Event Recording

Christopher Schuetze: Prepare & Invest Now – And Survive an Incident or a Breach Tomorrow

Okay, so Ashford already introduced me. My name is Christopher Schuetze and I'm responsible for the practice cybersecurity at KuppingerCole Analysts, which means I act as something like the bridge between events, research, and advisory for cybersecurity. I'm honestly very sorry that Mr. HUSA from URA is not able to speak, because I was also very excited about his topic, but I hope I will also give you some interesting insight into cybersecurity, especially into the topic incident response management. And honestly, this is really a good example for an incident. Being prepared for something is the core message, and the headline is "Prepare and invest now and survive an incident or a breach tomorrow". So first of all, we will start with the agenda: at the beginning is chaos, and nobody knows what to do, who to inform or who is responsible. The second part will be drivers.
So why invest into incident response management? What are the benefits? What do I have when doing it? And then, also a very interesting part, is questions to ask during an incident. Honestly, those questions are better answered before the incident, or maybe as a preparation for the next incident, but never during an incident. And last but not least, if I was not able to convince you, I hope the closing slide will do that. We will cover the benefits of investing into incident response management. At the beginning is chaos. On that slide, you see a lot of important people: from the CSO, team leads, PR, external partners, data protection officer, line of business manager, IT operations for sure, and security analyst. Imagine you have something like an incident within your organization. So who to inform first? Who is responsible of all these people? And this is really something you need to prepare for an incident.
If you have something like an incident within your organization, the first step is to sit down together with all of your important stakeholders and create something like a RACI matrix, so responsible, accountable, consulted and informed, and set it up. Or first of all, identify the relevant stakeholders. Is it a line of business manager? Is it a CSO? Is it a security analyst, or is it IT operations? And if you have identified them, you can rate them based on the RACI matrix. And this is something like the first step. But again, think about it: you are currently the victim of an attack or just a normal incident. So you also need to know how to start the communication path. You need to know who to inform first in that case in the core team, because the attackers, it is something like a cybercrime industry. They do not care about our European working hours from nine to five and not at the weekend; probably they will attack at the weekend at 11:00 PM. And if you detect it at 11:00 PM, you need some communication path to inform your core team, which is able to do something against an attack. And this is something you can prepare. You have to prepare, because if you do it during an attack, so Saturday in the evening, it will not work. So the core message: do it before an incident happens.
Okay, next slide. This is more about why you should invest into the preparation, because preparation is effort, and effort is expensive. That's the one thing. But honestly, this is a simple question: if you do not prepare and you become the victim of an attack, this is much more expensive than taking care of some processes, of some organizational stuff, of the core team. And this will save you a lot of money. So here on that slide are four or five core items, which are also relevant drivers for you. And at the end, it's all about money, about costs. You will lose your reputation. Just think about it: you are an organization which offers some as-a-service software via a cloud provider, for instance, and you are the victim of a distributed denial of service attack and your service is not available. Your customer will not be happy about that.
And they will tell you that, they will tell others that, and you will lose customers and reputation, and at the end money. Something I've mentioned on the slide before: the quantity. We have a huge amount of attacks currently happening, and it is increasing year by year. For instance, from 2018 to 2019, we have an increase of 380% of ransomware attacks. So someone is blocking you from accessing your data, your service, your computer. And this is really a lot. It is almost four times. And the simple question is: will I become a victim? If it is worth it, someone will do it. So you should really prepare. Another important topic or driver for investing into incident response management is the digitalization. With all its benefits, it also has some disadvantages, because processes within an organization are digitalized. They are supported by computers, by IT.
And if one of those items, of these software items, is not available, you have to have a plan B for that. And this integrates almost into the hybrid model. Today it is very complex. We have on-premises, we have as-a-service, we have many interfaces, and currently, due to the pandemic crisis, a lot of people are working from home. They use their private networks. Are they protected enough or not? This is also something you need to be aware of. And at the end, the costs: becoming the victim is really expensive. You have blackmailing, you have ransom if you pay them, you have the loss of customers, you have the forensic costs, or maybe you have the loss of important goods, like your construction plans for something important. To summarize in one sentence: you will lose customers, reputation, knowledge, and at the end money. And this is why you really should invest into preparation.
The next slide is a little bit more about the hybrid topic. Honestly, it's really complex and the time will not be sufficient to discuss it in detail, but the graphic on the right side mainly describes it. You have a different level of responsibility: you have on-premises, you have infrastructure as a service, you have platform as a service and you have software as a service. And on the other hand, you have IT service plans, from network, system, application to device to data level. And depending on what area you are working with in your hybrid service stack, you have different responsibilities, and this is really essential and important for you to know. And mainly you have to ask yourself three important questions here. First of all, do you really know all the service providers who are involved in your organization? Just imagine the typical new agile project, supported by one of the C-levels, which has to achieve fast results.
Someone uses his credit card to buy a cloud service at AWS, for instance, and for sure they use some real customer data to test something. And maybe you don't know about that. So this is really a critical topic, and this happens more often than one of us would believe. The second point is service level agreements. You need to have them, depending on the responsibility model, depending on the services you buy, and they should cover something like 24 times seven, for sure a high level of availability, and also some failover capabilities. And also for business continuity management: if you are not able to work anymore because some of these services is interrupted, you have a big problem, and this is why you should have a plan B, like a prepared preparation, if one of the services is not available. And last but not least, if there is an incident, do you have all the needed access to the cloud environments, to the platforms that are needed to recover your services, to recover the data, and also to get forensic information? This is honestly one of the important questions on that slide, because in many cases you do not have access on that level that is needed. So on the other hand, you need some SLA here that one technical guy is 24 times seven available for you. And this is something which must be covered.
And another important driver for incident response management is laws or other regulatory requirements. They are a good driver because they force you to do something; especially the GDPR is here a highly relevant topic. And an important thing: if you get the information that you have something like a data breach, you only have 72 hours' time to inform the regulator. And the interesting thing here is that the law or the regulation does not care who gets the information. If it's the man or the woman who is working at the reception of your organization, the 72 hours start here. And then for sure there are some guidelines on which information is needed. You can read them here or afterwards, but the core message is really: you need to inform the regulators here, and for sure, in a second step, you need to inform your customers about that.
And in general, when talking about regulatory requirements, you can also use them to improve. You can learn from GDPR to ISO to CRI-relevant things, because they offer helpful standards and also blueprints, which can improve your security a lot. And maybe you are not under regulatory requirements today, but maybe tomorrow. And again, preparation is key here. And now we come to that slide about questions that come up during or after an attack. And as mentioned when I was introducing the agenda, this is ideally something you did before something happens. The first important thing is: who can help us? Depending on your organizational size, I'm pretty sure you do not have a specialized expert team for forensic analysis and things like that, because that's again too expensive, and you usually do not have that many incidents. So this is something you need to check before: who can help you? There are specialized companies who are experts in forensic analysis and things like that, but you need some contract with them, again some 24 times seven thing. And this is something you need to prepare. The thing "who is responsible" is mainly covered with the slide about the people who are involved. So you need some core team and some responsible person and some communication path.
Are we still able to work? This is more or less business continuity management. So for instance, if processes are not working, or only working with an online tool or software-supported tool, maybe the plan B is to have some printed-out documents to do something. But this is again something you have to prepare. You can be as resilient as you want, but during an incident or an attack, you do not have sufficient time to do something like that. And also things like backups. You need to have backups of your data, and you need to check whether your backups are affected during an attack too, because very often attackers spend a lot of time in the networks before they start to get visible for you. So maybe the backups that are four weeks old are affected too. And then another important question is: what are the next steps?
So not only, okay, now I know I'm the victim of an attack, but also, what do I have to do next? Something like I have to call someone, something like I need to isolate the affected systems, maybe I have to do some recovery things. This is also something you have to prepare. And the next one is interesting, because you are not always forced to inform your customers. And again, think about the expenses. Maybe it is better sometimes to be silent, but if it is required by regulatory requirements, you have to inform your customers for sure. And then last but not least: should we pay the blackmailer? Should we pay the ransom? And this is honestly a question I cannot answer, because I'm pretty sure there are a lot of organizations which paid the ransom, but nobody knows. And with this we are coming to the end, the closing slide, mainly the benefits of having an incident response management. You will be prepared, you know what to do.
And if you know what to do, you are faster, you are better usually. And at the end, it is a topic very highly related to time, because in the first hours you can also destroy a lot of forensic information. And if you have no plan and not the sufficient knowledge, you can probably destroy any proofs you might need for later things. If you have faster responses, you will also gain time to really focus on removing the incident, the ransomware or whatever it is in detail. The ransomware: you will have backups, you can use them for sure, if someone stole your data or changed the data, but you have them. In general, fewer errors are related to a better incident response management, which leads to a better entire level of cybersecurity and an incident response management in general. Also, a good communication is essential. Especially about communication, we can talk hours about it, because it's not only about internal communication, it's also about external communication. Just think about the CSO or CEO who shares some insights via Twitter. This can harm the organization a lot. And then, if you have an incident response management, you plan something, you also have some cooperation with externals, and you know how to do things and when the external knowledge is needed. And last but not least, you will meet national and international regulatory requirements. And that's it. Thank you.
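Two of the "questions to ask before an incident" from the talk, the GDPR 72-hour clock and the "are our backups affected too?" check, turned into a small runnable helper. This is an added example, not material from the talk or from KuppingerCole; the timestamps, backup names and the four-week dwell assumption are constructed sample data, and the only regulatory fact it encodes is the 72-hour window the speaker mentions.

```python
"""Added example (not from the talk): the GDPR 72-hour clock and a
backup-selection check that skips backups taken while the attacker may
already have been inside the network.

All timestamps, backup names and dwell-time assumptions are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# The talk's point: the window is 72 hours and starts when anyone in the
# organization (the receptionist included) first learns of the breach.
GDPR_NOTIFICATION_WINDOW = timedelta(hours=72)


def gdpr_deadline(first_awareness: datetime) -> datetime:
    """Latest time to notify the regulator, counted from first awareness
    anywhere in the organization, not from when the core team was paged."""
    return first_awareness + GDPR_NOTIFICATION_WINDOW


def hours_remaining(first_awareness: datetime, now: datetime) -> float:
    """Hours left until the deadline; negative means the window has passed."""
    return (gdpr_deadline(first_awareness) - now) / timedelta(hours=1)


def last_clean_backup(backups: List[Tuple[str, datetime]],
                      detection: datetime,
                      estimated_dwell_days: int) -> Optional[Tuple[str, datetime]]:
    """Newest backup taken before the attacker is assumed to have been present.

    estimated_dwell_days is the assumed time the attacker spent in the network
    before becoming visible. Every backup taken at or after
    (detection - dwell) is treated as potentially affected and skipped.
    Returns None when no backup predates the window, i.e. the retention
    period is shorter than the assumed dwell time.
    """
    cutoff = detection - timedelta(days=estimated_dwell_days)
    candidates = [b for b in backups if b[1] < cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b[1])


# --- constructed scenario: attack noticed on a Saturday at 23:00 ---
UTC = timezone.utc
RECEPTION_NOTICED = datetime(2021, 3, 13, 23, 0, tzinfo=UTC)   # Saturday 23:00
CORE_TEAM_PAGED = datetime(2021, 3, 14, 9, 30, tzinfo=UTC)     # Sunday 09:30

# Constructed backup catalogue: weekly snapshots plus one daily.
SAMPLE_BACKUPS = [
    ("weekly-2021-02-07", datetime(2021, 2, 7, 2, 0, tzinfo=UTC)),
    ("weekly-2021-02-14", datetime(2021, 2, 14, 2, 0, tzinfo=UTC)),
    ("weekly-2021-02-21", datetime(2021, 2, 21, 2, 0, tzinfo=UTC)),
    ("weekly-2021-02-28", datetime(2021, 2, 28, 2, 0, tzinfo=UTC)),
    ("weekly-2021-03-07", datetime(2021, 3, 7, 2, 0, tzinfo=UTC)),
    ("daily-2021-03-12", datetime(2021, 3, 12, 2, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    print("Notify the regulator by:", gdpr_deadline(RECEPTION_NOTICED).isoformat())
    print("Hours left when the core team was paged: %.1f"
          % hours_remaining(RECEPTION_NOTICED, CORE_TEAM_PAGED))
    for dwell in (0, 7, 28, 70):
        print("Assumed dwell %2d days -> restore candidate: %s"
              % (dwell, last_clean_backup(SAMPLE_BACKUPS, RECEPTION_NOTICED, dwell)))
```

Running it shows the two things the talk warns about: the Saturday-night detection leaves only about 61 hours once the core team is reached on Sunday morning, and with the four weeks of dwell time the speaker mentions only the oldest weekly backup is still a safe restore candidate; assume a longer dwell than the retention period and there is no clean backup at all.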
