InfoSecurity wasn’t the only cyber-security event in London this week - on the other side of the Thames, Wall Street Journal’s Cyber-security executive forum saw board execs being brought up to speed with the latest cyber-threats and how to tackle them.
In some cases the same themes were covered at both events, and in at least one case, with the same speaker, as Becky Pinkard, CISO Aldermore Bank, ran from the opening discussion on how to respond to attacks - The year in hacks (see below) - to a similar panel at Infosec.
Pinkard was joined by Yvonne Eskenzi, founder of Eskenzi PR, in a discussion chaired by Kim Nash, deputy editor of WSJ Pro Cybersecurity.
Nash kicked off by asking what it meant that, following mergers, hackers were being found to have been inside the acquired networks for two, three or four years before they were detected. Eskenzi responded that it showed how sloppy the acquiring company’s due diligence had been, citing the case of the Marriott hotels as "Doing everything you shouldn’t do." For Pinkard it showed the complexity of M&A deals, with the security layer being brought in as an afterthought when it should have been under consideration alongside the financial aspects of the deal. She noted how attitudes have shifted: while security pros have always said security should be considered at the outset, now businesses realise security needs a seat at the board. But even now, she noted, there’s "A lot of talk about it (the importance of cyber security) but less action to back it up."
Eskenzi emphasised the need to get staff on board, noting how people will find ways around security processes if they are clunky. It is the company that needs to change to overcome this and get security right at the outset, because the financial repercussions are not just a one-off hit. She cited studies that showed: "If you are breached, share price initially drops three percent, but then three years later a breached company will be underperforming by some 15 percent."
However, it does depend upon how you respond, hence there are exceptions, and Pinkard pointed out that: "TK Maxx had its POS compromised, then it bounced back thanks to its handling of the issue and it actually did better the following year. So handling of the issue can be key to how a company recovers."
How you handle things can also have a negative effect, with Eskenzi noting how Facebook’s response was a disaster, again providing an example of what not to do. "You don’t ever want to be arrogant. They took ages to respond, five days to have Zuckerberg comment, and then it was to blame others. You need to be transparent, honest and have empathy with your customers; for example, you might need to apologise. BA did it right, they took out advertising to speak to their customers."
Pinkard agreed, noting that some companies had responded straight away to being breached, whereas the fact that Facebook let it sit for a while suggests they had not anticipated this and had to craft something, while the industry echoed the football chant of ‘they don’t know what they’re doing.’
"They need a plan and rehearse it the whole time. Over and over. Have a planned message, and demonstrate integrity, honesty, get legal counsel involved, have cyber-insurance, and you need your pros and executive in line, knowing what to say and saying the same thing," advised Eskenzi.
Pinkard adds, "And if you don’t know something, you need to provide assurances that you will find out what it is you don’t know and you will come back within a defined time with what has happened, and that it will then be back to normal. Not a series of trickle-down updates that seem you don’t know what’s going on. You need a timeline and end point." Leaders need to be kept up to date and have confidence in their message.
With reputational and financial loss from a shutdown now exacerbated by GDPR fines, some ransomware attackers are leveraging the regulatory fines to say, "Pay us the ransom or we’ll tell the regulator you were breached." In view of this increased pressure, SC Media UK asked the panel - is it ever acceptable to pay a ransom when you’ve been breached?
Pinkard replied, "I have always said ‘Don’t pay ransoms.’ (But more recently within the industry) I’ve been getting feedback that at the top tier there may sometimes be a time to negotiate. So I expect we will see evolution in that thinking, especially when they are targeted attacks for money."