Manage the unexpected
Crisis management in a hyper connected world: how to achieve cyber resilience
Brussels, 28 January 2016


New technologies bring new risks and crisis situations

• Cloud & virtualization
• Collaboration platforms
• Mobile / BYOD
• Social media
• Big data
• New payment systems
• Internet of things

BCI BE Forum 2


As BCM professionals we are well aware of the threat

But are we ready to face the threat?


Striving for cyber resilience

Cyber crisis phases: Readiness, Response, Recovery

Readiness

Readiness: Prepare smarter

Sun Tzu, The Art of War, 6th century BC

If you know your enemies and know yourself, you will not fear the result of a hundred battles;

If you know yourself but do not know your enemies, for every victory gained you will also suffer a defeat;

If you know neither your enemies nor yourself, you will be imperiled in every single battle.

Readiness: Make sure you understand…

1. Your organisation
2. Your threat landscape
3. Your capabilities

Readiness: First, understand your organisation

What does your organization look like?
• Geographical locations (of your operations, vendors, partners, and customers)
• Presence (brick & mortar vs. e-store)
• B-2-B or B-2-C?
• Sector & sub-sector
• Centralized or distributed?
• Business processes
• Types of data processed by the various divisions (financial, personal, IP, etc.)?
• Systems used to support the business

Readiness: Second, understand your threat landscape

What are the threats your organization might be facing?

Threat actors
• Competition
• Criminals
• Customers
• Hackers
• Insiders
• Organized crime
• Hacktivists
• State agencies
• Terrorists

Motives
• Making a statement
• Competitive advantage
• Espionage
• Disruption
• Financial gain

Attack vectors
• Malicious code
• Social engineering
• Botnets
• DDoS
• Spam
• Phishing
• Physical damage
• Ransomware

Targeted assets
• Financial data
• Intellectual property
• Sensitive operational information
• Services
• Brand image

Impacts
• Financial loss
• Reputation harm
• Lawsuit
• Regulatory sanctions
• Loss of trust
• Continuity of service

Are we ready to deal with the unexpected? Just a tweet

Dow Jones fell 143 points (recovered in 7 min). Reuters: $200 billion lost on global exchanges

Are we ready to deal with the unexpected? How much are your data worth to you?

Source: www.batblue.com/category/watch-desk/

http://www.bbc.com/news/uk-34784980

Readiness: Finally, assess your cyber capabilities

What do your capabilities look like?
• What is the current maturity of your capabilities?
• What should their maturity be?
• Is their maturity uniform across the organisation?
• How do they match up against the threats they face?
• Have we correctly prioritized our investments to enhance the most important capabilities?

Examples include:
• Training & Awareness
• Data Leakage Prevention
• Vendor Management
• Security Event Monitoring
• Privacy & Data Protection
• Physical Security

Response

Live up to your reputation

Response

Strategic, operational and tactical impacts of a cyber incident:
• Increased governmental regulations
• C-Suite resignations or forced departures increased
• Vulnerability to corporate raiders increased
• Share price and/or market share decreased
• Intellectual property compromised
• Reputation and/or brand negatively impacted
• Significant contracts or key customers lost
• Inability to raise capital
• International tax issues
• Government scrutiny of business practices increased
• Shareholder/customer litigation
• Higher operation costs (new protections)
• Major fines and penalties from regulatory bodies
• Liquidity issues
• Breach insurance claims made
• Financial reporting requirements impaired
• Customer contracts breached
• Direct financial loss
• Liability/compensation payments
• IT support costs to investigate and remediate increased
• Customer support staff to address public concerns increased
• Unplanned server shutdowns
• IT business disrupted
• Legal customer notification required
• Confidential data lost
• Operation dependent on breached applications disrupted
• Report noncompliance
• Cyber insurance claims
• Breach of personal data

A crisis is no place for “on-the-job training”

A cyber incident might have a great impact on all levels of the organisation.

If you know what the impacts can be, it is easier to identify them and modify your response strategy accordingly.

A personal data breach might have similar, but different, impacts on the organisation and how you respond and recover…


Do you know how the new EU General Data Protection Regulation (GDPR) will impact your organisation when it becomes effective in early 2018?

• Increased accountability for organisations
• Increased enforcement power for authorities
• Higher fines
• Privacy by design (PIAs)
• Mandatory retention periods
• …

Are you aware of the new EU data breach notification requirements?

Response

Personal data breach: duties of the organisation

1. Internal documentation & duty for the processor to notify the controller
   Is there risk to rights or freedoms? No
   Deadline for the organisation: On-going
   Required content: (1) Facts surrounding the breach (2) Effects (3) Remedial actions

2. Notify the DPA
   Is there risk to rights or freedoms? Yes
   Deadline for the organisation: Without undue delay (max 72h); can be in multiple phases
   Required content: (1) Nature of the breach (categories & no. of data subjects and records impacted) (2) DPO contact details (3) Consequences of the breach (4) Remedial actions

3. Notify the data subjects
   Is there risk to rights or freedoms? Yes, a high risk
   Deadline for the organisation: Without undue delay
   Required content: (1) Nature of the breach (2) DPO contact details (3) Consequences of the breach (4) Remedial measures

Response: Prepare your corporate crisis management team to deal with the unexpected

1. Initiate & Declare
2. Analyze situation
3. Develop objective
4. Decide on COA
5. Determine actions
6. Review & refine

• A consistent meeting agenda and structure is critical. It helps save time, set priorities and provide clarity.
• Obtain situational understanding and (re)gain the initiative
• Continually frame the crisis; new impacts might emerge, things might escalate quickly

Establish a clear on-going decision making process

Exercise to deal with the unexpected

Questions? Please come and find us!

Cyber crisis phases: Readiness, Response, Recovery
• Business Continuity
• Cyber Security

Key takeaways

• Incident Management
• Crisis Management
• Communications

High risk & big impacts:
• Regulatory
• Reputational
• Financial

Readiness, Response, Recovery

1. No industry is immune (every company’s information network can be compromised)
   • Not a matter of if you will be attacked, but when… & to what extent
   • Also, of equal importance, how you will manage an event/incident/breach

2. Cyber damages go beyond Euros
   • While the average cost is known, the long term effects on reputation, brand, morale, etc. are significant and take their toll on organizations – Good BC can help minimize this damage

3. Speed of attack is increasing and response times are shrinking
   • Cyber threats are asymmetrical risks (small, highly skilled groups exact disproportionate damage, and threat velocity is increasing while response windows are getting smaller)

4. Teamwork & Communication – None of us are as smart as all of us
   • Engage with your business leaders, your cyber security team, privacy professionals, risk & compliance team, and your forensics specialists in order to make sure that you have all of the input you need to keep the business going when problems arise.

Presenters

Johan Van Grieken
Deloitte Partner
IT Risk Management, Business Continuity Leader
Berkenlaan 8, B-1831 Diegem, Belgium
Phone: +32 2 800 24 53
Email: [email protected]

Ryan Reynolds
Deloitte Senior Manager
Cyber Security, Privacy and Data Protection Services
Berkenlaan 8, B-1831 Diegem, Belgium
Phone: +32 2 800 29 81
Email: [email protected]