Webinar

Crisis Simulation - Hacking and Data Breaches

Experience a simulated crisis scenario where an airline discovers their systems have been breached and customer data stolen by hackers unknown. Join the response team as they navigate how best to resolve the evolving crisis.

Hosted by: Jim Preen - Crisis Management Director at YUDU Sentinel
Expert guest(s): Amar Singh - CEO at Cyber Management Alliance Limited, Richard Stephenson - CEO at YUDU Sentinel

Date: 05 August, 2021

Webinar Overview

In this crisis simulation, join the response team of a leading airline as they discover a significant data breach. Hackers have inserted malicious code into their booking system, and it now appears they have harvested the data of some 3 million customers.

You'll follow our expert panelists - Amar Singh, Jim Preen, and Richard Stephenson - through initial crisis response efforts, and react to new issues as the situation evolves. During the webinar, you'll learn invaluable skills in crisis management and crisis response.

We'll cover:

  • How to react upon discovering a data breach
  • Priorities in the wake of a cyber attack
  • When and if you need to contact an industry regulator
  • Crisis communications to customers and the press
  • Handling a ransom request from hackers and whether to pay
  • How to respond in the wake of a crisis

Host Profiles

Jim Preen

Crisis Management Director - YUDU Sentinel

Jim Preen is crisis management director at YUDU Sentinel where he provides client specific advice on all aspects of communications and designs and delivers simulation exercises via the Sentinel app. Formerly, he was a journalist working at ABC News (US) where he covered stories including the Gulf War, the Bosnian conflict and the Concorde crash. He won two Emmys for his work.

Amar Singh

CEO - Cyber Management Alliance Limited

Amar is a C-level Executive and Global Chief Information Security Officer. He is the creator of the UK Government's NCSC-Certified Cyber Incident Planning & Response (CIPR) and a trusted adviser to police forces, banks, insurance companies, the NHS and telecom firms.

Richard Stephenson

CEO - YUDU Sentinel

Richard is CEO of tech company YUDU. He has run public listed companies, mid-market private equity investments and tech start-ups. His professional skills include digital strategy, crisis management, risk and digital document publishing.

Webinar Transcription

Jim: Not least of all myself, but good afternoon, and welcome to this crisis simulation webinar. I'm Jim Preen director of crisis management at YUDU Sentinel. For those who don't know, we make crisis management and crisis communication software. I'm delighted to say, and hopefully, you can see my screen. On the right-hand side, there is the BCI logo. I'm delighted to say that today's webinar is presented in conjunction with the Business Continuity Institute.

BCI has over 8,000 members in more than 100 countries, and is the world's leading resilient organisation. Today I'm joined, and I'm hoping you can see these guys on your screen. Today I'm joined by Richard Stephenson, CEO of YUDU, and cyber security expert Amar Singh. Yes, there he is. There's the man himself. Amar, do you want to-- Just put this-- You see I'm already getting behind here. Here we go. Amar, could you just tell our audience a little bit more about yourself. They can see a little bit about you on the screen right now.

Amar: Excellent. Greetings everyone. Jim, I hope you can hear me, and thank you everybody for taking the time out. Every single gray hair you see here is a cyber attack.

Uncle Richard has lost all of his hair because the cyberattacks he's been in. I'm just joking. Everyone, thank you for taking the time out. I'm a cyber security executive. I love cyber. I love IT. I'm the CEO of Cyber Management Alliance. You can go and check out the website. Obviously, CM-Alliance, and we work in partnership with YUDU. It's an honor to be here. Crisis management, cyber crisis management. As you can see what it says on the tin, we have several UK's NCSC certified training on incident planning on how do you manage a crisis. We actually work very closely with YUDU when it comes to crisis management advocation, but also actually how do you get through a crisis. It's an absolute honor to be here. Uncle Richard, over to you sir.

Jim: Richard, go ahead.

Richard: Thank you, Amar. Yes, it's great to have-- I'm honest, and I think it's one of the things that we like to do is to really partner with some real experts in the field. As far as cyber is concerned, Amar is a leading expert and also a fantastic speaker at events. I would also say that for my background, yes, I'm the CEO of YUDU. Also, I got a lot of experience in running companies that have got high-risk profiles that many of you belong to.

Including ones that I've done before have been shared financial services businesses where there is a significant cyber risk and a data risk. Part of what I'll be commenting about is-- About looking at it from the company's point of view, and the way in which how we would simply responding to these types of incidents. Yes, YUDU is very much involved in cyber and cyber defense. Particularly, about communications when these things happen, that's the software we run. Principally, I'm here commenting based upon my varied experience in the background and hoping to bat against Jim on some of the questions he's going to be throwing at us.

Jim: Okay. That's great stuff guys. Thank you both very much. I'll be back to you in a moment. Now, I should just say that I've run quite a few of these webinars, and it's a bit of a tradition when I run them, for those listening to post in the Q&A box where you're listening from. Why don't you go ahead and do that now. I like to get you used to using the question and answer box because we want you to do that as we progress today.

Why don't you tell-- the first one up, phenomenal. Sam is listening from Queensland Australia. Right around the other side of the world. People are really on the mark today. We got someone else from Sydney today. We got North, this is amazing, just North of Toronto. It's Mark. Hi, Mark. How are you doing? Just North of Toronto, Canada. We got Rochester. I know Rochester it is near where my sister lives in Kent in the UK.

