So, first of all, I hope that you had a good lunch. And for those who just joined my keynote before the note, you know what you can expect in this workshop.
Actually, I already mentioned the handout I created regarding the questions to which you should find an answer before an actual attack happens. And the idea of this workshop is now to go through all these kinds of questions and to see how you maybe have already answered these questions within your respective companies.
So, it is a very, very interactive session. For the colleagues who have joined online in the stream, I will try to repeat all the answers you give me. Like I said, it's a very interactive session. The focus is on experience sharing. I'm also pretty curious to see how you have maybe done these things within your company.
Oh, this is working perfectly. So, let's zoom in a little bit and then we can start with the first part, communication. Internal communication. We already talked about that topic, especially in a ransomware attack, in an emergency case, there's time pressure on this topic.
So, how is the communication done within the crisis or the emergency team? Question to you. Do you have some kind of answer, some kind of solution for that problem? Will you use your old, maybe compromised infrastructure? Do you have an additional tool outside of your regular environment?
So, what is your solution for that? It is a workshop. It's an interactive session. It's not that I will present two hours just to make that clear.
Otherwise, we would stay here for a very long time. Pardon? Okay. What does phone book mean? Okay.
So, you have a regular phone book outside of your environment. Okay.
So, you will contact them just by regular company phone. Okay. Other ideas? Setting up a meeting in person, yeah. But how will you contact them to set up the meeting? If your infrastructure is still available and still usable, yes, of course. Other ideas?
Of course, there are, yeah. You're so badly prepared, really. Wow. Okay.
Yeah, of course. There are companies available at the market who offer this kind of third-party communication tools which will help you in case of a cyber emergency attack to at least communicate with your crisis management. If you don't have that, your company's done. Then you don't need to work any longer because if you don't have the possibility to communicate within your crisis team, so what are you going to do now? It's over at this early stage.
So, I hope that you aren't that badly prepared. The cost-efficient way might be just to set up a Signal group and to create some Google mail addresses for your crisis management team. Some of my CISO friends are also doing this scenario, but besides that, these kinds of solutions are that cheap.
Actually, we have 100 licenses for our crisis management team, the most important stakeholders, like the major IT colleagues, and we are paying 10,000 euros a year, which is nearly nothing.
So, therefore, it's very cost-efficient. It's not that expensive, but of course, you can also use Signal, Google mail addresses, and so on. How are your employees informed? What kind of strategies do you have to inform your employees? The ones in the office, but also the ones who are working remotely from home. Would it be possible to sit over there? Then I don't need to look every time at this. Thank you so much. It's easier for me; then I can just stand here. How will you inform your employees? Pardon? By phone? Okay.
So, everyone has a company phone? How will you reach these without a phone?
So, they gave you their private telephone address. Really? Their private numbers? Wow. Okay. I wouldn't do that. Private email? I also wouldn't give my private email to the company.
Of course, but due to GDPR, they are only allowed to use this for that purpose. Yes. It's a discussion where the workers' council needs to be involved, because if you want to reach your employees, you should give them the necessary tools, of course. Any other ideas? Paper mail.
Yes, they will receive it in two to three days. Okay. What would you think? What percentage of your employees know the number of the IT support? Do you know the number? Okay. What would you think? How many of your employees would? Really? Okay. I don't even know the number. That's a valid point. I don't even know the number. I have them in my phone, of course. It depends. For example, we are using Microsoft Teams and the intranet and, of course, email, but no one is reading the intranet articles.
So, this is out. Email, yes. If the infrastructure is still available or the accounts are still available, this might be an option. But think about when all the clients have already been encrypted. Okay. If they have the possibility to log on with another device, yes, it could be an option.
So, yes, we have talked about it, but it's more about the use case. Of course, yes. Just to give you an idea of what possible scenarios there are that you should at least think about. Okay. We'll start here. External communication. How do you communicate with your service provider, especially when you have decided to go offline with your whole infrastructure and your IT service provider still needs a connection to your network? Your forensic company needs a connection. Maybe some official authorities need a connection. How do you inform your suppliers?
