Panel | The Roof Is on Fire - Ransomware Attacks and Their Impact on Companies

And it has a wonderful title of the roof is on fire ransomware attacks and their impact on companies. Now I'm really looking forward to this, present this panel discussion because each one of the members has agreed to talk about their real world experiences, either in consultancy situation or directly, those of you who were in this morning will have already heard from Stefan. So I'm just gonna ask each of the panel members to introduce themselves and just to have a brief statement on the topic and we'll start with Stephan. Yeah. Thank you very much.

My name, my name is Stephan Berger. I'm the CIO of the Mabu group. I'm a victim twice of a cyber attack. And now I speak a little bit how that impact means for, for a company and how you can go through the cyber attack and what the preparations for the next one. All that's great. And then Patrick, we should still have you there, what's your opening statement on this topic and what's kind of your skin in the game, so to speak. Okay.

So my understanding is in that, in that incident response situation, you wanna have a plan, you have a written plan, but you also want to be trained because this is very similar to any firefighter situation. You don't wanna have a firefighter that is working just with a written plan. So they do exercise that they training, and this is what actually the situation should be at it or at business dealing with an incident situation. Okay. And we should hopefully have Caston also waiting in the wings.

Hello, Caston, introduce yourself. And again, just give us an idea of, of your perspective and, and, and how you are able to contribute. Perfect. Thank you. So my name is Kawi I'm, I'm a lawyer. So I'm coming with a legal perspective. I'm lawyer with men. Besland Stuard. We are quite a, quite a big law firm with like 100 lawyers. I'm I'm partner in the it and data protection office.

And, and we have advised within the last two, three years, quite some companies within such incidents. And I, I think I would join in with my, with my pre speakers. The important thing is just to be prepared. We will go a bit more into detail. And I would like to add, especially we have the topic about insurance at the moment. One of our clients had a, had a big incident. They had big damages, but they were not too afraid because they had an insurance and now the insurance is not paid. We suing the insurance because of such and ransomware out tech.

So it's quite interesting case I will talk a bit about that later on. That's great. Thanks. And so the first, my first question to you, three, is do organizations typically underestimate the potential impact of, of a ransomware attack? What do you think, Stephen?

I, I guess, yes. So from my, from my view of, of cybersecurity, the, the ransom attacks or cyber attacks are the most critical thing at this point that the company can hit. So it all other stuff like fire or water or theft in the company is protected and the procedures are clear, but they don't know what happens when a cyber attack occurs. And from a consult stand point of view, KA would, would you say that's fairly true that most companies sort of underestimate or fail to understand the, the potential impact Carson? Yes.

Yes, absolutely. So, so as I said before, they, they they're, can you hear me? Yeah. They're the most companies are, are not really prepared and, and would prepare and see being prepared.

I I'm, I'm talking about three steps mainly. So first of all, really think about an insurance check. If the insurance is appropriate to yeah. To mitigate your risk, establish it security, and think that's the part where we all come together. That's on the one hand it's it's technical security, but it's also organizational security, especially regarding ware tech. You need really training of your employees.

And as, as we were before, you need an incident response plan to know how to react really fast in case of an incident. I think that's the, the most important major points.

Okay, great. Thanks Stefan. This morning, you mentioned that this, the two cyber attacks that, that you successfully fought off, but you didn't say whether it was a ransomware attack or not.

Was it, was there a ransomware component or There were both ransomware attacks. We have been headed and, and I totally agree. The three steps are completely necessary to do a cyber attack or cyber security is organizational thing. The it department technically assists the management and the rest has to be done by the management top down that the CU that the employees are aware what cyber tech means and they're how, how they proceed and that it's affecting the whole business, not only some departments.

So what if, if there were sort of two or three things that you would say, like, I wish I'd known this before I'd been hit. I mean, what, what did you learn from, from, from the ransomware attacks that you go, like, if I'd only known that or focused on that or taken that sort of more seriously, We are much more well known, prepared.

We, we, we have a measurement of, of our it security. We have installed a lot of software and procedures to be aware when something occurs in the network and then how we react after, after we have detected the ransomware.

And that's, that's for the, for the it organization, a dramatic change when you change from, I know nothing to, I know, much more than before, and then how to proceed and react Patrick, from your experience, what were the kind of things that you could do before and after a ransomware attack, that's kind of are the most useful or most helpful from kind of a real world experience. So I would add to that random situation that in, in quite often, the encryption is the last step and attacker us. So we had that situation twice.