We got 16 miles South of Cambridge. Steve, thank you very much for that very accurate representation of where you are. We got Oxfordshire, we got John. Hi, John. We got Lester, we got Stephanie. Hi, Stephanie. I'm glad you got on. You had some trouble signing up, but we fixed that one up. We got Anne from Leigh on Sea. We've got Rob from Cornwall. I think gentlemen, you can see we've got people from all over the world here, but keep them coming as well.

Thank you very much indeed. Talking of questions, I do want to make the point. As we go along, we really want you to put questions, suggestions, comments in the Q&A box. That's how these things work, and I want you to keep the panel on their toes today. I want to make this as interactive as possible. If you have a point to make, then don't hesitate. Just very quickly going back. We got Simon from Abu Dhabi. Francois in Southwest London, presumably not far from me. We got Rob in Cornwall. Perhaps, I think I mentioned that before.

Anyway, you're all entirely welcome. Before we get into the actual cyber simulation itself. I got a question for everybody here, and I'm going to launch the first poll. The question is, have you had any previous experience of handling a cyber crisis? I'm going to launch the poll now. A quite simple yes or no answer to this one, so I'm launching the poll. If you could vote on this, and I should just say while you're doing this, that our-- the event today is going to be--

There are going to be various polls which help us progress through the simulation that we're giving you today, so I wanted you to get used to using the poll feature on there. People are indeed voting now. We got 84% have-- 86%, can we get any higher than 86%? I'm going to close the poll in a second. Anymore? Last dibs on this poll. I'm closing this poll now, and I'm going to share the results with you. There you go guys. No, people have not had any experience, but obviously, they're on this event, so they're concerned about it. That 63% kind of 1/3 of people have which is quite high. I don't know, Richard, is that pretty much what you expected?

Richard: Jim, we've been doing a number of these things. Actually, that's higher than on previous one, and that I think illustrating that we're in. 37% of the people on this call having had an experience of a cyber attack is I think quite high. Amar, you may have a view on that?

Amar: My answer, actually agree with you. It is a bit on the high side, which is good or bad, I don't know. I think cyber-attack could mean anything. I think a cyber crisis is probably more than just a cyber attack. On balance, I think it's a bit on the high side, which is I guess a bit good news because people are hopefully aware of the negative impact of a cyber attack. Absolutely, yes.

Jim: All right. We're already good, and just one more person. We got Matayas dialing in from Germany, from Frankfurt in Germany. Thank you Matayas for joining us today. Hang on. Oh, my goodness. We got another one in Australia. David from Geelong, and I hope I'm pronouncing that correctly, in Victoria Australia, and there we go. Right, I'm going to close this poll now, and we are going to get on.

We've actually had a couple of questions in already, but I'm just going to have to pause because we really have to get this simulation underway now. Folks, everybody present. You've all got a new job. You're all part of the crisis management team at Beeswing Airways. Unfortunately, your job is fictitious as indeed is this airline. For the sake of this exercise, here is some information, which I'm hoping you can see now about the organisation that you currently work for.

This is Beeswing Airline. It's a low-cost airline, which is headquartered out of City of London Airport. It operates 150 aircraft. In 2019, carried more than 15 million passengers making it the third largest budget airline in Europe behind Ryanair and easyJet. Like so many others, in 2020, Beeswing grounded its entire fleet of planes because of the pandemic. With lockdown restrictions lifting, they're once again in the air, and Beeswing has seen a surge in booking.

That's a quick snapshot of your new job and the firm that you work for. I'm going to start the exercise now with a start state, which is pretty much how I start every kind of exercise. Here we go guys. I would just say that you should get yourselves across this information here, and it might be worth you taking a screenshot of this start state, and the other updates that follow. We have newspaper articles and various things just so that you keep across all the information that I'm feeding to you. Very quickly, IT security has discovered malicious code embedded in our customer booking website. As far as we can judge the malware has been harvesting customer data for at least a month. As bookings have started to increase it's possible the hackers have seized personal information belonging to upwards of three million customers.

The data is thought to include names, contacts, passport number, ticket and credit card details. It's not immediately clear who is behind the attack. As I say it might be worth you taking a screenshot of this but the upshot of all this is that Beeswing Airways has been hacked, there's malicious code in our customer booking website and perhaps as many as three million customers have had their confidential data hacked.

We're going to move. Now we're going to move on to our second poll of the day. In situations like this when you know that you have a potential emergency arriving on your doorstep, who do you activate who do you stand up in a situation like this? I'm going to launch our next poll, here we go and here it is. The activation. Which team needs to be stood up which team needs to meet right now? Would you say it's the very top team, the Gold team as it sometimes called, the senior management team? Or do you think it would be more practical when you know things are just kicking off to get the tactical team or the Silver team on the case?

Would they be the best team to start handling what looks like could be a serious emergency? You know you're going to have to communicate with people. Would it be the comms team or would it be better to have a customer-facing team in circumstances like this? Stand up the retail sales team. Who do you think would be better? Now, I'm going to leave that with you a second. People are voting well already. We have 68% of people have voted. I'd like to get that a little bit higher, please. If you could continue voting that would be great.

