Okay, perfect. Let's start. I was asked to do this presentation in English. I hope you are fine with that. First of all, good morning from my side. My name is Florian Jörgens. I will say some words about myself on the next slide. First of all, what can you expect within the next 60-70 minutes? My goal is to create a really bad mood.
Yes, and this will work, definitely. So, expectation management is clear. The mood will be at the lowest possible point. This might be good for all upcoming speakers because it only can get better. But you will also receive a lot of benefits. You don't need to take pictures. I will send you all the slides. I will give you all the slides.
So, this is not necessary. Just to give you a short introduction to myself, Florian Jörgens. I'm currently the Chief Information Security Officer for the Vorwerk Group.
Vorwerk, we are famous for the best kitchen appliance in the world, the Thermomix, and our famous Kobold vacuum cleaners. I have been working for Vorwerk for around about two and a half years now.
So, what are we going to do today? We are doing a tabletop simulation.
So, you will take over the role of the CISO, the Information Security Responsible, the IT Security Responsible. And your company has been hacked, and you need to make decisions.
So, this will be a very interactive session. So, I hope that you will all take part in that, and we will have a very interesting and active discussion. We will simulate this in four rounds, and each round I will give you additional information about what happened, what is the current status. And after each round, I will ask you, as the person responsible, what is your next step, what is your next decision. There is no right and wrong. It's not about the best practice approach. It's depending on the situation itself.
But each round I will give some hints about what might be useful at this point of the current attack. So, let's start with the introduction. First of all, it's Sunday evening.
Of course, it's Sunday evening. It always happens Sunday evening. It could not be Monday morning or Tuesday morning, so it's Sunday evening. Your colleagues from IT receive some calls, emails from your employees saying, my computer isn't working anymore. I cannot start it. There's a skull on the screen.
It's very, very strange. And then your IT colleagues decided, okay, we will declare a major incident. We'll put all incident, all tickets together, and then they will call you, the CISO, the person responsible for information security.
Hey, there's something going on. Please, we need you. Have a look at what happened. Typical ransomware attack. The attacker says they stole some customer data, and if you will not pay the $2 million in Bitcoin, then they will publish these customer data, and with every hour you wait longer, the price will be higher. The $2 million is just a fictional number. So if you will be the victim of a ransomware attack, you will get an individual offer, depending on the revenue of your company. So if you are a big company, it's not very unusual that they want $20 million.
If you're a smaller company, we're talking about $500,000 up to $1 million. So you will get a very individual offer, perfect for your company, depending on the revenue. And they will choose an amount of money that will hurt you, but on the other side, that you can pay, because you will get it back within the next two, three years, something like that. We will start short and small with a short interactive question. What is your first step? Three possibilities. First of all, you can contact your forensic company to get some more insights.
They can help you to see, okay, how did the attackers come within your network, for example. Or you create a Microsoft Teams channel and invite all the relevant stakeholders to get a better overview, to have a possibility to communicate.
Or, number three, you will declare the emergency, the crisis case, by writing an email or by phone. So who wants to do the number one, the contact to the forensic company? Please raise your hand. Your company. Okay. Number two, creating Microsoft Teams channel. Inviting relevant stakeholders. Okay. And number three?
Okay, that's the most of them. Perfect. All of these things are possible, but normally it makes sense to declare the crisis and the emergency at a very early stage, because normally this is related and combined to additional resources, to additional possibilities, what you can do next. And it will start a communication channel. So therefore, this is always a good idea to start first with declaring the emergency, the crisis. Time is still running, so you need to make your decisions fast.
From the beginning, we had 40 computers, 40 clients infected, and due to the fact that the employees on Monday morning are all starting their computers, we have now around about, not we, you, around about 130 computers infected and employees are affected from different parts of the organization. So be prepared for a global problem, a global crisis. Maybe you will receive an info mail from a CISO peer network saying, ah, some scanners found something within your network.
But to be honest, at this early stage, you don't have the possibility and the knowledge to take care of that because you're still trying to figure out what happened. Let's imagine that you have also some shops, some local shops, and some of them also start their computer on Monday morning, so they are also infected. Some of them are still offline due to a public holiday. But you can now imagine that you will have a customer impact very early, because some of the shops cannot work any longer. So think also about that. So what needs to be done now? Like I said, there is no right or wrong.
After that, I will give you some ideas what you could do now. But it's related to a specific case and your specific company. So ideas. It's an interactive session, like I said. What are you going to do? You're the CISO. You're responsible. Yes? So coming back to whose company it is, I'm just looking at something new. There are two requirements on reporting to your central critical facility. So depending upon what type of company, when you declare the emergency, under EU law, that's now going to start certain timing requirements.
So at some point in time, hopefully, the first thing the CISO calls was the general counsel. Mm-hmm.