Do you have an overview of your suppliers, all of them? What about the small local ones where, I don't know, marketing or sales or whoever had some contact with them? Do you have the contact details of all your suppliers to inform them, oh, we have been hacked. Please don't open any emails, any attachments which have been sent out of our environment.
And also, how are authorities informed? I hope that your colleagues from data protection know at least where they can report a data protection incident or something like that. But do you know from a security perspective which kind of authorities are responsible for you and can help you in the case of a cyber emergency attack? Do you have the numbers of them?
Of course, this is all information which you will find if you spend some time. But I don't know if you have that amount of time in this scenario. The faster, the better. The earlier you involve them, the more time you have. Any ideas to share? Any experience with that? Ever been in some kind of situation or maybe heard of a friend who was in the situation? Asking for a friend. And how do you want to communicate with the hackers, if necessary? Like I said, please don't do it by yourself. They are experts in that field. You are not.
But there are companies available at the market who can help you in that scenario. I would say most of them are very open about that because they are very professional.
I mean, on the other side, for example, if you buy ransomware or malware on the darknet, they have 24-7 support. And you have some kind of get-your-money-back guarantee if the ransomware will not start at the company you want to attack.
So, I'm pretty sure they have very good customer support. Like I said, in the end, there are people who want money to pay their bills, feed their families, and so on. Why shouldn't they answer? If this will increase the probability that you pay in the end, of course. I don't know if they are open for a local meeting, but maybe they have some kind of secure communication channel you can use. You can ask for evidence regarding the customer data they maybe have stolen, credit card data.
Of course, you need to check, or at least your colleagues from finance, HR, sales need to check, is this valid information? Is this information maybe old, from another hack back in the past? And how are these samples transferred? From an external device, something like that, an external service provider. We also talked about the press, how the press will be informed. I only can recommend that you have a very deep talk with your communication department, your head of press office, or whatsoever, to have some predefined samples for different kinds of scenarios.
Not only cyber security related scenarios, every emergency scenario, natural disaster, terrorism, whatsoever. And like I said, at least you can say something like, at the current status, or the current time, we don't have any evidence that actually our customer data have been stolen, something like that. Like I said, in the end, it can also mean that your monitoring systems are so bad.
Sorry, yes? Yes, of course.
Also, the legal department, especially when you want to get in contact with the hackers, to involve law enforcement, you also need to talk with them, if it will make sense to, I don't know the English term, Anzeige erstatten (file a criminal complaint). So, of course, legal also needs to be involved in that scenario.
So, when we talk about communication, communication templates, like I already said, press releases. Which of you has some kind of communication templates for press releases? Never thought about it? Okay. Okay. But I'm not, no, no, no, no, I won't talk to the press. I would recommend: don't let an IT nerd like myself talk to the press.
Oh, my God. That is the responsibility of the colleagues from communication marketing. Yes and no. I told the colleagues from communication that they need to have a plan for that scenario. I'm just managing the stakeholders, but this is one of the lessons learned. Please make sure you have a communication plan, how to reach to your employees.
So, in a cyber security attack, from a Vorwerk perspective, all communication will be the responsibility of the communication department. Every communication. With one example, one exception, sorry, when we're talking to the authorities, this is the only channel which goes directly through us, but everything else, press, internal colleagues, and so on, only communication. And we told them you need some kind of predefined templates. We will give you some information on what a good answer could look like, but they need to create these communication checklists.
Who, when, how, with what are stakeholders informed. We created an emergency cyber security emergency plan. And of course, we involved the colleagues from marketing and communication and gave them these tasks. And the head of communication is also a member of our crisis management team, which only consists of five to six major people.
Board, CIO, communication, legal, governance. Service partners. Which partners are relevant in which scenarios? I already said you need to think about a forensic partner before that, especially when we are talking about a cyber attack which will attack the whole peer group. When we think about three years ago, Log4Shell, Log4j, which was a problem for nearly every company. And normally these attackers are concentrating not on special companies, more on peers or different kinds of companies from the same peer group, because normally they're all using the same software.