So it was not a pure ran somewhere attack, but was an encryption at the end of a journey. So this understanding was really new for us. And so that we have to deal with more than just the ransomware. And the other thing I would add to that discussion is the, the unlearn, even if we had some situation, we have to think about that the next attack would be different and not just deal, just doing the plan. So we have to, to focus on what is necessary for, for the moment, for the situation and not just working through a plan, and this can be done with a good training.

So because you have to get trust into your tools, your plan, your management team, your it stuff. This is what, what really is very important and can be prepared.

Thanks, Carsten, from a consultancy point of view, what would you say are the kind of, or what would you say is the single most important thing any organization can do to reduce the likelihood of, of getting hit by a ransomware attack? And then in the event of being hit to kind of mitigate that, that impact and, and make it be able to get back to business as usual, as quickly as bus as possible? Yes.

In, in the incident. So that the last case I talked about was our client thought it would be a best idea to immediately call the insurance because the insurance said, okay, you, you insured here, but we will send you our experts and stuff. And within the incident, so this insurance was, was called and was informed and they sent all the experts. And in the end, the, the insurance used the information they got by the experts to, to try to, to, to, yeah. To say they, they are not paying.

So, so I think it's a good, it's a good idea to really have, have a team of, of mutual experts to, to really help you in the case of, of an incident that mainly technical experts, but it's also legal experts. And that's another point I just shortly wanna like to mention what is really, really underestimated by some companies is, is the impact of the, of the GDPR, obviously, because in, in, in, in ware attack, obviously it's also about personal data. The attacker gets access or gets all the personal data of, of customers, of employees. Yeah.

And the problem is that the GDPR wants or has a specific yeah. Notifying obligation.

So, so first of all, we have to notify, or you have to report to authorities in most of the cases. And in some cases, if it's really urgent, and if it's severe tech, you also have to inform the data subject within 72 hours. So that's an application of the GDPR, which is totally underestimated because the companies, first of all, try to secure their business and stuff and, and underestimate the impact of the GDPR, which also wants, or, or sees obligations to inform either the authority or the data op subjects, which you usually don't want as a company. And it's a good idea to prepare for that.

Okay, great. Thanks Carson. I just want to remind our virtual audience to start preparing the questions now. So I'll come to you Stephen, this morning in your presentation, you said you managed to reduce the impact of the first incident from nine weeks to 48 hours, which is brilliant.

And, and that just goes to show how effective pre-planning can be. But if you were to, to, to identify perhaps the single most important thing you did between attack one and two, that that made the biggest difference, or like if, if you were told, like, okay, of all the things you did, you can only do one.

What, what would you pick as being like the most effective thing that you did? The, the most effective thing? What we have done in the organization is that, that we switched the responsibility for cybersecurity out of the it department, right into the management while they, the management decide all topics in the company and they, they spread out the informations and at least they give you the money that you need for the technical assistance. And that was the most important thing for us to do. Okay. That's great. Because we've only got about sort of four or five minutes left.

I'd like to ask the audience here. I mean, you've got three very experienced individuals. Who've now been through this. Stephan's been through it twice.

So, I mean, this is a great opportunity to, to ask questions so that if you find yourselves in a similar position, you're gonna know exactly what to do, because I think from the Smallings presentation, we just learned that experience counts for a lot. So we've got a question here in the room. Thanks. My name is Patrick. My question would be more around governance, because usually we say about texts like this ones is quite impromptu. You don't plan for it.

How do you go around the procurement and convincing your Exco to sign on any other supplier and by when you have chosen a supply in particular, and last question in that one, because of the sensitivity around the cyber, you have to publicize it to invite people for the RFP to give you solutions. How do you really make that kind of decision? Thanks. That's a great question. Okay. So the question was for me, Yes.

I Think, okay. Yes. Okay.

What, what we went into was into a business decision discussion because at the end digital or new innovative things have to correspond with security measures. So actually it's dealing with security should allow innovation and wise versa, innovative things have to be secured by design. So what we did a, a good conversation with our business units about security by design. And this will include during an evaluation of a new solution or during a contract negotiation that we have some guidelines and security is part of the decision at the very beginning.

Another at the end, just with testings, Is there anything that you would like to add? Castin No, not specifically.