Good idea, yes. Other ideas? Yeah? Containment, yes. Containment. So the first one for the people who are online with the stream. Containment of the infected computers, yeah. Other ideas, yeah? Starting to document the incident. Maybe another one, yeah? Mm-hmm. Infected customers, yeah.
Last one, yeah? Mm-hmm. Very good point, yeah. Thinking about PCI DSS. First of all, explaining the situation to the security management team. Getting an overview. Getting the right people, the relevant stakeholders, all together and validate action items and create a plan. Containment and defense, yes. Looking now in the news for the last weeks, months, years, this is the thing where most companies failed. They all try to, or they're deciding too late to disconnect the systems from the Internet because they think, we can handle that. The business impact might be too high.
And you can see every successful ransomware attack is based on this problem, that they decided this too late. Business impact discussion, yeah. Talk to the business, definitely. Initial stakeholder information, yeah. If you have some reporting requirements, due to NIS 2 or maybe data protection because the attackers told you that they have customer data. I don't know if it's true. You don't know if it's true. Talk to the workers' council, maybe to the employees, law enforcement, and so on and so on. But we will get to this point later on.
Core team, create an action plan, communication plan, and think about additional budget and resources. This will be extremely relevant in the upcoming rounds. There are some points which could also be relevant. Potential data protection impact, analyze other incidents, or engage a forensic company. Let's move on and let's imagine that we handled the situation like nearly every other company. You did not decide to disconnect the systems from the Internet, but maybe you contacted your forensic company. Then you receive a security report.
In the security report, typically, there are some hints and some ideas what you could or what you should do next. They will also tell you, disconnect the system. We are not talking about shutting down systems because in this case, you will delete or destroy all the forensic evidence, but to disconnect the systems from the rest of the world, from the Internet.
But if you are going to do that, please think about maybe you need to work with a forensic company who is working from remote or your IT provider, and they still need a connection to your company, so you just cannot remove all the cables and then you are fine. You still need to think about how you can work together with the external companies. Analyze: are new admin users created? Are the existing ones compromised? It's not that the attackers just installed ransomware and then they are fine. They are still trying to figure out, okay, can we implement a backdoor?
What kind of possibilities do we have to extract additional information, customer data, or maybe we will come back later in some months. So you also need to check: are new admin users created or are the existing ones compromised? Check ransomware lateral movement, to get an idea how the systems were infected. So what is the way of the ransomware, of the malware? What could happen next? Further malware. Like I said, it's not that they installed the ransomware and then they are done with that. Maybe they installed additional malware. And check your backups for infections.
If you want to take one lesson learned from this presentation, from this workshop, it's that one. Make sure that your backups are resistant against ransomware.
This will, sorry for saying that, save your ass. Definitely. This is the most important lesson learned. There are a lot of different providers available at the market. Choose one, but please take care of this. There was a question, yes?
Yes, yeah. Yeah, we will talk about that. Thank you. So backups, checking for infection. For infection, first of all, that your backups have not been encrypted and that you do not back up infected files. So make sure of these things. If you have already thought about that and you have a solution, plan the setup of new network segments. You cannot restore your data within your old infrastructure because it's totally compromised. You need to build up your whole network infrastructure.
Again, as a new segment where you can later on restore your data and your information. More PCs are infected. The employees are still starting their computers. We are now talking about roundabout 300 PCs. And due to the fact that you probably did not decide to take the whole company offline, congratulations, your servers are now infected as well. SAP is not working any longer. Customer relationship management system is not working any longer. We are now talking about thousands of employees, of users, who are affected.
At this point, what could now possibly be the worst thing which could additionally happen? What do you think at this point?
Of course, it's going viral. It's going viral. The customers are now complaining. Their devices are not working any longer. They cannot buy your products in the store. And now there's pressure on this topic, definitely. But there's also pressure from the inside. For example, the sales department contacted you and said, CISO, the CRM system is not working any longer. SAP is not working any longer. The shops cannot work. But I need to sell products. I just bought a house. I have a wife, two kids. I need to pay my bills. So what can I do? When can I work again with the system?
Of course, you could tell them, Do you have a workaround? Ah, this was part of the BCM project. This is continuity management. This was a project we skipped last year because it's too much work and nobody wants to take care of that. And it's not really part of the CISO environment. And due to the fact that it's getting viral, now the newspaper is asking your head of communication, I found something on the internet saying, Your company has been hacked. Please provide some information about what happened. Why did that happen? Are customer data impacted?
And please do that within the next 60 minutes. Otherwise, we will write something by ourselves. This is also fine with that.
So, like I said, the mood is getting lower. That's fine. What are you going to do next? The list of tasks is getting longer, definitely. But what are your initial steps now? Just raise your hands. Like I said, there's no right or wrong. It's about an interactive sharing of ideas. Try to increase employee morale and not regret all the decisions that are made.