And when we think about a scenario where, I don't know, maybe SAP or Microsoft or whatsoever have a zero-day exploit and the companies will be hacked, then the number of forensics companies will be decreasing extremely. So you need to be one of the first persons who contact them, that they have the time to come to your company. So think about that beforehand. Which service partner that can act and support you globally?
Not only the forensic companies, but when we are talking about to restore all these systems, you definitely need additional support from your external IT provider, which will send you an army of people to restore all these systems.
A friend of mine, a CISO, who faced a ransomware attack which cost the company 15 to 30 million euros, told me that his two members of the board, his managing partners, took two of the company cars and drove to every Media Markt and Saturn and bought all the notebooks they just found randomly, because it was the only way to have at least some kind of infrastructure to work with. These are real scenarios, it's not science fiction, it's not that we are the paranoid people from security.
And if you still think that you won't be the one who will be hacked, I can promise you one day every company will be hacked, including ours, including yours. Just go on Google, type in ransomware and click on News, and then you can scroll through the last months and years looking for successful cyber attacks.
Of course, you need an overview of your service partners. The service partners who are available, the service partners who need to be involved, who need to be informed. Like I said, you need to make sure that these companies are aware that you have been compromised, that maybe emails will be sent to them out of your network, but these are not legit emails. Maybe they have some malware attached. It was really funny, there was one time we received an email from an external lawyer, but obviously this email was sent out automatically because it had malware as an attachment.
And the funny thing is that this lawyer also offered a cyber security 24-7 hotline, and therefore I just called that number. And I said, yeah, hello, my name is Florian Jung, CISO of Vorwerk, and I just want to inform you that you have been hacked.
He's like, sorry, what? Yeah, you have been hacked. We just received an email out of your network which had malware attached. And then it was silent. And after around about five to ten seconds, he's like, okay, I've never heard anything like that before, but thank you very, very much for that information. Could you please provide all the necessary information?
Yeah, of course, we'll send you all the emails, all the log files, and so on and so on. And I think it was one or two days later, we received an official email from the executive board of the lawyer saying, yeah, we have been hacked, sorry so much.
Of course, the protection of our data and the data of the customer is very important, and so on and so on. Yeah, but this was a very funny situation, telling them, yeah, you have been hacked. What?
Yeah, we just received emails out of your network, it's very clear. Infrastructure. Infrastructure. SMS gateway.
Yeah, this might be a valid solution to send out SMS. Could be, but of course, you need to make sure that you have the numbers, the numbers of your employees. Like I said, I don't know if they will give you the private number. They don't need to. Not in Germany. So maybe you need to give them a company phone. For our crisis management team, like I said, we're using a third-party tool for the crisis management communication. We also have all of the private numbers of the crisis management team within that tool. But we asked them, slash, recommended to do this.
And at that point where the executive board said, yeah, of course, all of our VPs and SVPs need to give their private mobile number, there was a discussion about that. And of course, when we are talking about people which are on that high level of the organigram, then they want to be informed. Even in the middle of the night, if something that bad happens, because it will have a direct influence on their department. Network segmentation. Network segmentation, one of the most effective ways to reduce the spread of an infection, the lateral movement.
But of course, it is linked with some workload, some involvement, some technical know-how. You need to do that. But in the end, it will definitely help you. So for example, not in the office IT, but in the OT environment, we have very, very strong network segmentation to make sure that our production side is at least secure in case of a possible attack. Backup and recovery. I said in the keynote before, this is the most important lesson learned of this keynote or this whole topic. Make sure that your backups are protected against malware.
There are different kinds of fantastic companies available on the market. I don't know, Commvault, Rubrik, and so on and so on. I don't want to make any kind of commercial. We did not work with them, so I can give you some names. Just check who's available on the internet, get yourself an overview, but at least take care of these topics.
Of course, it is more like a native IT operations responsibility, not a security responsibility. But of course, make sure that you have your backups protected. And when we're talking about backup, we also talk about restart plan and recovery. First of all, you need to make sure that you know if there is a specific order to restore your systems.
