Respond, Recover, Thrive to a Cyber Breach Channel Islands ...

© 2020 Deloitte LLP. All rights reserved.

Respond, Recover, Thrive

Channel Islands Advisory digital transformation webinar series, 26 May 2020

Responding to a Cyber Breach


Contents

01 Introduction

• Introducing your team today

• Recover and Thrive through digital transformation

02 Main Presentation

• The first few hours of a data breach investigation

• Operational challenges of responding to a cyber incident

03 Q&A

Introduction

Our digitally themed webinars focus on Recovery as a journey, highlighting how having a clear digital strategy in place is more important than ever

RESILIENT LEADERSHIP: BUSINESS RECOVERY FROM COVID-19

RESPOND / RECOVER / THRIVE

OUR WEBINARS SUPPORT FIVE IMPERATIVES WITHIN “RECOVER” TO GUIDE THE BUSINESS FROM “RESPOND” TO “THRIVE”

1 – Understand the Required Mindset Shift

2 – Identify and Navigate the Uncertainties and Implications

3 – Embed Trust as the Catalyst to Recovery

4 – Define the Destination, and Launch Recover Playbook

5 – Learn From Others’ Successes

• Future of Work

• Understanding RPA, Cognitive & Intelligent Documentation

• RPA – scaling and digital roadmap

• CBS – Building digital workflows

• Cyber Response

• Intelligence Services

• Customer Support

• Future of Work

• True Voice


Shaping the Future through Digital Business


The first few hours of a data breach investigation

Agenda

• Cyber attack trends: What attacks are the most prevalent?

• COVID-19 attacks: How is the pandemic affecting cyber crime?

• Real world incidents: Recent examples brought to life

• Questions and answers


Cyber attack trends

Your threat landscape has changed dramatically over the last three years

Organisations that have not historically been targets now find themselves in the crosshairs of a new generation of attackers. You know it is not if, but when…

[Figure: Industries targeted, "Previously" and "Now" panels. Axis labels: "Increased focus on protection" and "Increased focus on recoverability".]

Previously: Mining; Industrial Manufacturing; Shipping/Logistics; Consumer goods; Healthcare & Pharma; Financial Services; Military / Defence; Energy & Natural resources

With lower threat levels and fewer digital processes, manufacturing industries focused more on recovery from physical events (floods, disk failures etc.)

Now: Consumer goods/Shipping/Manufacturing/Mining; Healthcare & Pharma; Financial Services; Military / Defence; Energy & Natural resources

Overview

NCSC top 5 main incident trends (Oct 2018 – April 2019)

• Office 365

• Ransomware

• Phishing

• Vulnerability scanning

• Supply chain attacks

Deloitte CIR top incident trends (Jan 19 to present)

• Office 365: 11%

• Network Breach: 11%

• Phishing or SPAM: 22%

• AWS: 22%

• Ransomware: 34%

Predictions for the future

• Phishing

• Internet of Things

• Cloud

• Supply Chain Ransomware

• Operational Technology


COVID-19 Attacks

COVID-19’s effect on the cyber world

COVID-19 targeted phishing campaigns

Following themes of treatment, unemployment benefits, company memos regarding employment etc.

High utilisation of infrastructure

The pandemic has caused a spike in online activities causing many service providers to take action

Rapidly deployed services

New infrastructure has been rapidly deployed with functionality in mind and not security

Working from home becoming the new norm

This introduces new blind spots into an organisation’s endpoint and network security

People are uncertain

Users are more likely to click on links, answer phone calls and make mistakes


Real world incidents

What are your first steps?

• Malware Analysis

• Root cause Analysis

• Incident Investigation

• eDiscovery

• Forensics incl. Chain of Custody

• Insight, Co-ordination and Leadership

• Regulator Communications

• Internal and External Communications

• Legal Counsel Activities

• Take-Down Notice

• AD Recovery & Hardening

• System Hardening

• Technology Rebuild

• Service Recovery Priorities

• Data Recovery

• Platform migration (e.g. O365)

• Threat Intelligence

• Protective Monitoring

• Helpdesk

• IT System Recovery

• Vulnerability Management

• Implement & Test New Security Controls


How do you prepare for the chaos of an incident?

“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

Abraham Lincoln

Maturity Assessment Process Development

Training and Awareness Simulations

Threat Hunting

Operational Challenges of responding to a cyber incident

Agenda

• Regulatory observations and challenges: What are the operational challenges?