Okay, increasing. Partially a joke and partially not. Because if you don't do that, then you're going to start making bad work decisions instead of making the right decisions. Increasing the morale of the employees, yeah. If you have a possibility to communicate with them. Because imagine Microsoft Teams is not working any longer, Outlook and the intranet.
So, how are you going to reach your employees? Interesting question. Yes? Marketing people involving, yes. Anything else? Any ideas? Yes? You should now contain, okay. At least at that point, yes. Yeah?
Oh, talk to your insurance. If you have one, there are pros and cons, yeah. Maybe they have a forensic company which can help you.
Yeah, last one. To isolate the attack vector, yeah.
So, first of all, advise the shops to take the systems offline. Definitely at this point to contain the possible infections. Are there alternative work scenarios? Maybe they can still sell their products and write it down with pen and paper. And after that, you will get an army of students within the company. And then we'll just type it within the SAP system. Possible scenario. Isolate all infected systems. Separate the relevant network segments. Request proposal for emergency operations from IT services and from business. I will talk about that on the next two slides, what that means.
Like I said, make control or make sure that no admin users have been created. Ask the group IT service provider to check availability of the unencrypted backups. Lessons learned for this one here. But then you also need to prepare a clean network segment where you can restore your data. Evaluate contact with the hackers.
Yes, this is a possibility. But the important thing here is don't do it by yourself.
Please, don't do it by yourself. There are some specialized companies available at the market who are experts in talking, discussing with criminal subjects. Definitely. So please don't do it by yourself. You can talk with them. Absolutely. I have seen some real screenshots of a ransomware attack where they have given a Christmas discount of 10%. So to be honest, on the other side, there are people at the end and they are working.
Yes, of course, it's a criminal business, but they are working. They want to create revenue and you can talk with them. It's business in the end. I will talk about that. Thank you. Evaluate necessary steps for potential Bitcoin payments. I will also talk about that in detail later on. Communication strategy. Watch on social media on how to reach your employees. This is a very interesting topic. So how? Just answer the question for yourself. How can you reach your employees when Microsoft Teams, the intranet, and Outlook is not working any longer?
I am questioning this every time and there are different kinds of answers. There was one guy who said we will send them an SMS. Every employee has a company device. Wow. I have never seen a company where this happened. Then another one said we have an app developed where we can send out messages to all of our employees. Does everyone have a company device?
No, no, they need to install that on their private device. Oh, the workers' council is going to love that. They are going to love that, that employees need to install a company app on their private devices. They will love that, definitely. So you need to think about it. I had one situation from a CISO within my network who told me that their IT department printed out posters and they just put the posters within their company building to make sure that when their employees will come to the building that they will directly go to the field support and not start their computers.
Yeah, communication. Yes? This is a part of the external communication.
Okay, you received feedback from your IT department. The server has been shut down. Employees were sent home and all other systems also shut down or disconnected from the internet. On the other side, the infection party is still going on on the clients because your employees who could not be reached are still starting their computer. But congratulations, your backups are safe. They are not encrypted so you can use them to restore all your data. We just talked about, or I just mentioned the point about additional resources, additional budget for the IT colleagues. Let's just do the math.
Okay, the IT colleagues told you installation of PCs and laptops eight hours per device. The shop systems have less software. We're talking about five hours.
Server, two days per system. SAP, three days per system. And now do the math within your head. So how long will it take to restore all these systems? Your IT colleagues will be working overnight. They will work for 10, 12, 14 hours. This is a realistic scenario. They need to do that. But if they do, then you need to make sure different things and additional questions will now appear. Where will they sleep? Who has some beds where they can sleep? Who has a credit card to pay for the food when they still sleep in the office and restoring all the systems?
I just talked to a friend of mine who is a CISO who went through a ransomware attack. His company has around about 1 billion revenue and 5,000 employees. And then he told me that their responsible top management took two cars and drove around Nordrhein-Westfalen and bought all the notebooks they could get from MediaMarkt and Saturn because they had not any other devices where they can restore their data. And this is a realistic scenario. So there are additional things you need to take care of. Due to the fact that it went viral, it's now in the newspaper, of course.
And at least at this point, you need to involve the law enforcement. I personally think you should do this as early as possible. We are working very close together with the State Office of Criminal Investigation, LKA, Landeskriminalamt, and especially with the colleagues from the ZAK, Zentrale Ansprechstelle Cybercrime. We work so close that we invited some of the colleagues to our awareness session to share some insights how we are doing this as a company. But you only have advantages if you do that as early as possible. Because first of all, they need to take care of the confidentiality.
So they will not tell that you have been hacked to other companies or to the news, of course not. The second thing is they probably know already this attack surface, this attack vector, because you are not the first company who has been hacked. So they can give you additional information. What is going to happen next? What is the goal of the attackers? Are they from Russia? Are they from China? And they can also give you some additional information. Maybe if Europol had found your customer data in the darknet or something like that. So involve them as early as possible.
