Convincing the CEO to budget for Cyber Security

www.CyberRescue.co.uk

Convincing the CEO to budget for security - making it personal

Tallinn, Estonia

[email protected] +44 79 20 76 65 30

15th November 2016

Cyber Rescue works in 9 countries

Executive Simulations

Crisis Response Plan

Coach for Cyber Attack Response

Protect & Test Your Suppliers

Protect & Test Your Staff

Protect & Test Your Network

Lead Recovery

Learn from those who suffered major attacks.

Prepare your team to make key decisions.

Reduce Harm

Mitigate vulnerabilities that can hurt reputation and revenues.

They’re not just in IT…

Option 1: Show market data

Typical Executive Response: “OK, the market must fix the problem”

Option 2: Show company data

Typical Executive Response: OK, the IT Director must fix the problem

Option 3: Simulate a Breach

Typical Executive Response: OK, WE must work together on this

CENSORED

The short, very basic simulation of a cyber attack used at this event in Estonia is available only to Members of Cyber Rescue.

For the public, in this censored version, we are happy to share some of the information points and images used during the workshop.

Colleagues: Who gets told about their worst cyber security incident? CEO = 45%, HR = 32%, Legal = 28%, PR = 24%. (Jan ‘16)

Police: 82% of companies don’t report breaches to police (May ‘16)

68% of Directors unaware how to report cyber crime (March ‘16)

Pay Ransom: 91% of Executives say they won't pay a cyber ransom. But 64% do (June ‘16)

Consumers’ stated reactions to a data breach
• 91% say "24 hours or less" is acceptable for notification (May ‘16)
• 62% “would lose trust” if company didn’t communicate (Jan ‘16)
• 32% “would have diminished loyalty after a breach” (May ‘16)
• 11% “would quit doing business with hacked company” (April ‘16)

46% of Irish companies say they would not disclose a data breach to impacted third parties (July ‘16)

Among causes of a breach, the least harmful to consumer loyalty is Human Error (May ‘16)

Time: How long for IT specialists to respond to Breach (June ‘16)
• 201 days to identify a breach (range = 20 to 569 days)
• 70 days to contain a breach (range = 11 to 126 days)

Missing Info: Log Files “often” poorly configured or unavailable (Oct ‘16)

Capability: 45% of IT security staff say they “can determine scope of a breach” (Jan ‘16)

Insurance: 52% of British CEOs think their company is insured for cyber risks. Just 2% of large businesses actually have standalone cyber insurance in the UK (March ‘15)

“The market for cyber insurance isn’t sustainable” (Sept ‘15)

Why businesses say they do not have insurance (Nov ‘15): “Premiums too expensive” (52%), “Too many exclusions” (44%)

Companies with cyber insurance but not claimed = 81% (March ‘16)

$1m cyber policy costs $5 - 25k pa for “average” company (April ‘16)

$4 million USD is the average total cost of data breach (up 29% since 2013): more in Healthcare, Education & Finance.

Abnormal churn following a breach ranges from 6.2% in Finance and 5.3% in Health to 0.1% in Public Sector.

Cost is reduced most by: Incident Response Team (-10%), Encryption (-8%), Training (-6%).

$158 USD is the average cost per lost or stolen record (up 15% since 2013). (June 2016)

53% of Breach Notifications included an offer of Credit Monitoring, which was taken up by 10% of those consumers. – March 2016

55% pa increase in spear-phishing attacks on employees (April ‘16)

52% of IT professionals re-use personal passwords for business apps

41% of Millennials install apps on work PC without consulting IT

30% of Millennials email company info to a personal email address

30% of phishing messages are opened (April ‘16)

29% of companies with mandatory data protection training give an exception to CEOs (May ‘16)

Cause of breach (March ‘16):
- 48% Current Employee
- 31% Outside Perpetrator
- 17% Related Third Party
- 4% Former Employee

For source of these quotes http://www.cyberrescue.co.uk/library/response

Simulation Follow-up

Executive Simulations

Crisis Response Plan

Coach for Cyber Attack Response

Protect & Test Your Suppliers

Protect & Test Your Staff

Protect & Test Your Network

Lead Recovery

Learn from those who suffered major attacks.

Prepare your team to make key decisions.

Reduce Harm

Mitigate vulnerabilities that can hurt reputation and revenues.

They’re not just in IT… Call +44 20 7859 4320, [email protected]