Yes, there is. But you need to think about this. First of all, from a technical perspective, so which kind of system must be online before you start another one? We're talking about middleware and so on and so on. But also from a business perspective, which system is more business-critical compared to another one? And then we are back at the business continuity management. Because only if you have a prioritized order, which system is more business-critical than the other, you know which one should be the first back going online.
But this is a decision which needs to be made by the business itself. We had one situation where we had some kind of indicators of compromise in a web shop and we decided we are going to take this web shop offline. It was Friday evening.
Of course, on Saturday, there was a big marketing, advertising campaign planned, something like that. And the business told us this web shop needs to be online as soon as possible. And we contacted the external IT provider, said, okay, we found this and that. Please fix that. Install this patch and then we can go back online. And he told us, you don't have any kind of weekend support in your contract. Sorry. Why? I don't know. I just can't imagine what happened back in the days when they decided to sign the contract and realized, okay, weekend support, how much does it cost?
No, we don't need it. It's not that important. It's always the same thing when you say, okay, your application, how critical, important is it? Very critical, highly sensitive, confidential, secret data, high availability.
Okay, it will cost that. It's not that important. Not that important money-wise. It's more like internal. It's not secret. It's internal. Availability, 90% is also enough. At least it's cheaper at that point. But most of the business colleagues are not aware of the SLAs within your contract. They don't know what kind of RTO, RPO is really in the contract. They know how business critical their application is, but they have no idea what's behind them and you need to talk about that with them.
Of course, OT security is a very important topic. I don't know if you have some dedicated colleagues responsible for OT security. I'm very happy that we have those colleagues because when we started with OT security within my team, we realized we don't have any kind of knowledge about OT security. This has nothing to do with IT security or information security. It's far away from Windows web interfaces, something like that. The company I worked for before, Lanxess, a chemical company, for example, they had machines in their chemical area, chemical park, which were over 100 years old.
They don't have a web interface. They have nearly nothing. But of course, they are part of this OT security environment.
Therefore, it's a dedicated topic. We need special knowledge and it's also really hard to find trainings or certificates for your employees. How do you protect it? Talk to colleagues who are specialized in this topic. There are also companies available on the market. What we actually did was we had a look at the website of the BSI, Bundesamt für Sicherheit in der Informationstechnik. They have a top 10 list of OT security risks. We just took this list and checked if we have thought about all these topics. For example, secure remote connections to your machines.
We're talking about updates, firmware, and so on. Blocking USB ports. Backups is another topic. I still cannot remember the other ones. This was our first start. Besides that, we had found one training for employees. I sent two of my colleagues from my team to this specialized training. But I would recommend having a look for specialized companies in that, because it's a different kind of topic. Nothing to do with the Windows Office environment. Testing. Testing is a fantastic word. Some companies have some kind of restore plans, disaster recovery plans.
But I would assume that just a very small number of these companies actually tested these plans. I once participated in another keynote. There was a colleague talking about emergency plans.
He said, okay, it took us three months to create an emergency plan, and then we wanted to test it. We started the test, and on the first day, we came to point 0.1, and then we failed.
Point 0.1, then we failed. Okay, we went back. Four weeks later, we started the test again, and then we could make it to point 0.2. This is realistic. This is realistic. In every scenario, and we are testing our plan four times a year, we find something else.
Okay, an old email address, a number which is old, something we didn't think about. For example, that we know which kind of priority our systems have in terms of business criticality. Then we did a test with our external provider, and he told us, we have never seen this list. We don't have it.
Okay, here, this is our priority regarding restoring these tests. Or just a small availability test. Try to call your crisis management team in the middle of the night. We have also done that. Because in the end, it's better just to say, it was just a test. You can now go back to sleep. Sorry for interrupting. Instead of saying, okay, we now have a real attack. You need to come to the office now. But you need to test these. And of course, these disaster recovery testing backup plans, you need to store them also offline.
If you just have them on the SharePoint, and the SharePoint has been encrypted, it's done. Print them out, put them in the office.
Oh, that was good. Crisis documents, where are the printed crisis documents located? Asking you, who has actually printed the crisis documents?