You always have a benefit of that. It was now in the newspaper.
Of course, then your supervisory board has also taken knowledge that there is something going on within their own company. And yes, they are asking you, okay, what happened? Why? How could that happen? We are paying so much money every year investing in security, in IT security. I thought we have 100% security. But they want answers from you. So what are you going to do now? Any ideas? You're the CISO, not me. Not in this case.
Oh, quit, okay. You should have done that earlier. Yes? We talked about earlier with engaging external experts. Part of that would be I think they could help perhaps with the messaging to show that this is not unique even though we have this much that we're still in the process. Showing what is going on. Getting that information from your peers with similar stuff. To show the board that it's happened to other companies. Other companies have succeeded. It's just part of us being successful. Mm-hmm. Yes.
Oh, this is part of the business continuity management. Yeah. Yeah. Yeah.
Yeah, of course. But you need to make sure that you have that before. Because if you ask now the business, what are your critical systems? Everything. Everything. We need to work. We need to work now. And then this is a funny situation we had at the Vorwerk Group. Last year we had an indicator of compromise that our web shop could have been infected, and therefore we decided to disconnect it from the Internet Friday evening. And the business was not very happy about that. And they told us, oh, we need that system on Saturday. There is an event and so on and so on.
And then we contacted the respective, the relevant IT provider who told us there is no weekend support within the SLA. But nobody was aware of it. Maybe the business was, back in the day when they signed the contract, deciding, oh, it's too expensive to have a weekend support. And this system, we don't care if it's not available on the weekend. Yeah. Yeah. Of course. Yeah. So you need to make sure from a security perspective that you have some kind of manager on duty 24-7 concept. What needs to be done now? Business impact analysis versus Bitcoin payments.
I'm getting this question every time. What should I do? Should I pay or should I not pay? There are pros and cons for both decisions. There's one pro or one argument for paying a ransom: if you don't have any money, if you don't have any other idea what you could do now. If your backups have been encrypted, your whole infrastructure has been encrypted and closing the whole company is the only alternative, then you should pay.
But on the other side, there are more points why you should not pay. First of all, you are talking to criminals. And I don't know how trustworthy they are. So will you receive your decryption key? Will they delete the customer data? Now you might say, okay, Florian, but that's their business model. And if they will not give your data back and delete the customer data, then their business model is gone.
Okay, then they will be back next day with another name. We don't know. So this is the first thing. Second thing is you will be on a list. You will be on a list of the companies who are willing to pay. And the criminals are very well connected. They are talking to each other. Not like the security persons within the companies who sometimes don't want to share their knowledge, which is, from my perspective, a bad thing. And the third thing, you also need to restore your whole environment. You need to build up everything new because it's compromised. It's infected.
It's not that you will receive a password and type it in and then, okay, let's go back to work. We're fine. We just paid.
No, no. You need to build up everything new from scratch.
So, therefore, it is a good idea, from my perspective, not to pay. But if you want to or if you decided to pay, there are questions which need to be answered. First of all, who has access to Bitcoins? Who is the owner of the wallet? Who has the accounts on different platforms? You cannot transfer 20 million U.S. dollars on a Binance account. What about tax? Anyone thought about tax when we send Bitcoins? I don't know. But you need to think about that.
Of course, yes. Depending on the country you are working. Yes. Yes. Absolutely. So you need to think about that before. Back up. We talked about the production discussion.
Currently, you are not selling your product. So why are you going to produce them? Maybe it makes sense to talk to the production and tell them, okay, send your employees home.
Currently, we don't need to. Yes. If you have the possibilities. I don't know any company who has the possibilities to do that, to be honest. And the problem is you don't really know who is the attacker. You know a system. But if you are trying to attack this specific system, maybe you have now another problem because you attacked them. Yes. Yes. If possible. Yes. If you want to, you can contact the hacker group and ask for an example of the stolen customer data. Maybe it's not true. Maybe it is true. I don't know. But like I said, don't do it by yourself.
There are companies available at the market who are experts in that. And, yes, how to reach employees. We already talked about that. Round four and, therefore, the last round. If you receive an example of the leaked data, the business has to check, are these real credit card information or are they fake? Maybe they have been stolen two, three years ago. I don't know. But you need to check that. Let's assume that no admin users have been created. Workers' Council is, of course, asking you to send all your employees home, but they will receive their monthly salary.
Please, we need to document that to make sure that they still get their money. And, of course, the sales department is still asking when they can work again.
So, yes, like I said, you need to make sure that the business is now checking the data. If these are true customer data, data protection, you need to report that. If you decided to restore the systems, you must think about a plan. Which system can be restored first? Maybe there are some dependencies. Maybe you have a system which needs to be online before another one can be restored and can be started again. You need to talk about that topic with your IT.
Of course, scan your network. Ask IT to prepare a comprehensive recovery project.
