Host
- Philippa Lamb
Guests
- Peter Davenport, Crisis Communications Specialist, Definition Group
- Michael Hoare, Director, Kekst CNC
- Neil Hare-Brown, Founder, Storm Guidance
- Nadeem Raza, CEO, Microlise
Producer
- Natalie Chisholm
Transcript
Philippa Lamb: Hello, it’s October now and it's Cyber Security Awareness Month. Not that any of us really need reminding just how big a threat cyber crime poses, given the incessant cyber attack headlines this year – M&S, Harrods, the Co-Op, hospitals, Heathrow and European airports, and right now, of course, Jaguar Land Rover (JLR) and Asahi. Those household names really are just the tip of the iceberg, because the effects of those breaches ripple far and wide across their supply chains too.
Neil Hare-Brown: I feel like really that we are at the same position that we were with health and safety back in the mid ‘60s, and that what is needed now is almost a simplification of the situation, and to bring in a single law, which applies to all organisations, very much like health and safety.
PL: So, what to do if the worst happens? What does a good response look like? And where do organisations tend to go wrong?
Michael Hoare: It's critical that you're trusted, that what you say is trusted, but you can't build trust in a crisis. You have to call down on that bank of trust you've built over years and years as a business.
PL: Michael Hoare is former director of national security communications for the UK Government. He's now with crisis communications advisors Kekst CNC, and he's here in the studio, as is Peter Davenport, former Times journalist and now crisis communications specialist with Definition. Joining us remotely from a business trip overseas is Neil Hare-Brown, founder of cyber security response experts Storm Guidance.
You have all worked with multiple organisations which came under attack. As we know, the number and disparity of attacks is on the rise. Michael, it feels like this is really accelerating at pace. But is that just because there's more reporting, there's more transparency about it, or is it really moving that fast?
MH: The capabilities of threat actors are definitely increasing, and we're seeing that the work on cyber security has improved, and we shouldn't sort of neglect that businesses have got better at taking some of the basic steps that they need to take. But unfortunately, threat actors haven't paused and waited for people to improve their defenses. So, now we are seeing more incidents. We're seeing tactics change, and we're seeing the impact, therefore, on businesses change.
PL: Yeah, they've really stepped up, haven't they? I mean, we know a lot of hackers are offshore. We know some of them are highly organised. Do we have any sort of sense of what sort of organisations they are?
MH: Well, I think one of the interesting things that we see in the incidents that we work on is that the threat actor landscape has fragmented a bit. So, there was a period where there were a few threat actors that really dominated, and we saw them repeatedly on incidents, partly because of law enforcement action and partly because of unwanted attention that these guys were attracting. They have fragmented, and you have seen them splinter and send out. There's more threat actors out there, unfortunately, with still a very high aggregate effect.
PL: Because Neil, I think a lot of us picture highly skilled hackers in darkened rooms, don't we? Is that accurate now, or is the new generation of hackers something else?
NHB: That still applies to what we call the apex threat actors, the apex cyber criminals. If you look at the top of the stack, the Russia-Ukraine war changed things quite considerably as well, because a lot of cyber criminals based in both of those countries decided it would be a really good idea to skip the draft and exit the country. That led to some of the fragmentation as well that Peter was mentioning.
So absolutely, you know, the threat actors have been developing new techniques, new methods, and some of that – specifically with some of the Western cyber criminals – is based in the UK, in Europe, in the US. They've begun to change their tactics, or focus much more on social engineering and deception, rather than just pure technical attack. Certainly, the numbers of attackers that are able to use easy-to-use software written mainly by the apex cyber criminals – sort of software as a service or malware as a service – and they're using those tools. That's expanding the number of affiliates and threat actors in the lower echelons that aren't specifically technically competent.
PL: Michael, outright bribery of individuals plays a huge part now as I understand it.
MH: Yeah, exactly, as Neil said, we're seeing social engineering being a much bigger proportion of the capabilities that people are using above just the technical capabilities. They can do basic research on the people that they're going after, understand their vulnerabilities, and really press on those vulnerabilities, potentially in pretty unpleasant ways. And you see that a bit in health – how threat actors behave once they're into an incident and how they deal with the organisation that they're targeting and trying to extort ransom from.