• Operational Complexity: Scaling your business to respond

• Questions and answers

Current trends and Regulatory considerations

Data Breach Figures 2020 projection *

Global Averages and projections

• Average total cost of a data breach: $3.92M

• Cost per lost record: $150

• By 2021 business will fall victim to ransomware attacks every 11 seconds

• By 2021 cyber crime estimated to cost the world annually $6 trillion

• Records breached in February 2020 hit $623 million

• 67% of data breach costs occurred in the first year and data breach costs in the second year were 22%

• By the end of 2020 the average cost of a data breach for a major organisation will exceed $150 million

• The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020.

• By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion

• 83% of enterprise workloads will move to the cloud by the year 2020.

• Worldwide spending on cybersecurity is forecasted to reach $133.7 billion in 2022


Breach notification requirements during the coronavirus crisis

A legal perspective

The ICO’s approach to regulatory action will follow the theme of reasonableness, empathy, and pragmatism according to ICO’s latest guidance*. Five key points with regard to the enforcement of regulatory action:

1. Data Breach Notifications: 72 hour threshold remains but ICO will recognise that the current crisis may affect this reporting time period and will assess on a case by case basis.

2. Investigations: ICO continues to conduct investigations into serious non-compliance but may give organisations more time to respond.

3. Fines: The ICO will consider the economic impact of the ongoing crisis on organisations, which means we will see a drop in the level of fines issued by the ICO.

4. ICO reaffirms its commitment to take strong regulatory action against any organisation breaching data protection laws to take advantage of the current crisis.

https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf

The JOIC states that “As our Island responds to Coronavirus, we would like to reassure our community our office is continuing to operate and provide all of our regulatory functions as normal.”

1. Timescales – Statutory deadlines will not be extended; however, there is recognition of the challenges and delays that the crisis may cause

2. Communication (DSARs and breaches) – Communication to data subjects must continue, although they are likely to understand the difficulties your business is facing. “You should ensure that you continue to communicate with the data subject, explaining any delays and advising them when you hope to respond to their request”

3. Existing legislation and legal obligations continue to apply - the data protection legislation provisions remain unchanged.

https://www.inforights.im/organisations/covid-19/

Data Breach characteristics

• Fast-evolving, complicated and involve ransom demands

• Complex stakeholder environment with high expectations

• Victim vs. villain

• Facts are often unknown resulting in confusion

• Uncompromising timeframes

• Technical response but non-technical audience

Additional COVID-19 Challenges

Lockdown Challenges

Customers – what additional support might they need? What sensitivities are there for customers currently?

Financial difficulty / Healthcare challenges

Complexity – Response requires large scale operational infrastructure and technical expertise. In house or third party.

Can you manage this in the current conditions?

Scale – Can you scale up your capacity to respond to a surge in calls, when many of your staff are unavailable? (furloughed / working reduced hours / unwell / childcare)

Continuity – To what extent can you continue to operate effectively with your BAU core functions under the current crisis conditions and manage an additional large scale incident?


Managing operational complexity

Operational realities of a breach

A limited view of what you need to consider

Operational challenges

A complex stakeholder environment

• Cyber Incident Response

• SOC

• Tech Response

• IMT

• Customer centre

• Comms

• Social Sensing

• Credit monitoring

• Forensics

• Insurance

• Threat intelligence

• Dark web monitoring

• ID Protection

• Privacy Legal counsel

• Vendors

• PR support

• Investor Relations

• Board

• Markets

• DPO

• Customers

• Regulator

• Exec CMT

Ensure your customers feel informed and supported

The challenge – a good customer experience

How should you support your Customers in the event of a Data Breach?

Communications

Develop customer messages and the customer engagement strategy

Capacity & Capability

Provide guaranteed, retained engagement capacity using our trained and prepared call handlers

Speed

Provide customer notification without ‘undue delay’ informing customers by letter, email or other means

Identity Protection & Repair

Provide identity protection and repair services with multiple layers of professional multilingual customer responders

Professional Expertise

Upscale quickly with a dedicated team of experts to explain the ID risks and remediation options, assist with protection and identity repair

For further information please contact

Nick O’Kelly, Head of Cyber Incident Response, Deloitte. Email: [email protected], +44 20 7007 0136

Simeon Moss, Director, Advisory, Deloitte. Email: [email protected], +44 20 7007 6317

Angus Bromhead, Customer Breach Support, Deloitte. Email: [email protected], +44 20 7007 3046

Steve Barrey, Director, Risk Advisory, Deloitte. Email: [email protected], +44 20 7007 7971


This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 1 New Street Square, London, EC4A 3HQ, United Kingdom.

Deloitte LLP is the United Kingdom affiliate of Deloitte NSE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.
