Post-Attack: What CISOs Need to Know
“You've got to be able to have the A-team at the crisis level.” From phishing cybersecurity attacks to crisis-simulation challenges, technology leaders share their experiences and strategies for an effective post-attack response.
We often hear what leaders should do to protect a high-risk environment, but what about immediately after a breach? These senior technology and cybersecurity leaders shared their experiences of the immediate aftermath of an attack, including what they don't tell you in all those webinars.
Cybersecurity attack: meet the panellists
With Keme Nzerem moderating, the speakers of this roundtable debate included:
- David King, former CISO, Legal & General
- Thomas Zuliani, Global CISO, Arla
- Howard Pinto, Group CISO, Camelot
- Matt Hmoud, Head of Security Consulting, Adarma Security
Cybersecurity attack: key takeaways
Post-attack tales
Beginning the roundtable discussion, moderator Keme Nzerem asked the panellists what they have seen in the industry.
At one point in his career in the automotive industry, Howard Pinto witnessed one of his critical suppliers being compromised through a simple vulnerability. The cause? People were caught sharing their credentials online, resulting in a simple “smash and grab”.
Howard discussed the spectrum of cybersecurity preparedness, from organisations with small IT departments facing “chaos” to highly sophisticated ones with well-rehearsed playbooks and boards that understand the risks.
On the other hand, he argued that “they've all got supply chains and that's often the weak underbelly.”
With extensive experience across companies such as Siemens and Vestas, Thomas Zuliani recalled that he left Vestas one year before they were hacked. He acknowledged the challenges of analysing what went wrong in a cybersecurity incident.
Offering his advice to the panel, he emphasised the need to keep the “two tracks” of cybersecurity, the technical and the managerial, separate. “Our role is to bridge those two gaps and inform and get the technical knowledge and transform it into managerial information.”
Handling a cybersecurity attack and crisis
Former Legal & General CISO, David King, argued: “If you don't know what the processes are, then you need to review them and determine what you want to happen as a CISO.”
David mentioned the importance of preparing for potential cybersecurity incidents and the need to establish a “crisis team” that is capable of handling various types of crises, not just the cyber-related ones.
In addition to this, David emphasised the importance of integrating cybersecurity into existing business continuity operations or “set them up if they don't actually exist”.
Sharing insights from his teaching role at Oxford University, he argued that part of his CISO role is informed by academic work on how people behave when dealing with crises.
Matt Hmoud believes that all cybersecurity professionals are familiar with the idea that cybersecurity attacks never come at a convenient time.
Equipped with perspectives from “both sides of the fence”, Matt, currently Head of Security Consulting at Adarma, picked up on some key points around crisis simulation and management.
“We are, as an industry, pretty good at drilling our technical teams but it's when it gets outside of the realms of the technical, you know, who do you go to to get a sign off for a statement when Sky News have come asking?”
He highlighted the need for clear roles and responsibilities within the business during a crisis, acknowledging that communication is required between the technical teams and the Board. “Keeping the technical teams separated, part of that is the people challenge.”
The human aspect and risk factors
Circling back to the human factor of this topic, Keme stated that phishing attacks often come down to the people, with the initial breach occurring due to human error.
In agreement with Keme’s statement, Howard commented that throughout the years he has witnessed phishing attacks conducted through malware loaders such as Squirrelwaffle, which has been used time and time again for spam campaigns.
Recalling a specific cybersecurity attack involving phishing links, Howard said that it involved a link that, when clicked, downloaded a payload. Cobalt Strike, a zero-day exploit at the time, was then used, leading to malware spreading across the organisation.
Aside from the technicality of cybersecurity attack prevention, user awareness and training is considered a crucial aspect. “There's no substitute for user awareness training because a lot of the attacks to actually download the payload come in via phishing attacks.”
“How can we ask our users to be 100 percent alert when they get hundreds of emails per day?”
For cybersecurity professionals, keeping external and internal threats at bay is considered “everyday life”. Thomas argued that awareness and training would be “very difficult” to teach given people's different learning curves.
Thomas argued that by being consistent and sending simulations on a monthly basis, cybersecurity professionals can help keep their teams and organisations as a whole alert.
Are there certain groups of employees that tend to be more susceptible to this kind of risk?
David commented that part of an organisation’s security awareness training is to divulge who the “most risky individuals” are within the firm, as well as focusing the messaging to different audiences.
Frequent training is key here, but it is not enough. “People do get used to, you know, repetition in training messages… keeping it fresh is important.” This involves bringing in new ideas.
Going back to the human side of cybersecurity attack response, David argued that the real issue around crisis management is the human piece and how people respond.
“You've got to be able to have the A-team at the crisis level.”
This roundtable discussion was sponsored by Adarma Security.