We do have to move on from this. 80%, all right. Last dibs on this anybody else want to vote on our activation poll which team needs to meet right now. Okay I'm closing the poll and I'm going to share the results with you now. Hopefully, everybody can see this and my panel can see this. 41% for the senior management team tactical team would be Silver, comms team just 2% and nobody thinks the retail guys should meet up now. I guess I'm going to turn to Amar for this one. Who do you think should meet now?

Amar: I hope you guys still hear me. I just wanted to-- before I answer this one I think Milena made an interesting point, maybe the 63% of the earlier poll probably don't know they have been hacked. That's an absolutely brilliant point, Milena Maniwa. Based on what we know I would say it would be the senior management team because if you read what you have shared you know that you have already been attacked, you know that upwards of three million customer data have been gone, so you need the crisis management team. Now Silver could be crisis management assuming but here I have made the assumption that Gold is crisis management. Jim.

Jim: Okay, great. Richard are you in agreement with that? I hope you're not going to be in agreement all today. I want to do a degree of dispute between the two. What do you think on this occasion?

Richard: Amar and I have got a history of disagreeing so you'll have no issue.

Jim: I'm pleased to hear it.

Richard: I think that's right. This is most likely going to be Gold team but of course, each one of people on the call will have maybe a slightly different structure in their organisation. Definitely from what we know from that information you put up Jim then it would be the Gold team that would have to be activated and then we'll cascade from there.

Jim: Okay good. There is a point I think it would be fair to say that some people might think that it would be the tactical team that would want to meet. Marcos is saying maybe the senior management team could be involved when we have more information.

Actually, Anne here is making a point, I disagree tactical to start, Gold informed so that they're aware of the situation. I think I would might well go with Anne on that one. I must say I'm always a bit leery of standing up the senior team straight away but I bow to your superior knowledge on this.

Amar: The only reason I would disagree with Anne, and again the assumption here is that Gold is crisis management, according to the slides you already know that bad things have happened. You're not yet in the middle of confirming bad things have happened. Anne, I'm always happy for you to disagree no doubt and thanks for actually taking part but in this case the bookings as far as we can judge the malware has been harvesting customer data for at least a month. That's one information. Three million customers have already increased, it's possible the hackers have seized personal information.

If this information wasn't clear at all and you are still in the discovery phase, I agree that the Gold team should never have been involved but I'm reading what I'm reading briefly and I've not read this in detail before. In my opinion is that because there's bad stuff already happened it's the Gold team.

Jim: Sam makes the good point. I'm not sure why we're just choosing one team, you could choose both. Simon is saying stand up Silver and Gold. I think we're going to leave that now. I think that's an interesting discussion and something you might want to take away to your own organisation. It's just to think [crosstalk]--

Amar: Just to say what Stephanie has said is by now you know the Silver would have already met. That's the assumption that I have made also, absolutely.

Jim: Stephanie is saying, I think we should all be informed in our organisation Silver would meet first. Paul is saying three million records has to be Gold, crisis can be escalated if required. I'm not quite sure where you escalate beyond Gold but there we go. Whatever you call it team must cover privacy, this is Mark saying this, privacy, legal, comms, insurance et cetera right away. He's spreading across a lot of disciplines there.

Steve is saying my view would be tactical with a link to the SMT. The SMT would dictate policy, the tactical team would translate into what needs to be done. Very clear Steven absolutely bang on there. What else have we got here? Senior management needs to know quickly, this is from Ravi, need to know quickly to orchestrate action streams including directions to Silver.

Dan is saying there should be immediate mitigation measures implemented. Indeed there should. Anne is saying tactical are there to get the comms and retail sales prepped. Then when tactical give the recommendations to Gold they can go and give the go-ahead. Actually, they would then sign off on that. I get that. All right folks. I've got to hide these results. We've got another poll for you immediately here.

This is to do with the regulator. I think this is an important issue here. Here we go. I'm launching another poll for you to vote on please, which is you appear to be the victim of a cyberattack, should you inform the regulator? You've got three options here. One of which is yes immediately. The second of which is no not yet we just don't know enough. The regulator will want to know more, there's no point in contacting them yet. C, honestly be quite honest about this if you're not sure about this then just say you're not sure. We'd be happy to discuss this.

You appear to be the victim of a cyberattack, what about the regulator? Regulator plays a big, big role in this. 72% of people-- very good, very quick at voting. I'm very pleased to see this today. We're into the 80s now. 85, should you tell the regulator right away? We seem to have stalled a bit here. I'm going to close this poll and I'm going to share the results now. My panel Amar and Richard. Yes immediately more than half but coming up on the inside on 41 is no, I need more information going to wait on this. Richard let me turn to you first on this. What do you think? What's your thought on this?

Richard: Generally speaking, the decision on whether you inform the regulator you should perform immediately a risk analysis on what's actually happened. If you describe they'd think that this is a severe breach then that's when the clock starts ticking. You've got a very short period of time of 72 hours in the UK and different things around the world to report it. Overall, this is from the data we've already got. This is a very significant breach and a significant hack and that the ICO in the UK, for example, will rather prefer to get it early rather than in fact even if you don't have all the information. The standard practice would be on something of this size, any risk analysis would pretty well come up to a red rating for this and therefore you should inform the regulator.