And, of course, progress communication to the stakeholders. We at the Vorwerk Group had done this simulation. And if you take a normal size company, the conclusion after four weeks: roundabout it took you, or it will take you, four to six weeks to recover. Social media went calmer. There are still data gaps due to the fact that you write down information, maybe while using pen and paper. And the servers were up and running roundabout after nine days. We had done this in nine rounds live for four hours. And I can promise you after four hours, we were so exhausted. We were definitely.
It was done together with an external company. And they had a clock. And after every 20 minutes, they said, okay, round is over. What are your next steps? What are you going to do now? It was high pressure, high stress. But this is a real situation. This is a real simulation. As you can see here, these are the exact slides I used for this presentation now. We had a lot of participants, especially from the top management, our COO, CFO, CIO, IT security, data protection, head of communication, all involved. And after we had done it, we received two major benefits.
First of all, especially due to the fact that there were so many participants of different kind of departments, and ransomware attack or crisis is a situation where nearly everyone is involved and has to do something. It's not that, okay, ransomware attack and IT security is taking over and tell us when we can work again. Everyone has to do something. Head of communication needs to talk to the newspaper. Data protection needs to contact the authority. Finance needs to maybe think about potential Bitcoin payments. COO has to make a decision about the production.
Everyone is involved, and they all need to work together. And the second benefit is I've always been asked, okay, Florian, how do you get budget? Budget for employees, resources, for systems. And we decided when we're in a communication with a top management, we are using a fictional KPI. So it's not the real KPI. It's just for our communication strategy. And our benefit is based on this KPI, the return on damages not incurred, to make sure that we are a preventive department. We make sure that specific damages will not incur. And this is our benefit to the company. And this helped us a lot.
I went through a similar situation working for my last company, a chemical company, Lanxess, based in Cologne. We had some indicators of compromise of a Trojan software within our systems. And due to the fact that we could not make sure that the malware is only in the software and not within the hardware, we decided we will change all the hardware from our network.
So our IT colleagues, it took around about six to eight months, traveled around the whole globe and changed all our servers, racks, and the whole network infrastructure because we could not make sure that the malware is not within the hardware. I know this is a lot of information and a lot of questions. And to make it easier for you, I just created a short handout. If you want that, just send me a short LinkedIn message, click on the three dots, connect, and then please send me a message that you want this handout, not only the invitation. On these seven pages, you will only find questions.
There's not a single answer within this document, only questions. How are you going to reach your employees? How can you pay bitcoins? What does disconnect mean? Am I going to pull out a cable while standing next to the router, to the Fritzbox? And who is going to do that? Who is allowed to do that? What does that mean? Where are the IT staff sleeping while they are restoring the systems? Who is contacting the hackers? Who is talking to the external providers? And so on and so on. You are responsible to find answers for all these questions.
We still have some time left, so I will pick out some questions of this handout, and I will ask you that we continue with the interactive part, and I'm looking forward to you sharing your ideas, sharing your insights. How did you do that within your company? So therefore, first of all, thank you very much, and then we will continue with some questions from the handout. Okay. So... I need to share this. Perfect. It's working. Okay. Let's start with the communication part. Internal communication. How is communication done with the crisis emergency team?
So how do you solve that within your company? Let's think about Microsoft Teams. It's not working any longer. Outlook and intranet is not working any longer. Maybe someone is now saying, okay, but the probability that Microsoft Teams is not working is very low.
Yes, but it's compromised. It's totally compromised. The attackers can have a look within your communication. So you cannot use it.
Yeah, of course, it's still available, but you should not use that because it is an unsecure channel. So how are you working within your crisis team if your infrastructure is not available or compromised? Emergency contact list?
Okay, and then by phone? Okay. You have that printed out, right? Because on the SharePoint it's... Perfect. Okay. Other ideas? Yeah. Have you been in contact with these people? It's almost like a fire drill when you leave.
The thing is, I want every supervisor to report to me: have you been able to make contact? How many people are you responsible for? How many were you able to contact via phone, which everyone should have?
Yeah, everyone should have a company phone. No, no, perfect. But how do you get the personal numbers? So I think this goes back to the point of a supervisor interacting. You go to softball leagues, sports, social events. I would say in most companies, and then the flip side is, on Monday morning for those people who physically come into work, that's probably your best bet. I would say in Germany it's not very common that your company has the personal or the private phone number of your employees because the workers' council will not like that.
But yes, it's a possibility, of course. Yeah? Meet in person, but how will you make sure of that? Because first you need to contact them. This was one of the lessons learned we had.
Sorry, one thing. We licensed what we call a third-party communication tool. There are different kinds of tools available on the market, Fact24, Alert Media. So we have a tool with only 100 licenses, and when we press a button within our app, we will create a telephone conference and invite all the necessary, relevant stakeholders from the crisis team. Another very cheap solution that a CISO, a friend of mine, told me about: they created a Signal channel. They just installed Signal and created their own Google Mail addresses, which is a valid scenario, and that's the cheapest one.