PL: OK, so there's blackmail of individuals, but there's also just paying individuals, presumably to assist them with things like passwords.
MH: You do see insider threat where people are paid, people either extorted or have, as you say, just been paid to give access where the threat actor wants it. So yeah, all of the above, sadly.
PL: Peter, crisis comms is your area. How well prepared are most of the organisations you work with when they come under attack?
Peter Davenport: I spend a lot of my time with our team working with companies to build plans [and be] effective planners. Because the thing about a crisis, of course, is that you can't predict when it's going to happen or precisely how, but there are certain fundamental steps you can take, and that's about having a coordinated plan. So, if the crisis does happen, everybody knows what to do, who's going to be affected, both internally and externally, what the impact on the organisation is going to be, and some initial scenario planning around responses. This means you're not starting on the back foot, and it brings some order to what can be a chaotic situation.
PL: But clients who come to you that you haven't worked with before, who are under attack right now, how resilient are they?
PD: It varies. I looked at a report yesterday from the government, which said I think that this year, there'd been 612,000 companies who'd been the victim of some kind of cyber breach, and 61,000 charities. And I think a lot of it depends on the size and sophistication of the business. Some of them are quite naive. Others have got some level of defenses, and that's usually helpful.
But [we are] managing the narrative around the communication around the incident. We don't solve the incident, but we manage the communications, and that often means understanding where the story is heading, what the next day's headline is, and if that's going to be really important, so they can get ahead of that. And importantly, they need to be seen as a source of truth, having empathy and communicating consistently, not just once. I think [it’s a] big danger you can get into because cyber incidents, particularly, can be so fast-moving, something you say today, in all honesty, may be changing tomorrow by changing circumstances. So, it's caveating what you say with what we know now.
PL: I want to talk more about that in a minute. But Michael, before we do that, we've been talking about business. But what about the public sector? This is where your earlier expertise lay. Does the motivation tend to be different, or is it just the same?
MH: The motivation for the threat actors can be different, because when they're targeting the public sector, sometimes they're doing it for espionage reasons and looking for information, but often it's the same. Often it's for financial motivation [and] preparedness can be a bit different.
The public sector does do a bit more of the readiness work. I worked in comms teams around government, where we had comms plans ready, exactly as Peter described, for different scenarios. And the responses can be a bit different than in the private sector. You see more payment of ransom [in the private sector], for example, than you do in the public sector. But the core challenge, particularly in the communication space, is the same, which is that you are in a scenario where what you think are the facts at the beginning of an incident quite often change pretty rapidly, and can look very different later on in the incident.
Communications handling is around incremental steps as you build up your confidence in the picture of what's happened, trying to put the audiences that Peter mentioned on a trajectory, so they feel like you're gripping the incident, and then comms is being integrated into the operational response. So, what you're saying internally and externally is totally consistent with the forensics picture. It is hugely important, whether it's in the public sector or the private sector.
PD: That's absolutely right. My internal and external [communications] have to be consistent.
PL: I’m interested to look back to the point you made about paying ransoms. Are public sector organisations fettered on whether they can do that or not?
MH: Some of them are. There are more limitations on what the public sector can do. And the government has just finished a consultation on broadening that group of public or linked-to-public sector organisations who might be more limited in their ability to pay.
PL: Yeah, because we've seen hospitals, big hospitals here, haven't we? Would they fall under that fettering or not?
MH: Well, I think there's a generally accepted principle that if there's a threat to life, then people will have the flexibility to be able to pay. What we have seen in the health sector, which is interesting, is threat actors backing out. For instance, we saw this with the health executive in Ireland, where threats [were made and then] having realised the damage of what they were doing, they actually pulled back and handed the decryption key over. I think the health sector is still clearly a target. There's a lot of data, there's a lot of vulnerability, but it's quite complicated from a threat actor's point of view as well.
PL: What does that say about those hackers? Because you think that'd be quite a predictable outcome, much like the nursery data breach that we saw recently.
MH: They're very strange organisations in some ways. Of course, they're criminal outfits. They can be very reactive, and they respond to what they see in the media, the reactions they're hearing from people, and then respond, rather than going in strategically. And it's worth remembering, quite often, that with the targets that they hit, they may not have done so in a deliberate way. They may have put out an exploit, and then, they sort of see what they gather. So, yes, not always particularly strategic.