You can always add to that information when you know more, but my advice is that people should get on the right side of the regulator and inform immediately. You're not necessarily informing on everything. If it's a minor issue, the regulator doesn't want to be overwhelmed with those, but just from the data we already know, this already is classified as being something that is a major incident, which I think you should inform to the regulator. That's my view. It should be an A on that point.

Amar: Excellent.

Jim: Amar, do you want to come in here please?

Amar: Absolutely, disagree. [laughs] Based on the question, I would say I need more information and this is really important for people. I haven't linked this to the three million Beeswing attack, if it is Beeswings, and you know that the data is gone, then I would agree with Richard. However, looking at the question on its own, I would urge maximum caution, get obtain all the facts. F-A-C-T-S. Please, that is one big mistake a lot of organisations are making. I'm not saying don't inform the regulator. Let's be very clear.

Do inform the regulator, but once you have enough information to call it a breach of personal information, in this case, I'm assuming it's GDPR. I think the question could be phrased Jim, if you don't mind slightly better, do you inform the privacy regulator? Do you inform whatever regulator that needs to be informed? Overall, I would say folks, unless you have all the information, the factual information do not panic. Only panic when you have enough factual data to tell you what's actually happened.

Jim: Okay. Thanks so much. In defense of my question, knowing that we would have people from right around the world, I was not going to say the Information Commissioner's Office, I kept it vague, but I take your criticism. Well, not surprisingly, we have quite a few comments here. Steve says under data protection, that's in the UK, I think he's talking about it's a legal requirement to inform the regulator if there's been a loss or a potential loss of personal information, which an attack on an airline would probably involve.

Simon is saying risk analysis could lead to other risks. People, flight paths and seats known could be sold to a terrorist, for example, very easyJet, he says. He says that the regulator should be informed.

John is just agreed with you, Amar. He's saying, "Yes, Amar." There you go. You've got at least one fan on our feed. Fabrizio is saying, "Regulators should be informed immediately given customer data are at risk, although it might depend on the internal rules of the company." Anne Clark is saying, "I agree with Amar." There you go. All right folks, I'm going to hide those results and we're going to move this thing along here. Richard, I'm sure you've got fans as well.

Richard: Amar is moving up the thing I've got to catch him up.

Jim: Okay, this is kind of a Fantasy Football we're on here. All right, guys, let's get back to the story here. I'm afraid to say that Beeswing Airline is now in the press, and when you're in the press, there's always risk of reputation damage. Reputation management might be in order here. Very quickly, hackers are suspected of accessing email and travel details of more than three million Beeswing customers said two sources familiar with the investigation, a cyber attack disclosed by the British airline earlier today. The sources said hacking tools and techniques used in the attack pointed to a group of Russian hackers.

The news of the data breach could result in a hefty fine for the budget airline, which is struggling having seen flights and passenger numbers decimated because of the global pandemic. A Beeswing spokeswoman declined to comment on the extent of the hack or who was responsible and the boss, Derek Witacker, Beeswing's Chief Executive said there was heightened concern about personal data being used for online scams with more people working at home because of the pandemic and because of lockdowns.

Although, I must say in London, that does seem to be changing a little bit. There's some more information, not huge amounts of new information there, but as I say, the fact is you're now in the press and that can cause you problems as well. What do I have for you? Well, of course I have a poll for you, but if you want to take a screenshot of that, just get across those facts that I've given you there. We are now coming to, what is your top task right now?

Here, I've got various tasks that you might think might be your top task. You might say to me quite respectively, "Jim, we would probably be addressing quite a few of these tasks," but I want you to make a decision and take your top tasks right now. However, if you don't think any of these should be your top tasks, well, you know where to go. You go to the Q&A box and you put in what you think your top task should be. I'm going to launch our latest poll here, which is what is your top task and you know what to do.

I want you to vote on this, but as I say, if you're not happy with any of the tasks that I've given you, you tell me what you think. I'm just looking at, we're getting some more questions come in. Can I just leave you to vote on this at the moment? People are considering this. Good. That's great. 50% of people have voted. Keep thinking about what your top task would be. We're up to 60%. We would like to get a few more people in first, please. Okay, up to 70% quick on the buttons here. All right, guys, it's last dibs for voting on what I know. We're rushing you along here, but we only have gosh, we've only got a half an hour left. We do need to move things on a little bit.

We're up into the 80s now. Anybody else want to vote on this? I'm now going to close the poll. It's closed and I'm going to share the results with you. Okay. Hopefully, everybody can see this and we're quite split here. Let me see. First up, reassure customers that we take security seriously, speak to the media only 10%. Find out extent of the data breach, that's the biggest one. We've got open communications with the hackers, nobody wants any part of that, or send a memo to staff, which we have 5% on that. Amar, would you care to take this one please? Can you hear now?

Amar: Hello?

Jim: I couldn't hear you right then.

Amar: Okay. Based on this slide, I will still say what you have of actually offered as an option, I need to know more information based on the slide because there is a lot of room for conjecture. There's a lot of room for rumor they're suspecting that--

Jim: Amar, sorry, I'm not going to let you get away with that. I want you to take-- if you were running Beeswing Airline, what would be your top task right now?

Amar: Right now, find out. Give me the facts before I go and tell the media anything. There might be rumors circling around. I've been in these situations many times folks. The media, the rumor may already be circling around. People are going to be telling a lot of other stuff. Ooh, Russians, have attacked you. Ooh, my email's gone. Before you open your mouth, in my professional opinion, you better have as much factual information because once you speak, you can't take it back.