No one, right? Yeah, that's actually not a surprise. Who has some crisis documents? When was the last update?
Okay, that's pretty close. You're still thinking about back in the days? Five years? Ten years? Okay. Especially when we're talking about contact details, which should be in the appendix of the plan to check, oh no, these colleagues are not working for us any longer. They left the company years ago. There needs to be some kind of update review test on a regular basis.
Of course, also about when we're talking about the IT landscape. It doesn't need to involve a lot of workload. Just to check it, I don't know, every six months, something like that. Just to check it, take your time, half an hour, one hour with the colleagues from security. Just fly through, see if it's up to date.
And then, of course, print out the new ones, not the old ones. Processes. Business continuity management. We also talked about that several times now. One of the most important things. If you think from a more theoretical perspective, information security should be part of business continuity management, not the other way around. Because in the end, the only thing we want to make sure is that the business can work. And therefore, information security is something which is helping the business continuity, not the other way around.
Sometimes, some CISOs also said, yeah, I now have the responsibility for business continuity management. I cannot understand why. Because I don't think that I should be responsible for, I don't know, the restoration of buildings when they, I don't know, had a natural disaster or something like that. It's not my responsibility, but this is part of business continuity management. So therefore, this should be the number one. The information security strategy should have one goal only, and this is to support the business strategy.
So from that perspective, it would be more useful if information security were part of business continuity management. Emergency shutdown plan. What does shutdown mean? If you want to, you can have a talk with your colleagues from IT. Ask three different kinds of colleagues, what does shutdown mean? You will receive three different answers.
One says, I will press a button, I will unplug a cable, I will click on shut down the system, hibernate, stand by, and so on and so on. But you need a definition for that if you are going to shut down the system or at least disconnect your whole infrastructure from the rest of the world. Define what disconnect means. Who is allowed to do that? Who is allowed to give the order to do that? Who's responsible? Who is accountable? These are all things you should be very clear about before that.
Do you have the possibility to do that, especially when we're talking about software as a service solution stored on a system of an external provider? Have you ever tried to contact them in the middle of the night? We need to take our webshop offline. How long does it take? Do they have a 24-7 number? Are you aware of this number? I don't know. Who starts and controls the shutdown procedures? Is it IT? Is it security? Is it the executive board? And when we're talking about all these stakeholders, you also need to think about a 24-7 availability. Maybe some of these departments want that.
Maybe communication wants to be involved in this scenario. But okay, fine. But then they need to give you a 24-7 number. They need to have someone on duty. Maybe they need to hire new positions. Or of course, you can also say, Friday evening, we can wait until Monday. Doesn't matter what happens over the weekend. It depends on your risk appetite in the end, or at least the risk appetite of your executive board and their accountability.
So, yeah, that's it. Do you have any questions about all these things we talked about? Any experience to share? Any insights? I have a question for you. You work at Vorwerk SE und Co. KG. How did you come to these topics and not to other things? I imagine Vorwerk SE is doing something else. How did you come to cyber security or such things? How did we come to these exercises?
Ah, okay, okay. So, the whole information security project approach started around about three and a half years ago. The Vorwerk family, which is actually owning the company, did a PwC audit and we received a big report with a lot of fields for improvement, to say it in a very political way. And therefore, they decided, okay, we will hire a CISO, which was luckily me. And I started to build up the team, defining the policies, setting up a strategy, implementing different kinds of technologies.
And after, I don't know, it was around about two and a half years ago, we decided, okay, let's have a check together with an external consultant and to make sure that the executive board is also more aware of this topic. Let's just check how good we really are in a simulated scenario. And that was the reason why we did this tabletop exercise to see how good are we working under pressure. And I still can remember when this external consultant asked me, Florian, do you want to be one of the players or you want to be one of the people who are doing the simulation?
I said, no, of course, I want to be one of the ones working under pressure, because in a real life scenario, I'm also one of the hackers and I want to challenge myself how good I am performing under pressure. So therefore, this was the idea behind it, to check how well prepared after, I don't know, two years of setting up the whole information security things regarding ISO 27001, how well prepared are we?