As I said, I think it's always important to not, I think we need the, the it part. So we always have the technical questions and we have the organizational questions and we have the legal questions, I think. And it's good to have experts from all of these, these, these, these specific fields together because lawyers obviously can, can judge contracts and legal questions, but it ends with some technical specifics. So it's good to have the team together and to work together, I guess.

Okay, great. Thanks. Are there any more questions in the room? Come on. This is a great opportunity to speak to people who've been in the trenches have been ducking and diving the bullets and, and can tell you really what worked and what didn't work. Because I think that's one of the things that we, when we went through the ransomware workshop yesterday, a crucial point in a ransomware incident is never let a good incident go to waste, make sure that you analyze it and, and take away the learning. So that next time you'll be better.

And, and I think from this morning, Stephanie, you were great. Testing me again.

I, I think that's fantastic. Nine weeks down to 48 hours.

I mean, that's just brilliant. Yeah.

That's, that's hard work to do so we, we have free structured everything. So from scratch. So after the first one, we have nearly had a green, green field approach. So we have lost everything and then we could establish a new security layer and migrate all systems to zero trust. So that effects after cyber attack. And we have also a lot of lessons learned from the second one to adopt our security strategy. And we will learn with the third and with the fourth and with the fifth. Okay. Now that's great. So now Caston, I have a question from you from our online audience.

Can you tell us what a ransomware attack means for you as a lawyer? What are your responsibilities? So usually the lawyer always gets asked as a last, so, so we only come usually in place when it's too late, when, when the incident occurred.

And, and at the moment, as I said before, it's especially, it's a question of data protection. Most of course, first of all, it's, it's a technical question, how to handle such an incident, but in the end, it's also also legal question, especially regarding the GDPR. So usually we are, we are asked because of this reporting obligations with 33 and 34, the GDPR, which as I said, if there's a likelihood that some third party gets access to your personal data, either customer data and or employee data, you have to report in most of the cases to authorities, which the company doesn't like too much.

And then as I said, some severe cases, you also have to report to the data subject. So you have to inform your clients. And that's a CV matter. It's a question of, of how, how fast, what do you tell them first of all, to, to inform them properly, but also to prevent any claims by them because that can go come afterwards.

So, so you see it's, it's full of legal questions as well, and that's where we can usually. Okay. Now that's great. Thank you. I just wanna check quickly whether there's another question in the room, otherwise we'll just ask each one of you to briefly sum up or, or just tell us what your, your key takeaways are. Any questions in the room going, going? Yes.

Yes, we do have a, we have a question in the room quick, Quick question for Patrick. You mentioned security by design. Can you elaborate a little bit on that? How do you go on with this prospect?

Yeah, it actually, wasn't an outcome of all those situations we had, we did a good job in the it department. We had emergency plans. We had all prepared. We had the detection tools and testings and all this stuff, but at the very beginning, security was not part of any business decision and this is what we had to establish.

So that is a process we are right in the middle of, we did a new global security framework approval just a few weeks ago and thought we have some new roles and we really focus on security as a built in measure and not as a separate policy organization or something like that. So in, in it terms, it is more the SecOps approach, but then we have development teams and we also have to bring in security into that discussion. And this is what we are going through right now.

Okay, great. Thanks. Unfortunately, we've kind of come up to the end. So just parting shot from, from you Stephan, sorry, just parting shot. You kind of take away key takeaway. Yeah. Be sure that you can be heated anytime. So cybersecurity is an ongoing process And Patrick, I wanna double that. So it's not the question of when we become, if we become a victim. So it's just a question of when, and if you go into that preparation, I would say, don't believe that this is an it thing. So it's more a management, a business, the user part of it, because they have to be aware.

They have to take the risk. They have to decide about it. And at the, at the end, it's, it's a lot of work for the it department, but really it should be a business decision. And if you could prepare not only it as well, the business units and divisions, then I would say you are well prepared. Okay. That that's fantastic. Last word to you. Custom. Yeah.

I, I try in what pet just says. Obviously it's a, it's a management decision, but you, as it department, you, you should have, should erase the awareness because you should explain why it's, why it's dangerous, what can happen, what the results could be.

And it's, it's important for you to prepare a plan. But as, as we heard before, it's, and in the end, it's a decision of the management to, to give money for that, to give resources for that, because usually most of the companies only learn when it's too late. So it's good to raise awareness before. Okay. That's great. Thanks. Very much wonderful presentation from all three of you guys, and I'm sure we could have gone on for a while, but unfortunately we have to kind of move as swiftly.