If you start changing information, there are many, many case studies out there. Yes, I think Daniel has said, many of these things would be happening in parallel, however, you've got to have facts before you make a statement, because once you say, "Oh, there's nothing to worry about," or if you say, "Yes, your email, your data is gone." Then two days later you say, "Oops, sorry your data isn't gone. It's actually, okay." You've dug yourself a hole. It's very difficult to come out of folks. That's my opinion.

Jim: So, of all those selections, it would be find out the extent of the data breach or you would think even wider than that, what would you recommend.

Amar: I think wider like I said, give me all the facts. You can put out a holding statement, "We are investigating," that's about it in my opinion. Because if you say the clichéd, we take security seriously, you're going to be made, in my opinion, that's not the right thing to say because everyone there's no person ever going to say, "Hey, by the way, folks, we don't take security seriously," right? It would be funny if they said that, but there is no one ever going to make a statement saying we don't take it seriously.

Jim: Well, I can tell you that Fabrizio doesn't agree with you, Amar. I'm going to tell you how he disagrees. He said you should at least go out--

Amar: I love people to disagree.

Jim: Okay. Well, I'm just going to tell you what he says. He says, you should at least go out reassuring customers and the public that you have the situation under control. This is also considering stock market and reputational damage.

Amar: I'm sorry, but that's what I meant, holding statement, yes but don't close anything, speak to the media could be holding statement, I agree, but at the same time in the backend, you've got to make sure you have all the facts. Once you do, then your narrative is ready to go fully.

Jim: Okay, Fabrizio forgives you and he now agrees with you, Amar.

[laughter]

Richard: Jim....

Jim: I'm going to come to you in one second, I just-- there's a heap of questions here. Honest communications with others, everybody other than hackers, and continue to find out the extent of the data breach. I think it is okay to say you don't have a definite answer right from the word go. Okay, John is saying, the question was top task. All of these may happen and you have to prioritise. I totally buy into that, John, I think a lot of crisis management is all about prioritisation. Richard, would you want to come in please?

Richard: Well, I hate to do this, but I am going to agree with Amar on this. The thing is that if you just look at it, we just don't know enough. The real focus, the energy should be to get a real handle on what's happened because when you do speak and I'm all for the holding statement by the way, but when you do speak, you want to be seen as being the trusted source of the truth. You've got to have positive information, actually, real information.

I think you also need to be rather careful about saying it's all under control because that is actually making a statement that it is under control. Of course, that's what people want to hear, but there's other use of words you should be using here. That you got full, very competent investigation teams who are working through to actually establish the fact, but it's really important to go with some meat when you eventually stand up there and take them on. I think somebody who said that, it's okay to say, you don't know, that is absolutely fine.

That honesty in communication has proven to be the best model as you go through it. As Amar said is that if you make statements too early about something, actually make a statement and then have to roll back, your credibility is gone very quickly and your credibility is on the line right away, because you've been hacked. It's really important to manage that, but the focus is getting more information, Jim and therefore C, for me, is the right answer.

Jim: Okay. I've got that. Thank you very much, Richard. Anne good point that she feels all social and web-based sites with customer-facing web-based and social sites should be getting updated. The social media team will need to be on this, but obviously, you'd have to work out what the messages are that you want to get across. Steve is saying reassuring customers speaking to the media is pretty pointless unless you have the facts to give them. Totally agree with not opening comms with the hackers. This is the last thing you should be doing at this stage.

Marcos is saying a generic message to calm the media. If we don't position ourselves, the media speaks what it wants. That's an interesting point which we could discuss possibly. Anne is saying a holding statement is paramount while you get the facts. That's why I said to speak to the media. All right. Okay, now this is an interesting point. Verag makes a good point. Would be nice if the experts chose to agree on one option only. If I can just say, Verag, the point of this thing here is that there isn't always just one option, and that's why I like to see the experts disagreeing here, because you're going to be in a situation-- sorry, go ahead.

Amar: Sorry, Jim. Sorry to interrupt you. It's a good point, but the too many moving parts in a crisis, right? You have to juggle, it's a sad reality. If you're all wanted one choice, then obtain facts before you say anything. To Anne’s point, if I made the last one that you were about to read Jim, hiding, we're not hiding which is where the holding statement comes from, that we are investigating, but the minute you say, "Oh, we've been hit by something." The minute you say something, if it's not factual, then you're going to have big problems.

Jim: Okay. All right. Good. Richard, did you want to make another point or are we good on this?

Richard: No, we're good. I think.

Jim: Okay, excellent. Hang on. We're just getting it. Let me just close these out. Simon is saying a whole pattern. Hacker may need to be communicated if it's a destructive attack where the time limits actually hold that thought. If you do not have cyber recovery capability or critical data, you may just lose access forever. Okay, Anne is saying, I agree it has to be factual, your holding statements. Okay, Verag is saying, one choice from the slide, there's always a multipronged approach.

Well, all I would say Verag, is that I'm used to be a crisis comm-- well, I suppose I still am a crisis comms person. People used to say to me when I was training them, "Just tell me what to say, Jim, in any circumstance." It just doesn't work like that. You have to respond to the facts on the ground as they arise and it's would that it were simple, but I'm afraid, that's one of the things that we know about this is that we don't know.