[Laughter]
PL: No, obviously!
NHB: That's what we are used to and it makes it very hard for government as well, because of the international nature of the cyber criminal community, and the very fact that they are extra-jurisdictional makes it very hard to bring them to justice. And that's exactly why they operate in that way. But certainly it makes it very hard for governments to, if you like, ring-fence the problem because it's outside of their jurisdiction.
Lots of these attacks are not specifically targeted. They're a little bit like burglars that drive down the street and happen to see certain properties that are vulnerable and break into those, but they haven't necessarily targeted those organisations first. That's changing a little bit with some of the social engineering attacks, where the attackers actually do know the organisations that they're attacking. But when it comes to the technical ‘drive-by' type attacks, they only realise who those organisations are once they've actually compromised them.
PL: And of course, planning for an attack is very different to actually experiencing one. So let's hear now from Nadeem Raza, whose fleet logistics firm Microlise was hit by a ransomware attack in October last year. The attackers gained access to their network. They changed all the admin passwords, disrupted pretty much everything for them and, of course, some of their worldwide clients. Fortunately, the company did have a good plan, and it worked well, but as Nadeem explained when I spoke to him earlier, there were still unexpected problems.
Nadeem Raza: Now, the fortunate thing is that none of our clients' data was actually taken. So essentially, the extortion was all about ‘We've got some of your corporate data’, which from our perspective, wasn't really that valuable. The bigger impact was that the malware that they launched impacted our corporate network, but also bled through into our data centres where we run systems for our customers. That essentially had the impact of bringing those systems down and impacting the operations of quite a lot of our customers. Not everyone, but quite a lot of our customers were impacted because of that.
PL: You obviously had a defense plan in place for this sort of attack. All organisations think about this right now. Can I ask you, how well did it perform in real time?
NR: So I would say, generally, pretty well. And obviously, we were able to recover and bring systems back online and restore things for some customers, within a few days. I think the longest downtime a customer experienced was three weeks – just to say that, the industry average is about a month for systems to come back online. So I think, we were at a pretty good place there.
The thing that we learned, that I think it's worth pointing out, is that we have plans, and we executed those, and all those things went very well. But what we hadn't anticipated was the security protocols that some of our customers had, that we also had to go through to enable those systems to be recovered for them. And a lot of our customers have their own security protocols.
For example, one customer said, ‘Well, we can't allow access back into your system unless we change all of the passwords for all 3,000 or 4,000 users that we've got using your system, right?’. So, that in itself caused three or four days of additional downtime for that customer, because they had to redo all of those passwords and communicate to all those users. It was those sorts of things for individual customers that we just hadn't anticipated.
PL: Neil, it's interesting, isn't it, that they had good preparedness, and their insurers, as I understand it, provided a range of external experts to help with various aspects of the breach, but they still ran into this unforeseen issue at the interface of their own systems and their clients' systems. It is very hard to scenario-plan for every potential problem.
NHB: Absolutely, [with] the cyber incident exercises that we do, we're an assured service provider by the National Cyber Security Centre, and we really do try to put together scenarios that are both realistic and take into account all of these issues. It's absolutely the case, though, that just like any plan, it never survives first contact. So, it's really useful to run these exercises on a regular basis, so that you can learn about those potential choke points early on and obviously in a controlled scenario, rather than an actual incident. And that's certainly something which I think has become clear, looking at the way that incidents have played out at M&S and JLR, and some other incidents, that it doesn't appear that they had really had thorough cyber incident exercising to test their plans.
PL: Obviously, we don't have time to get into the ins and outs of all the major UK attacks we've seen this year, but I would be interested to know your thoughts about pulling out lessons from them. Michael, which ones would you pick out as having responded particularly well, or, dare I say, poorly?
MH: It's always interesting to hear a company's pet talk about an incident. And there are a couple of things in there that really struck me. One is that point about the link to clients, and it's true in operational terms. It's true in comms terms that you are so dependent on the system in which you operate. And it's true for all firms, and particularly true for accounting firms. And really having gamed out how people are going to react, and how you're going to reach them, even if your systems are properly disrupted. And then the second was the point at the beginning, about the difference between data loss and disruption. And those two beasts can behave really independently in a cyber incident. So really interesting to hear that.