And like I already said, we had some fantastic lessons learned regarding the predefined samples for the colleagues from communications, setting up a third party communication tool, setting up an email template to send out to all employees in the case of cybersecurity attacks and so on and so on and so on. So this was the whole idea behind that. Here was another question in the first row. Yeah. So this is like a small handbook of topics to look at. I don't want to be hacked, so these are more preventive things to do.
So when my project is limited, what would be the top three that I should really be doing instead of all this? I want all this, but my CEO will say, okay, you just have to limit your project. Can I give you an answer independent of these things? Priority number one, first of all, patch your systems. I would say it's the most important thing. Patch your stuff. There is a reason why the providers, the suppliers will publish a new patch, a new update. Patch your systems. That's the most important thing. The second thing is use multi-factor authentication.
I think this will prevent most of the bad password problems we have. And the third thing is, because this is one of my major topics, raise the awareness of your employees. Because still today, depending on the studies, 70 to 90 percent of all cyber, whatever cyber means, security-related attacks are still focusing on the human factor. And only 10 to 30 percent are focusing on the system. So therefore, it's the biggest lever you have within your company to raise the overall security level. Yeah.
Okay, so thank you. So the first two, IT already managed, right? So... Pardon?
First two, patching and authentication, IT already managed. We told them that. I hope so. And then CTO, human factor. I'm very interested in the human part.
I mean, we do awareness, but awareness is just, I know, I want them to act, say. So how can... Test it. Test it. For example, we still have enough time left. So awareness is actually my major topic when it comes to information security. I also wrote a book about that, The Human Firewall, if you're interested. But unfortunately, it's only available in German. For example, we hired an actor. We hired an actor, and we gave him some kind of task with different kinds of points.
Then, for example, get access to the building, steal a prepared laptop, place a USB stick. And after that, we published these results to make our employees actually aware that there was some external person, some stranger within your building. And he did all these things, and nobody recognized that. There are so many fantastic possibilities in terms of awareness, what you can do. We created some podcasts. We showed a lot of live hacking, because for those who are not that technically familiar, this has some kind of eye-opening effect.
We created a whole campaign regarding information security for family and kids. The idea behind that is when you see something which is so important for you, that you will teach it to your kids, the probability is very high that you will use it in your daily life. And you will act like a role model, because I can ask you for those who have kids, when did you start wearing a helmet again while riding the bike?
Of course, when you're outside with your kids. And that's the idea behind this whole information security for family and kids campaign.
Of course, we are also doing phishing tests, which I really, really like. And I can only recommend doing web-based training on a regular basis. So in terms of awareness, there are so many very, very fantastic possibilities. And in the end, compared to the colleagues from data protection, we are very lucky that all the things we teach our employees they can use in their daily life. So I would always focus on the human factor part. Any other questions?
So first of all, we don't really have a monitoring system in place which can check, I don't know, this colleague failed 10 times, 12 times a phishing test. In the end, it doesn't matter for us. We want to raise the overall security level.
Of course, we cannot make sure that everybody else is following the procedures, the requirements. So the first question would be, do you have a monitoring system in place? Do you know?
Okay, you talk to him or her, what was the reason? Then you talk to the next person in the organigram. Sometimes you need to escalate things, of course.
Yeah, sometimes you need to escalate things. I mean, in the end, most of these things are policy requirements. And of course, you need to talk with your colleagues from HR. What are we going to do if someone is not fulfilling our policy requirements over and over again? It's the same as stealing, I don't know, office equipment. That's the same thing. We need to escalate it. And I'm pretty sure your executive board is also aware of these things because in the end, they are accountable for this stuff. But I would always recommend trying to explain why it is important.
Of course, there are still some people who don't care. You cannot save everyone. All right. Good. Then we still have one hour left for networking. So grab yourself a coffee, have a talk with the other colleagues. Thank you very, very much. Like I said, I'm available on LinkedIn. This might be the easiest way. So feel free to contact me.
And yeah, I wish you a fantastic event in the upcoming days.