Just create a Signal channel, invite your crisis management team, and in case of use, this scenario, of course. Top numbers and random numbers, and then you print it out on paper. Yeah. And then everyone's calling everyone and saying, please, please, please, the numbers are there or not. Whatever you can imagine. There was a hand. Signal group. Or, in case of need, WhatsApp. I know data protection and so on and so on, but we are talking about a crisis, an emergency. Yeah.
Yeah, they should be involved, of course. Yeah. Different things you need to think about before that happens. Okay. External communication. How do you communicate with your service provider? How are authorities informed? How do you want to communicate with the hackers? How will the press be informed? This is an interesting topic. Has someone ever talked with your communication manager, head of communication, and do they have some kind of prepared templates, something they can give out to give you some additional time, something like nonsense?
"We are securing our company based on best-practice approaches, and currently we don't have any information that our customer data has been stolen," which means that your monitoring systems are so bad that you did not get any information, but you did not say anything which is not true. Okay. Wow. And it's also important, if the press or the employees or the suppliers need to be informed, don't let the IT guys do that.
They say, I'm an IT guy myself. I don't want to do that. I just send all the relevant information to marketing and communication, and they will write something. They will create a fancy statement.
Otherwise, we will give out too much information. Yeah. Communication template, a communication checklist: who, when, how, with what are the stakeholders informed. And maybe you will then realize, okay, in IT, we have 24-7 security. Maybe we need 24-7 in marketing and communication, in HR, workers' council. Like I said, it's Saturday evening, and we cannot wait until it's Monday, so we need to make sure that the people are available. Service partners, overview of service partners globally. Who has a list, an overview of all your service partners, or thinks they have most of them?
Okay. And the ones the business had contracts with, applications on a cloud platform you've never heard about, typical shadow IT.
Yeah, that's also a problem. Which additional external parties are required? Forensic service provider. It is also very useful to get in contact with forensic partners before something has happened, because especially when you have an attack or something like Log4j, which infected or affected nearly all companies, the number of forensic service providers is limited. So it makes sense to have someone in mind. Maybe your cyber insurance company will have someone they can give you access to.
One of the things that we advise when you're doing supply chain risk is just talk to your accountants and do a budget analysis of where you spend the most money on third-party services. That usually indicates a heavy dependency, based on the proportion of the amount of money spent. So the accounting department can also help you provide some basic information. This also relates to business continuity management. What are your relevant providers? What are the business-critical processes? And therefore, what are the business-critical systems that are supporting these processes? SMS gateway.
Maybe this is a possibility to reach your employees if they have company devices or they give you their private phone number. Network segmentation. Backup and recovery. We also talked about that. Like I said, make sure that your backups are protected against ransomware. Not only that the backups cannot be encrypted, but also that you will not back up infected documents. Restart plan and recovery. This is also very interesting, especially when you talk about the priority of the systems. So sometimes if you...
Well, not sometimes, very often. If you ask the business, what is your critical system? What are the critical processes? Everything. We are the most important department within the whole company and all of our systems are business-critical.
Okay, okay, okay. Then you will tell them, okay, these are the requirements which need to be fulfilled because the classification is, I don't know, confidential or secret and availability and integrity is very high. And they say, ah, okay, we are not that business-critical. We are not that business-critical. We are more public classified, maybe internal.
Yeah, but there needs to be a list, together with the colleagues from IT, of how they are going to restore the systems, what is the priority, what is the right order, what systems need to be online before you are going to start other systems. Yes? But also backpiling. I've seen companies where they say, we're not a critical system, and then they look at the data and they... Yeah. Especially when you tell them the price, okay, you need MFA, you need encryption, this and that, and then it's getting more expensive, and then they decide, okay, we are not that critical. We don't have that money.
Yeah, of course. You need to talk with them. You need to create the awareness for this topic and you need to make sure that they have a realistic classification. Yes? So where in the recovery plan would you cover the aspect where you said for sales you started taking stuff by hand or one of the things you talked about was manually processing as part of the recovery. So when you start doing manual stuff that is not using EPR, PSD2, so when you collect a lot of that data that potentially opens up another channel... Of course.
How in the recovery process do you account for closing those loops and perhaps doing triaging? Where does that fit in the recovery process? As early as possible because we are talking about workaround and this is also part of business continuity management. So we are here talking more about the technical recovery process. Crisis documents.
Oh, this is a lovely one. Who has a crisis plan? Emergency crisis plan? Okay. Printed out? No? Oh! I like that question because some of them have crisis documents stored on the SharePoint, and then they are encrypted. I have printed out version 0.3 and the newest one is, I don't know, 4.something, and most of the people who are on the contact list have already left the company. Crisis documents. Have you ever tested it? Okay. Perfect. Very good.