In terms of lessons learned, what we have seen, we talked earlier about the extent to which your understanding of what data was affected can change over time in an incident. We saw that in the TFL [Transport for London] case, of course, where they had to readjust their position on that. I thought we did see some best practice in those instances with M&S at the beginning. The way they reached out to customers where they were through Instagram, etc, and their leaders took personal accountability, which was an impressive bit of comms.
PD: I agree, I thought M&S handled that pretty well, actually, by using multiple channels, whether it be face-to-face in store or with the leaders using their own personal channels. I thought that was quite effective. I think one of the issues, getting back to the actual physical communication, is making sure that you have an alternative communication channel, because if your entire system goes down, that may also include your communication channel. Having a shadow method of operation, I think, is quite critical. So, it's obviously the last thing people think about. It should be the first thing.
The other thing is to make sure the comms are embedded in the business continuity team as well. They are trying to put the business back on an operational footing, so they understand, as Michael said, changes can be by the minute, almost by the hour. [This is] to make sure the comms you're putting out aren't hostage to fortune for changing circumstances later.
As I said earlier, it's also about caveating what you say based on what we currently know, this is the consensus, and it's making sure you understand all your different audiences, how they may be affected, the best way to reach them and communicate. And picking up Neil's point, test out the plan, I would say, every six months, just desktop exercises to run through that [because] personnel changes, circumstances change, business changes. So it's important to do that, not just put it in the drawer and forget it.
PL: It's really interesting. You talk about shadow communication systems, because Nadeem ran into this issue too. Let's hear him talking about what he learned about that particular issue from his own breach.
NR: I think there's two aspects to external communications with customers. One is there's public communication, and secondly, there's private communication. So public communication, unfortunately, has to be very, very limited, because the hackers are going to be listening in on that. So, you can't let them know what you know, because they may still be within some of your systems. People ask the question, ‘Well, what happened?’. And you can't say, ‘Well, this is what happened’, because that tells the hackers you know certain bits of information that you don't want to tell them.
So, there's a lot of public information and I really feel for M&S and some other people that have gone through this recently, because that does really limit what you can tell. Everyone's crying out to find out more about what happened, and you can't tell them anything because the hackers are listening in on that, and you don't want to give them that advantage. The private side of it is that we set up secure channels.
We set up, you know, alternative communications to our customers and security teams, because the biggest concern that they had was how it impacts them. Are any of our own systems at risk because of this cyber incident? Because obviously we have communication links into lots of our customers in all sorts of different ways. So, we had to set up other secure channels into our customer security teams to keep them updated about what we actually knew and what we were doing to ensure that they were protected, what advice we could give them, for them, what to put in place to avoid that kind of incident happening at their end, etc.
Overall, when we did a review with a lot of our customers two or three months after that, we had really good positive feedback on how we had handled that communication. A lot of our customers, particularly their security teams, were very complimentary about the fact that we'd given them a lot of insight and information about the incident, what happened, how to protect themselves, and so on. So there are two aspects to it, and I think you do have to be careful about how you handle public and private communication with suppliers and partners.
PL: It’s interesting, Michael, isn't it? This tension is like multi-dimensional chess at the moment, isn't it? Because, obviously, particularly for an organisation with such a social contract like M&S, they need to be talking to their customers and their shareholders, but with this issue of how we don't want to be informing the hackers of what's going on under our roof right now. How do you contend with that?
MH: It's fascinating to hear him talking about that, and it's totally spot on about this distinction between public and private. Part of that is about threat actors listening. As I say, we are increasingly seeing threat actors try to force the issue into the public domain, either by engaging with journalists or making threats to members of staff.
So, if [the hackers] want this public debate, for prudent handling, as Nadeem says, keep that out of public and engage people in private, explain to them what's going on as thoroughly as you can. Of course, there's always a chance that things might sort of leak out. You've got to do that judiciously.
But we find the incidents where people handle them well, and the noise and the reputational damage around them is minimised, is where they've done that engagement. They've spoken to clients, they've spoken to suppliers. They engage their own people and they do it incrementally.