We don't always know the right thing to do, but what we're trying to do today is figure stuff out. Okay. Steve is saying, Steve, thank you though. One of the things I love about the YUDU webinars is the variety of points of view, coupled with different experiences from around the world, so thank you very much for that indeed. All right guys, I'm going to hide these results. We are now going to move on and I've got a crisis update for you.

We have another update from IT security who say this, we have received a ransom demand from the hackers saying that unless we pay them 10 Bitcoin immediately, they will start to drip-feed customer details, including names, addresses, and credit card numbers onto the dark web. If we don't pay them within the hour, the ransom will increase and they have indeed sent us several examples of the stolen data, which as far as our tech team is aware, do appear to be genuine.

You guys, on the crisis management team, we have received a ransom demand from the hackers, 10 Bitcoin, a substantial amount of money. I'm sure you all immediately know how much that is and they say that we have to pay this within an hour otherwise it will increase. It looks like the genuine-- that the data that they have stolen appears to be genuine. Inevitably, I have another poll for you.

This is, I don't know, I've done a lot of work with banks and so forth in the past running simulations and exercises. It's quite surprising how many people don't have a policy as far as a ransom demand is concerned. That's something we want you to think about now. I have a poll number five, what's your response to the ransom demand? Would you suggest to your bosses that the ransom is paid? Would you contact the hackers to try and discuss the situation?

Would you, I like this one, would you ignore it? Just ignore this threat. It's just nothing, we're not going to deal with this or would you, if you haven't done so already contact the police. I'm going to launch this and I would like you to vote on this, please. There you are, poll number five, what's your response to the ransom demand and gosh, we've only got 20 minutes left guys, and we got a fair bit to do so if you could vote on this, I would appreciate it. We've got half of people have voted already, which is good news. Can we get some more people voting on this? I like to get it. Yes, we're getting there now so we're up to 70%.

Amar: Well, while this was going on, Jim, we can save some time. I can tell you most people in terms of clients and other people we know, their default position is never pay until they get hit. Then suddenly the options that they promise that they will never consider, they start to consider, which is really sad, but the truth. It's very easy for those who have never been in that situation to go, "I'm never going to pay ransom." I can tell you from real-life experience I've sat on crisis actual attacks where they previously held the position they would never pay but now that they have been hit, they are pondering and wondering if they would pay, which is really interesting.

Jim: It is indeed. Thank you for that, Amar. Quickly return to I guess I gave you kind of an easy option here which most people have gone for, which was contact law enforcement, which I guess you would do, which you probably may have done already. 2% said they would suggest paying the ransom, 8% said to discuss with the hackers and 2% would say to ignore the threat. Richard, in general terms, do you have any thoughts on this, please?

Richard: Of course, a lot of companies now have got ransom insurance, and in some of that decisions, and that's actually driving a lot of us in the States about whether ransoms are paid, and the insurance companies are more driving things to pay ransoms than the individual companies. I think that the ethical people that are on this call are right in saying-- a very few people are suggesting paying the ransom because you're just funding crime and funding lifestyle.

You've got a business to run, and your business has just potentially ground to a halt. I'm a black and white sort of person, I'm along with saying do not pay the ransom. However, there are a lot of organisations who have, as Amar has just said, who've had that position, and then faced the entire shutdown of their organisation. I think that the first step would probably be exactly on this, what people have put on this chart, I don't think anybody at the beginning when they receive their threat like that would suggest paying the ransom.

That might increase as the impact is, in fact, extended during the process. I think people do engage with hackers, number b, they do do it, but these are people that are not easy people to negotiate with, they operate lightly just like any Mafia organisation would do. The chances of you getting a decent agreement is pretty slim, but people do. Generally, you should not do that unless you have absolute professional advice and support.

Certainly, it's an illegal act, contact law enforcement. I would say though, law enforcement's capabilities for actually resolving your issue is extremely limited. That's the whole thing about cybercrime is that they can sit in jurisdictions that you don't have any control over, law enforcement doesn't have, and they can do these criminal acts without any fear of being caught. A law enforcement definitely should be informed, but that's not going to solve your problem.

Jim: Okay, great. Amar, before I turn to you, we got a bunch of thoughts here from people listening, which is pretty interesting. Robbie says, "Do not pay the ransom. It's a slippery slope, put out a statement so customers are made aware of malicious contact." Stephanie asked the question, and maybe, Amar, you can help with this actually, "How many companies actually pay or pay on the first threat?" Do you have any thought? Do you know about that? Do you have any information about that?

Amar: There is some stats floating around, Stephanie. It's a very good question. I can tell you from experience with clients and potential clients after they were hit, many do consider, some do pay, not very happy in terms of paying, many of them don't get their data back. I'll be honest with you, it's an unwritten rule, they get put on the suckers list if you want to call it, the folks who pay, and then they are attacked again and again. We have one company who had become a client, they were hit by three ransomware attacks in two years, and then they became our client. They paid twice. Well, what more can I say, right?

Jim: Great. Amar, I just pause for a second. Dan is asking "Do we have enough Bitcoin or do we know how to buy some?" A lot of people wouldn't have a clue, but I'm sure the hackers would be very helpful in that.

