you instruct the external PR agency to manage the situation at a cost of £35K?
Yes
No
It’s decision time – you have 20 seconds. Please respond to the poll on your screens.
Day 5 People want answers!
By not instructing a PR agency you could potentially:
- Delayed or poor communication = damage to your reputation. Without professional support you might issue unclear, incomplete, or overly technical statements that result in distrust or confusion.
- Media Backlash - the media may amplify the negative aspects of a cyber-attack if you’re not managing your communications properly.
- A good PR company will help avoid inconsistent messaging, conflicting statements and inaccuracies.
- If communications aren’t professionally managed, customers may abandon you, investors may lose confidence and regulators may hold you in breach of your duty to provide timely notification.
In addition to communications plans and templates, an effective incident response plan will also contain a list of support services or third-party support options that you can reach out to. For example, a trusted crisis PR firm that has already been vetted by your business, or with which you have an existing relationship or agreement.
- Cyber insurers can connect you with a Public Relations consultant who can provide consultancy and advice on how to communicate with the press, or your customers. This can help mitigate brand damage arising from the cyber-attack.
- The spoiled stock costs can form part of the cyber business interruption loss calculation.
Day 5 People want answers!
The PR agency are handling enquiries from journalists... However IT are still unable to fix the problem and production has ceased with £100k of stock having to be disposed of. Key clients are calling wanting to know if their details have been compromised.
Question Six Key clients are calling wanting to know if their data has been compromised. How do you deal with this?
Deal with them directly
Use forensic IT team
It’s decision time – you have 20 seconds. Please respond to the question on your screens.
Day 6 People want answers!
- Cyber insurance can cover you for your lost net profit arising from an adverse publication (bad press) relating to a cyber event. Where a client leaves you, insurance can reimburse you for the loss of their business. Protection for your bottom line.
- Sometimes, computer hardware is rendered useless by a cyber event, and you’ll need to replace it. Cyber insurance pays for the costs to replace or restore computer hardware and other physical equipment impacted by a loss of firmware integrity resulting from a cyber-attack.
You've tried to deal with the client directly but the client is unsatisfied with your answers. They decide to cancel their order.
- If a client cancels an order, you’ll lose the revenue (and any profit).
- Losing one important customer may cause others to consider moving away.
- Reputational damage is costly to recover from.
A good incident response plan should contain a well-thought-out communication plan, including examples of responses which can be used and adapted to ensure all responses are well thought out and provide the necessary information and support to clients and third parties, with the aim of reducing the risk of client loss due to poor communication and support.
Day 7 Costs mount up
A forensic IT team have been instructed at a cost of £50k. They have provided details to the client and they have decided to proceed with their previous order. IT have called to let you know there’s a breakthrough in dealing with the attack but new hardware is needed adding a further cost of £75k.
Question seven Do you purchase new hardware?
Yes
No
It’s decision time – you have 20 seconds. Please respond to the question on your screens.
Week 2 We’re back online
IT breakthrough. Success in uploading some of the data. Without new hardware it is difficult to guarantee that the malware has been completely wiped from your systems.
Week 2 We’re back online
- IT breakthrough. Success in uploading some of the data
- Crisis PR support has kicked in - feeding facts to interested 3rd parties with daily updates
- The production line is back online and employees are back at their stations
Reflecting on your own business Ask yourself these questions:
What level of awareness/ training do your employees have on Cyber threats? What level of Cyber protection does the business have? Does our insurance cover Cyber-attacks? Do we have an incident response plan in place should the worst happen?
Creating an Incident Response Plan What does a fit-for-purpose plan include?
- An overview of the sequence of events and steps to take at each stage
- A clear communication strategy to ensure timely communication with the right individuals/organisations
- Identified roles & responsibilities to ensure that all those involved are fully aware of their role during a crisis
- An outline of the recovery strategies for critical assets
- External parties that must be informed, contacted and involved, such as insurers and regulators
Cyber Webinar SlidesV2.4-JD.pptx.pptx
jon drew
Created on October 9, 2024