You don't pretend you know everything that's happened immediately, because either you don't or it turns out to be wrong, but you give people information on a rhythm that you can engage in where you have the right level of confidence to share that information, and you do it in private, and then the incident is much better contained, exactly as Nadeem has described.
PD: Can I just pick up on a point there? I think something you mentioned earlier, I think the important thing is that when you're the victim of the attack and you're trying to communicate, it's critical that you're trusted, that what you say is trusted, but you can't build trust in a crisis. You have to call down on that bank of trust you've built over years and years as a business. I think that's why M&S was so successful. Their customers want to believe them. They trust them. And I think that's so critical in a crisis.
PL: That's an interesting point. Neil. Jaguar Land Rover is going through this right now. I don't know what your assessment will be of the level of trust and social contract they have, but do you feel they're handling it well?
NHB: I think with both M&S and JLR, from a sort of technical standpoint, it's clear that their recovery has been significantly affected. For every cyber incident that occurs, there is an investigative aspect to the response, and there is a recovery aspect to the response. And actually, it's very important to ensure that those technical folks who are dealing with the first responders are separated from the executive team, and that there is a go-between. We find that that works.
I'm not sure with M&S and JLR whether they have got a very tried and tested response process, but one of the things which seems to me very evident, is that when it comes to their recovery, they haven't – although they may well have – data backups that are appropriate for the recovery or the restoration of specific systems as would be affected on a normal day-to-day basis, but not in the case of a cyber incident. One of the things that we're seeing here is that when they lose all systems, when all systems are affected, it really challenges them. It really challenges their recovery process. And that can often be very, very complex. Sometimes, if they've actually lost data and they haven't got good backups, they then need to think about what they're going to do with the threat actors. Are they going to negotiate to be able to recover the keys to decrypt the data that's been affected?
So, all of these things, I think, add to the length of time, and that's very important from a comms perspective, so that the comms experts who are advising the senior management of these organisations appreciate how long the timeline is likely to be. Obviously, that can change all of the time, but if they do appreciate that, they can actually step their communications at that same cadence, so that they're following the recovery as it proceeds. Obviously with M&S and JLR, these have both been quite extended recovery times.
MH: That's such an important point that Neil makes about the timing there. And this would be particularly acute for accounting firms, but we see it in a number of sectors. When your clients know that something has happened, it could affect their operations. It could affect their data. They want answers as quickly as possible – and there's a real temptation to try and meet those requests and provide answers as rapidly as possible.
But as Neil says, it's really important from a comms perspective, to come at it from a perspective of saying we are going to get you those answers as soon as we have them on a decent level of confidence, and that we know that what we are telling you has a reasonable chance of being accurate. And so that is a crucial balance in handling an incident that Neil flags.
PL: We are a bit tight for time, but I do want to ask you about the role of government here, because we've been talking about large organisations, household names, obviously, for business generally, and for the public sector. As we said, this is feeling like the new normal. So, in terms of countering the threat, is there a role for government? Michael, you're ex-government, what might we look for? There's been talk about a cyber czar, there's been talk about possible legislation, there are issues around reporting. What might they do?
MH: There is a role for government. There clearly is a role for government in a number of areas. Government brings huge expertise to this and the National Cyber Security Centre’s phenomenal repository of expertise can provide valuable advice and support. There's prosecution. We've talked about that being very difficult because so often the threat is in different jurisdictions, but that is a component of the government reaction. And there is regulation. There's regulation around the minimum requirements for cybersecurity and security by default, how we try and build that in, regulation around handling. It's really interesting.
There is quite a big emphasis at the moment on data loss and how companies are held responsible for data loss. I think we'll increasingly see a focus on company responsibility for the impact of disruption as well, but that is all to come. The government has, just as we mentioned earlier, recently consulted on the handling of ransomware, potentially expanding the bits of the public sector that are caught by limits on payments, and requirements for companies to report to government as they consider paying ransoms.
Those kinds of steps, I think, could all potentially help. It's something that the government will have to feel its way through, because this isn't straightforward and there are sort of pros and cons either way. There's an education piece as well, and bits of the system do a great job in terms of trying to raise awareness of cyber security basics.