Amar: Sorry to interrupt you. I can tell you one strategy some clients are using. I'm not saying you use that, please. Because they are directors, they cannot engage in illegal activity, but what they have done is, believe it or not, I couldn't believe it, but that's what they actually have done, they have put in place a process to buy bitcoin, they put the funds aside and if they do get hit by ransom, they will say no, but somebody else will buy the Bitcoin and pay.

I'm telling you what's happening on the ground. Absolutely, I'm not supporting it. I'm not saying you do it. Please, for the record, don't do it because you are going to get put on the suckers list and there is no guarantee you will get your money back, but just to let you know. Richard, as you were saying, in many countries, it's becoming illegal. AXA, A-X-A, has said in France that they would not pay ransomware-- what do you call it? Ransomware insurance. They're stopping ransomware insurance, AXA Insurance.

Jim: Great, guys. I just need to move things along because we have more questions but I'm going to pause those for a second, because we only have a few minutes left and we've got quite a bit more to do. I'm going to launch our next poll, not going to give you any more information, just going to launch our next poll which is about your external comms response.

The question here is, what is your external comms response? Do you draft a detailed statement and send it to the press? Do you draft a detailed statement and wait for the press to get in touch with you? Do you contact the media to say your chief executive will be holding a press conference? Do you provide something much more limited, provide a briefing to the social media team? Or do you send out a message to update customers?

Once again, it could be several of these and it may be none of these. We would like to hear what you think, we'd like you to vote on this please, about what your external comms response is. As I say, if you don't like any of these options, then you know what to do, you put it in the Q&A box, and we'll discuss what you have to say. Please vote on external comms. See what you have to say here. Would you say draft a detailed statement, send it to the press, wait for the press to get in touch, maybe holding a press conference or provide a social media team briefing or message to update customers?

We've got 50% of people who have voted here. I'd like to get through this as quickly as we can, please. If you could vote on this, I would appreciate it. All right, we've got 66% here. Anybody else? Last dibs on this. I'm now going to close the poll here and I'm going to share the results with you. We're fairly evenly split. 24% go with draft a detailed press statement, send it to the press. 16% say draft a statement and wait for the press to get in touch. 20% go for a press conference with the chief executive. 10% go with provide briefing to social media team, and 31% message to update customers. Amar, I'm going to ask you what did you think were your top tasks for external comms would be?

Amar: In parallel, obviously, there are certain caveats here but you got to tell the customers first. In Beeswing's case, you've got to inform the customers first, followed very closely by obviously sending it to the press. Your customers should not find out from the press, very simple. This is caveat to all your facts, et cetera, et cetera. I'm giving very simple, short answers, because we're running out of time.

Jim: Okay, that's good. Richard, go right ahead, please.

Richard: The press will get it from the customers for sure because you're pushing it out to the customers. Actually, this airline has to be a customer-focused organisation. They're the lifeblood, they're the ones who are going to stay with you and keep you going. Just by crafting the right message to the customers, that also is a way of actually pushing it out to the press in the same way, but you're putting the customers ahead of the newspapers, which is a very good thing to do.

I just made a comment on the-- I can see a lot of people-- I'm a great believer in leadership being seen, the CEO being seen or the top people being seen in any crisis and not hiding behind things. It does depend upon who you've got there who's leading that. Not all CEOs got to that job by being great in front of a camera. You just don't want to put somebody who is not really good at this into that position. That doesn't really help at all. I am vehemently agreeing with Amar in terms of customers being right up there for the way you communicate to the outside world.

Jim: Good. We got a few comments on this. Ravi is saying message to customers is more personal shows Beeswing cares and gives senior management to demonstrate empathy, remorse, helps in the long run, then a press release to follow. Of course, don't forget that anything that is internal is made external straight away. If you do contact customers, they very likely be talking to the press anyway.

Stephanie is saying a difficult one. Our customers are more important to us, but I would also add B, so drafting a statement there.

Simon makes a good point. You can't contact three million customers. A press statement to the press is a way of contacting customers. Anne is saying it's a combination of all deliver statements to customer, then go to the media shortly afterwards.

That's great folks. That's great. Thank you very much indeed. I'm just going to hide those results and we're going to move on to actually our final piece of information, which is another press story which hopefully you can see in front of you now. Beeswing Airways is in chaos following revelations that it is the victim of a ransom demand. Hackers, who say they have stolen thousands of customer details are threatening to post a range of this data online unless the ransom is paid. We know that already. The data is thought to include customer names, addresses, and credit card details.

Cyber experts believe customers trying to book flights on the Beeswing website were diverted to a fraudulent site where the transaction details were harvested by the hackers. There's a reminder that British Airways, a similar circumstance faced to a fine from the regulator of 183 million. With Beeswing, typical newspaper stuff, Beeswing teetering on the knife-edge, will this push the struggling airline over the edge?

Oh dear. You'll all be out of a job then. There we go. Now, what I want you to think about folks now, and I am going to, have we got time yet, I've got time to launch one more poll. At the end of exercises, amazingly, we've almost come to the end of this one. I like people not to think in the moment, but to think ahead. What's going to be happening in the next days, weeks, and months ahead.

Once again, I'm going to give you some suggestions here. I'm going to launch this poll and you can see the suggestions here. What are the big headaches you're going to face? That maybe you were forced to pay the ransom, maybe that bounces back on you, maybe you are struggling to build back trust with your customers. Perhaps there's a bunch of customers get together and they're pushing for compensation because of what has happened to you. Perhaps there's a threat of a big fine from the regulator and perhaps something very simple, but deeply scary that the data loss turns out to be far more far greater than anticipated.