I was once at a conference and there was a presentation about crisis plans, emergency plans, and the CISO said, okay, we created a very good crisis plan together with external consultants. It was a really good plan. It was six steps to get back on track, and then we tested it. In the first test, we came to step one and then the whole thing fell apart, and then it took them two months. They changed some things, they implemented things, and then they tested it again, and then they came to step two.
Yeah, but this is a realistic scenario. It will also fail at the point when you cannot reach the people from the crisis management team on Saturday evening because they are on holiday. They don't have access to their computers, something like that. Then you realize, okay, we need to make sure 24-7 availability and then you, okay, next time maybe you have the possibility to create a conference call and invite all the relevant people from the crisis management team. The next step would be, okay, let's contact our provider.
Okay, number is not available. We now have a problem and then you will move forward and forward and you need to test it, test it, test it.
Processes: who can declare a crisis? Is it the CISO? Is it the CIO? Is it the top management? And when someone is not available, who then can declare a crisis, and what are the points where we are talking about a crisis and not a problem, not a major incident? You need to document that within the crisis plan. Business continuity management, emergency shutdown plan, defining what shutdown means: unplug server, rack, shutting down the system, cutting the energy connection. I don't know. What about Microsoft 365? How are the service providers integrated?
If you decide to disconnect or shut down systems, maybe your IT colleagues will not have the possibility to do that because it's all in the responsibility of the external service provider. So even if they want to, they cannot technically do that. They need to call the support of the external service provider and tell them, okay, we need to disconnect the system.
Yeah, okay, it will take eight hours maybe. I don't know. You need to check that. Okay.
Yeah, like I said, the mood is at the lowest point. I'm very happy. So do you have any additional questions, anything you want to share with this audience, your insights, your ideas? Yes? Okay. Yeah.
Sorry, there are two additional things, especially focusing on the people. One of the lessons learned from our tabletop exercise was that we now have a written approval from the top management that we, information security, reporting to governance, and the colleagues from IT are now allowed to disconnect any system from the internet without asking the top management. It's based on professional judgment, because the top management realized, okay, we need to have more time, or time is the important part, so they should not ask us.
These are the experts, and if they decide, okay, we are disconnecting this system, then they need to do that. And the other thing: the friend of mine who went through a ransomware attack, which cost the whole company, including the loss of production. Like I said, as a company, 5,000 employees, 1 billion revenue. It cost them around about 15 to 30 million euros, all inclusive, the whole ransomware party. And he told me one thing, which I found extremely important.
The employee who had local admin rights combined with some other rights, who clicked on the link within the phishing mail, which led to the whole ransomware attack, does not know that he was the one who clicked. They didn't tell him. They know who it was, but they did not tell him. And I really like that idea because, on the one side, there is no benefit, so why should you tell him, but on the other side, I think the pressure is so high for a single employee. What is he going to do with that? That his decision, his failure, cost his employer 15 to 30 million euros. What's the case?
So they did not tell him. They know, but I really, really like that they did not tell him that he was patient zero.
No, no, no, no, no. No, no, no, no, no. It's a combination of different things. Local admin rights. Local admin rights, I think, are a pain point within every company. We have developers who say they can only work with their own programs and their own systems. They have admin rights, or there are people who have had admin rights for years. They did not need them, but they always had them and they don't want to give them back. And so it's a combination of different things, and you cannot judge just one single employee for his action. Yes? Which policy?
Yearly, like all of our documents. Yearly, together with our policies, we have some kind of cycle to control and update them, and we do that on a yearly basis. How often do you practice this again? Because usually you practice it one time. We just tested this last year, but to be totally honest, we are still working on the lessons learned. So for us it does not make sense to do the whole tabletop simulation, but we will simulate an emergency call this year. I think next month. Next month, definitely.
And we will just try to get the relevant stakeholders from the crisis management team together in one conference call. And I'm pretty sure this is not going to work. To be honest. Yes? So the solution must make sure of two things. First of all, that your backups cannot be encrypted by ransomware, and that you do not back up infected files. There are different providers available on the market.
Commvault, Rubrik, Dell. Just have a look. Choose whichever you prefer. I don't want to do some kind of marketing. So there are different kinds of companies available on the market. The important message is that you think about that, that you are aware that there are solutions available, and that you need to check your backups. Yeah.
Of course, but unfortunately I have to say you need to define that for yourself. It's the same when we talk about, okay, which application needs to be restored first, and then we find out, okay, what is middleware? Is the middleware an application?
Yeah, not in a classical way, but then the IT colleagues say, okay, but first we need to start the middleware, which we did not have on the screen, for example. Yeah. So we can use internal communication. For example, we can check one infected PC. This was just an idea to do that. There are tools available on the market, FACT24, Alert Media, where you have a stand-alone solution. The Signal solution is just something a friend of mine told me they used. But this is something you have to decide for your own company. I'm just sharing ideas. Like I said, there's no right or wrong.