But when we ask about the role for government, we do have to keep coming back to what all companies and organisations can and should and, frankly, must do to make sure that they're protected from a cyber security point of view, prepared in terms of readiness, whether their comms plan is going to be in an incident. I think there's responsibility all around.
PL: I want to ask you all for your top tips, actually, to wrap up with. But before I do that, how much appetite do you think government has? Clearly, for critical infrastructure, national infrastructure, there's a key role for government to protect its own infrastructure. How much appetite do you think it has for interfering in the private sector management of this?
MH: I’d say generally that the government doesn't want to have to intervene. It would much rather that the private sector saw the importance of its own cyber security and prepared itself automatically, and that the insurance industry worked in a way that didn't propagate a vicious circle of cyber security incidents. Unfortunately, at the moment, we are seeing that there's pretty high volume. Security isn't where it should be, uniformly across the place, and we are still grappling to find the right balance there.
NHB: I agree with that. I think that we're actually at an inflection point. I've been in this field for 40 years now, and I think sometimes the government can have a problem with taking its eye off of the prize, and the prize is to significantly reduce the amount of cyber crime, the number of incidents. And I feel like really that we are at the same position that we were with health and safety back in the mid ‘60s, and that what is needed now is almost a simplification of the situation, and to bring in a single law which applies to all organisations, very much like health and safety where, essentially, executive management are ultimately responsible for acts of gross negligence, for cyber insecurity. And I think until we do that, we will not actually see organisations, en masse, raise their defenses above the level where they can be easily compromised, which is the current situation.
PL: That will be a very major step, wouldn't it, Neil? But, slightly reining it in, are organisations spending enough on this right now? Because I know that you have a question in mind about that.
NHB: Yeah, we find, with many, many years of work in this area and responding to hundreds and hundreds of incidents, that if you were to look for common problems with all of those victims of crime, we've got seven key issues that we find coming up time and time again, and one of them is budgeting for IT security and cyber security. And that for those organisations, it's generally below 1% of their annual revenue. And when you think about the level to which those organisations are reliant on digital services and information systems, it probably needs to be revised. For many organisations, they're simply not spending enough.
PL: Peter, would you echo that?
PD: I would. And I just think, from my point of view, essentially [you need to] have a plan. Be prepared from all aspects of what we've been talking about. And I think just talking about the private and public communications, ‘no comment’ doesn't mean no story. It's about saying enough, not saying too much. And as Michael said, doing it in a measured, consistent way. But have a plan. Test it. Final thing, never lie. You will be found out.
PL: I don’t want to market your businesses, but I'm going to say this isn't core business for anyone, is it? So, do they need to accept that they're going to need expert assistance with this now? Is it just too sophisticated to manage on their own?
PD: I think even if you have a plan, engage external advisors to test it, and they may have more knowledge than you – and wider experience. I think that's really important. And if you haven't got one, get one.
PL: Michael, final word.
MH: Cyber incidents are different to normal crises for all the reasons that we've discussed. I'd say for an accounting firm listening to this thinking, what does this mean for me? Test yourself on three stomach-dropping moments in a cyber incident. The moment the disruption kicks in: how are your clients going to respond? How do they feel? What does that mean for them? As we heard from Nadeem, really gaming out what that's going to mean with them.
Second, with that decision about whether you're going to pay a ransom or not, it's amazing how often we find clients where it's like they're having that discussion for the first time, [instead of] really thinking about the difficult elements of that discussion ahead of time, so that you're ready for it.
And lastly, the moment we have to notify the data subjects. Tell them, ‘I'm sorry we lost your data.’ Work through that moment in peacetime, before you're actually in an incident. If you thought through those three moments, you'll be better prepared psychologically, and almost certainly operationally, for an incident when it does come.
PL: There’s so much more I want to ask you guys, but I'm afraid we are going to wrap it up there. Thank you very much, everyone. Next time, we'll be looking at the best and worst generative AI models for spreadsheets, and the worst one may surprise you, in the episode after that. Then we'll be looking at the FRC's take on guidance around AI in audit, and pressing them on how well it will work in practice. Do not miss the latest Tax Track. Our sister podcast is currently digging into some of the big concerns around the draft legislation for this year's Finance Bill. And finally, remember you have been doing CPD simply by listening to this episode, so be sure to log your listens on the ICAEW website. Thanks for being with us.