Now folks, that those are just some suggestions that I'm going to make to you. If you want to think about what other-- if there's something else you would like to talk about, some other headaches, some other problems that you feel might be coming in the next days and weeks and months ahead, then please put that in the Q&A box as well. If you could vote on that and then this will then turn into our final discussion as to what will happen in the days and weeks ahead. Sorry, Amar, were you trying to get in there?

Amar: No, just because of time constraints. That's all.

Jim: No, please go ahead. Go ahead. Go ahead.

Amar: I think of a lot of things here, but since your question is in the next few days and weeks, I think the fine may come, but it takes a long, long time. Building trust because it's an airline, so people are still going to maybe book, but they will still have to build that back. I think data loss may be far greater than anticipated, that always comes in the next few days and weeks, but there is no right answer.

Many of these things are all pretty much on the same. A couple of things before I-- I know time is up and running. Folks please, it's been a pleasure for you to get me here. Please do connect with me on LinkedIn if you want to. Absolutely happy, but there are too many moving parts and you've gotta build muscle memory. Using applications, using practice, using tabletop exercises, you must build muscle memory to deal with these things, because this is a brilliant exercise, but actually, a lot more happens and everything happens in a different manner. Over to you.

Jim: I totally get that. Here we go guys. This is what you guys think. The big one they think is struggle to build back trust with customers, and the second one, 26% is that the data loss is far greater than anticipated. Richard, do you have any thoughts on this, please?

Richard: Yes. You mentioned on the previous slide about the fact is that the airline is in financial tenterhooks really. That would be a concern, a lot of customers that we seen a lot of airlines go down. Building back that trust with the customers that you are a viable airline is probably going to be the biggest thing that you've got to do after this. These cyber-attacks are desperately destroying so much of the fabric of a really great organisation.

As I might have said, the effect of a cyberattack takes a long time to really figure out. All this happens in the first few days, et cetera, but the data loss could well be greater. Those two being the highest bigger ones, I think is right, but the biggest focus in anything like customer-facing organisation will be to build the trust with the customers going forward.

Jim: All right. Very good. Thank you very much indeed. We've got a few points here from our listeners. This is from Ravi. Every other scenario can be somehow addressed through comms and mitigating controls. Trust is hard to rebuild. Indeed it is. That's a good point. John is saying excellent session. Thank you very much John. Stephanie is saying all of the above. Well there we are guys. We seem to have rushed towards the finishing line. We do actually have a couple of minutes left. Amar, did you have any other points that you wanted to make on this scenario or indeed any other points you want to make about handling a cyber crisis?

Amar Singh: Well, thanks folks. Like I said, everyone, thank you for taking the R out or you can see my miniature Yorkshire carrier. That's the one to compensate for those looks. Absolutely, muscle memory, muscle memory for crisis. I think I can't say that too many times because you may have all the best documents. You may all the best plans, but if you can't access those documents, that's where YUDU crisis management approach comes in.

If you don't have muscle memory, if you don't tabletop it, if you don't practice it, you are going to make mistakes. Like I said, I've got some grey hair here, and if you see that, it's because we've been through that many attacks almost, I will make mistakes because you are under pressure, people are shouting at you. You've got to build that muscle memory and you've gotta have the app.

You've gotta be able to do out of email. Email is not a crisis management tool folks. Remember that, please. Especially in cyberattacks, email is not a crisis management tool. Get an app. Talk to us if you want about tabletop exercises, incident response planning training, et cetera, et cetera. We can work with you on all of that. We have a free incident response plan template that you can use. I'll keep quiet for now. Thank you, everyone. Thank you, YUDU.

Jim: Thanks so much. Richard, do you have a final thought for us before we close?

Richard: If you look at the story of so many of these attacks, is that communications or communications failures is one of the main things that somebody points out, how do you talk to three million customers? Maybe you, as Amar is saying, if you've got a cyberattack, they've been in your system for maybe three months, four months, who knows, you should assume that all of your communications are probably infected. They're reading the email chain you're doing.

There's lots of instances where the whole of the crisis response being communicated by email is just being read by the hackers and you're just being tracked around and they're ahead of you. You need to be thinking about your communications that need to be parallel and independent from your existing ones because those well, could be compromised and you may well not have access to your broadband. You may not have access to internet because that's all been-- that makes crisis management in a cyberattack hugely more problematic.

We talk about a lot of things we did today. We assume we are able to communicate, but that isn't often the case. It's a really tough ask and cyber is the challenge that we have got now for this year and for 10 to 20 years ahead of us. We've got to get on top of it.

Jim: All right. Thank you very much, guys. Thank you very much indeed. That brings us to the end of this cyber simulation. I hope you find it fun, but I also hope you found it very useful as well. Maybe there's some thoughts and ideas that you can take back to your own organisations that you need to think about. Good. There will be a recording of this made available shortly, but in the meantime, I'd like to thank the BCI for hosting this with us. Thank you very much to them. It's goodbye from Amar, it's goodbye from Richard, and it's goodbye from me as well. Thank you very much indeed.

Amar: Thank you, everyone. Sorry, not sure what happened there. Catch you later.
