Risk managers from all sectors gathered for an in-house simulation of a cyber attack. They didn't know what they were in for...

Marco Gercke, from the Cyber Crime Institute invited them for an unexpected trip into the - daunted - future.

Here is a short review of the presentation:

Cyber attacks cost companies billions of dollars. In virtually no time banks are robbed, companies are brought to bankruptcy and there are very limited possibilities to track down the offenders. Social media represent underestimated risks. From cyber risks we move to intangible risks.

Victim companies call for free rein to fight this new kind of crime. New developments in that crime sector are popping up at high speed. It is a real challenge to keep up with them. From a company perspective an individual risk assessment is needed. One needs to go into depth and analyse the risk landscape which is different for each and every one. It is useless to copy/paste, but it can be very useful to learn from each other. One should bear in mind that there are general threats, company related threats and individual threats.

In order to fight this crime and be well prepared for this risk, management involvement is required. There needs to be a decision-making strategy. Here lies the responsibility of the risk manager: to convince the C-level management.

In order to feel what it means to be confronted to this kind of crisis and to deal with it efficiently, a simulation was set up.

In a role play with a CEO and a CFO of an imaginary company, several situations were dealt with.

First question asked is what kind of attack one is expecting: client data theft, identity theft, shut down, …

Second question is how one (as CEO or CFO) would react to it: contact security, the police, the risk manager, external experts, check insurance coverage, set up crisis cell, …

Then the “game” starts:

A threatening email by Anonymous is intercepted. Is this a real threat? Is it worth checking? The IT department is consulted.

A press release is intercepted which was not sent out by the company’s communication department… false rumours are spread

The Communication department is consulted.

CEO’s daughter has problems at home with pc connection.

The head of IT is sent out to check.

IT department explains there are two options: protect ourselves with all our resources or protect the clients. Question: would you disconnect your clients from the network? (Check your legal basis: maintenance clause in contract).

Data centres are quickly slowing down.

IT department explains there are again two options: controlled shutdown to prepare a counterattack with 4 hours down time or defend ourselves, if we’re down it will be for 24h and it will take longer to repair.

IT department warns for an unusual outgoing traffic of dataflow out of the company.

CEO & CFO decide for uncontrolled shutdown.

In the meantime journalists are picking up the story. There’s serious reputational damage risk.

Head of IT believes there’s an insider at work. In order to find out they need specific information through the HR department. They have to take into consideration the privacy rules.

CEO decides to surpass privacy rules in line with Legal department and police.

The Communication department receives a false tweet. The company Twitter account is blocked         . Investors are getting nervous. Stock market is reacting.

Will the board stand up…?

Obviously tensions rise and it is clear that everything is interconnected and that one decision opens new possibilities with new risks and dangers. Therefore, the time used for the decision taking is crucial. If the board hesitates in taking a clear decision this can double the company’s loss in no time.

At the moment there are no clear guidelines on how to deal with this topic. Big data are hot but do not necessarily help. The high grade of complexity of these attacks increase the complexity of dealing with them. After an attack it can take months to recover: this implies extra costs/losses.

How can one be prepared? Prevention alone is insufficient, although it is crucial. Recovery policies and detection methods need to be put in place. Risk assessment is essential.