Test Cyber Breach Exercise Reveals Gaps in Planning

By Denise Johnson | January 12, 2016

The chance of a cyber security breach increases each and every day, according to Jim Satterfield, COO and president of Firestorm, a national company specializing in emergency response, crisis management, crisis communications and workplace violence.

In addition, it takes about 240 days for companies to recognize a breach has occurred in their system. As a result, a business’ response to a cyber breach is not an IT problem, but rather a business problem.

As an example, one Firestorm client purchased flash drives from a big box store and found them all to be infected with malware.

Last month, Firestorm offered an exercise for participating companies to test their response plan in the event of a cyber breach to identify gaps and the impact to business.

According to Satterfield, a predict, plan and perform process provides a roadmap when responding to a cyber breach.

The exercise was recommended for senior crisis team members, business continuity teams, crisis communication team members, senior leadership in IT, operations, internal audit, finance, human resources, security and other departmental business units that want to work together more effectively during a crisis or disaster.

The cyber breach exercise was hosted by JLT Specialty USA, a U.S. subsidiary of Jardine Lloyd Thompson Group plc, a specialty-focused insurance, reinsurance and employee benefits provider. Panelists included Stacey Giles, director of Enterprise Solutions MIRS; Shannon Groeber, SVP, Cyber/E&O practice JLT USA; Thomas Tollerston, manager IT Advisory Cyber Security at Dixon Hughes Goodman and Jack Healey, managing director at Firestorm.

The interactive exercise was designed to help businesses identify potential gaps in their cyberattack plans through a simulated cyber-crisis. Through the interactive exercise, participants learned the warning signs and indicators of a cyber breach, encountered various crisis scenarios and evaluated what participating companies are doing currently to protect themselves.

“With the increasing risk of cyberattacks, businesses need to be prepared and ready to take the appropriate course of action in the event of a cyber-crisis. These simulated exercises will not only help businesses determine if they’re equipped to handle a cyberattack, but provide them with useful tips to identify potential problems and put realistic crisis plans in place,” Steve Bridges, SVP of Cyber/E&O Practice at JLT Specialty USA, said in a statement.

The Exercise

The company COO works on the 2016 budget and places it on a thumb drive. A Human Resources employee takes the thumb drive and works on the budget from both home and work. HR is also working with a new agent on all company insurance coverages. The agent uses a direct interface and all employees can access it via dual authentication.

The crisis begins on a Tuesday when the company’s HR department uploads the personal information of all employees to the agent’s website. The business also notices its system is sluggish so the helpdesk is alerted. The business’ finance department is alerted that a fraudulent wire transfer was stopped by its bank.

Questions to ask:

  • What do you know?
  • Are you concerned? If so, about what?
  • What is your plan?
  • What are you going to monitor? How? Who will do the monitoring?
  • What are you going to communicate? How?

Tollerston said that if this constituted a data breach, then the bank providers should be contacted in order to investigate further.

This is the time to review insurance policy notice obligations, according to Groeber. She said that it is a good idea to include this task in any business response plan. Also, at this point in the exercise, she recommended getting the insurer involved.

On Wednesday, comments expressing HR’s relief at passing the higher insurance rates on to employees appear on the company’s social media accounts, Twitter and Facebook, as if posted by the company itself. In addition, the agent portal experiences issues.

Questions to ask:

  • What changed? Exercise participants indicated that a hack occurred at the company and its vendor. Malicious intent was also noted.
  • What is the plan? What will you do, monitor and/or communicate? Participants noted that it might be a good idea to notify executive management.

Healey said that 60 percent of cyber breaches occur within the supply chain, 30 percent occur as a result of an inside job or by a disgruntled worker and 10 percent are the result of an anonymous hacker.

On Thursday, a news story reports on data breaches at local schools and businesses. The company is alerted that its employee information is available on the dark web. Insurance coverage is denied. The company also receives an alert that its funds were transferred via ACH, so no recovery option is available.

Panelists say the decision to bring in law enforcement is a strategic one. While the situation is getting more complex by the moment, the company has to decide on whether it should wait to collect more details before communicating the breach to the public. In addition, reporting requirements vary by state.

According to Healey, the decision to report the incident to law enforcement can be a tactical strategy. For example, when a company is trying to stop a wire transfer the FBI or Department of Treasury will need to be contacted.

Tollerston recommended face-to-face or phone meetings, or communication via Google Hangouts created specifically for authorized personnel only, to avoid the problem of a compromised email system.

On Friday, all of the company’s systems are shut down and it receives a ransom demand requesting money in exchange for system control. Law enforcement wants to investigate. The agent/insurer traces the breach back to the company.

Before a company agrees to pay a ransom it must seek approval from the insurer, said Groeber.

It turns out that all of the thumb drives had been infected by an offshore criminal network with various malware, including a keystroke logger. The spreadsheet with the employees’ personal information was intercepted before encryption. In addition, an email that contained an infected video was opened by an employee. The fake social media messages were created by the hackers to cause chaos and confusion. Several phishing emails were also sent to employees.

Accountability is the key factor. Tollerston outlined how the failure of administrative and technical controls highlighted the need for a remote access policy and a vendor vetting policy, as well as the value of using antivirus systems to scan USB thumb drives.

Groeber said a policy might not cover all areas because of the unique exposure of each business; policies aren’t one-size-fits-all.

Companies need to stay vigilant and look for clues, signs and markers of a data breach, said Healey. These include such things as a system running much slower than normal, receiving an emergency request which circumvents normal protocol and a social media disclosure of leaked information.

Giles recommended the three C’s of crisis communication:

  1. Coordination: Be cautious about who is sending the internal message about a cyber breach and determine whether there will be a response option for those affected.
  2. Crisis: How and what information will be communicated to maintain consistency with brand/reputation.
  3. Compliance: Serves the dual purpose of notification and remedy actions to mitigate/limit impact. Also informs vendors.

Companies can download the brief from the session by visiting http://firestorm.com/cyberexercise, or for a guided self-assessment of existing programs, contact webinars@firestorm.com and reference the exercise.

Next month, Firestorm will present an active shooter test exercise for businesses and schools.