There are, I don't even want to call best practices. There are ideas how you can manage this system. There are possibly answers to these questions, but there's no right or wrong.
Yes, of course. Like I said, the probability that Microsoft Teams is not available is very low, but the probability that it might have been compromised, this is a valid scenario.
No, because we don't have a cyber insurance, and I don't want one. I don't like the whole concept, because from my perspective, I think the money you give to a cyber insurance company might be better to buy some new technology or invest it within the awareness of your employees. So the cyber insurance is good for the last, I don't know, 5%, but most of the companies do not reach the 95%. And I can say it also for us. We are not at that point that I would say, okay, we still have 5%, let's get a cyber insurance.
So therefore, when I have the budget, I would always invest it in the people, because still, depending on the studies, 70% to 90% of all cyber-related attacks are still focusing on the human factor. So you have the biggest leverage to increase the overall security level or implement it in maybe an audit or maybe in a tabletop exercise, something like that, or new technologies. There are so many possibilities where you can invest your budget compared to a cyber insurance company. But this is just my personal opinion. I have a follow-up on that.
Have you heard of anybody being contacted by the banks, where the lending criteria require certain types of security coverage because they're worried about their exposure and things, and this goes down, and then this goes back into their life? No. Yeah. Okay. Yeah.
Because those are the two lever points from the external parties where the actual cost of the budget, whether it's insurance or the lending, is challenging. We had a discussion one time with an airline years ago where, you know, you say to a banker, you point to an airplane in the sky and say, that's the security for your loan. You'd be unhappy if that thing fell out of the sky. So the airlines were not really interested in making their airplanes more cyber-secure. They didn't have the money to fuel those types of efforts.
So you get the leverage point from the banks to say, you know, you want to borrow money from us, you need to make sure that the thing stays in the sky. Back in the day, I think it was three, four years ago, there was a company in Switzerland, I think it was called Mondelez, which is related to Milka, the chocolate company, and they had been hacked. And after that, they asked their cyber insurance, okay, can we get some money, some additional help?
And the cyber insurance told them, due to the fact that this attack came from Russia, we are now in some kind of war scenario, which is not covered by the cyber insurance. So if you have insurance, make sure what is covered. For example, CEO fraud. Mostly CEO fraud is not covered within your cyber insurance because it's not related to an IT system, when someone picks up the phone and calls your financial department asking, please transfer, I don't know, 10,000 euros to a bank account.
Okay, I don't know, okay. But the insurance companies always find a way not to pay. It's their business, so who's judging them? All right. One last question. The answer is simple, practicing, practicing, practicing. When we organized this real tabletop simulation, I was asked by the external company on which side I want to be, if I want to be some kind of the moderator and the lead through the tabletop simulation. I told them, no, of course not. I want to sit on the other side because in the real scenario, I cannot be the puppet master in the background. So therefore, you need to practice this.
Practice, practice, practice. One final question. Are there any organizations or certifications that you would encourage CISOs to participate in to share this knowledge? Are there any organizations or trade associations you would recommend? Organizations in which? Trade associations or professional certification bodies where other CISOs can work together.
Yeah, there are a lot of different conferences available. I'm a huge fan of networking. So this is one of the reasons why I'm speaking very often at conferences and security conferences, and I'm trying to build up a network, because like I said, the criminals are very well connected and they talk to each other. Which company did you attack? Was it successful? And so on and so on.
And we, from a security perspective, as the persons responsible for information security, need to do the same. So participate in conferences. Share the LinkedIn details. Talk to your colleagues. Maybe build your own network. There are different kinds of conferences available.
Yeah, try to build your own network. Stay in contact, but also share your own knowledge. Maybe if you create a template or an Excel file, a PowerPoint presentation, small things, or talk about a good process maybe you have implemented, a good incident process, a simulation you had done. Share this knowledge with other CISOs and other information security people, because we are all sitting in the same boat. We are all working on the right side, on the good side, and information security has only one goal, and one goal only, and this is to support the business strategy.
So what we are going to want or what we want to achieve is that our colleagues from business can do their work. This is our only goal, and if we share all our knowledge, I think we can all improve our overall security level. Just send me a LinkedIn message.
Yeah, just send me a LinkedIn message. Connect, and then please send me a message if you want this. Just don't only send the request, otherwise I have no overview, and then I will send it to you.
All right, we have still 10 minutes left for coffee. I will be available the whole day, and of course tomorrow there will be two slots, a panel discussion, and I will do the presentation in a shorter form again tomorrow, but if you are here today, you are not going to miss anything. So tomorrow we will just skip the whole discussion part within the handout.
So yeah, if you have any questions, like I said, I will be here today and tomorrow. So have a great conference. Thank you very much.