Cyber events have typically demanded that organizations quickly defend against a breach, and determine the extent of access granted to customers’ personally identifiable information and the company’s own intellectual property. A new twist to the situation asks — what if access to that PII and IP means that physical injury to customers is a possibility?
That is the scenario that cyber experts – and these were the *official* experts in dealing with data breaches — grappled with this week at Advisen’s Cyber Risk Insights Conference in San Francisco. They included Bo Holland, founder of AllClearID; Lara Forde of ePlace Solutions; Joseph Abrenio of Delta Risk; David Dahlquist of Advisen; and Brian DaCosta of Kivu Consulting.
They handled it calmly and with aplomb, as befits the level of expertise on the panel. Any other true organization would likely not have the skill at hand –which is instructive in explaining to clients and companies that may be at risk for a breach.
The event asked participants to deal with the hypothetical scenario involving Aston Maureen – a California-based car company that began its Monday morning by learning from the FBI that its intellectual property had been discovered on the dark side of the internet. It’s a moment that every organization dreads. As Advisen’s assembled team members discovered, the situation can get worse very quickly, as breaches turn from purely data-based to operational concerns.
This event was the second such simulation held by Advisen, designed to explore what it’s like to be in the trenches of an organization during a security breach. For this exercise, we invited the Blue Team – a group of cybersecurity professionals – to pose as the CEO, general counsel, communications lead, and other executives of a company and respond to a suspected breach in relative real-time. The exercise was designed to test their skills and call upon all their resources to make the appropriate decisions.
In this event, the Blue Team decided communication and dedication to customer safety represented the key to weathering the security breach. Details regarding the breach were sketchy. The FBI found that proprietary vehicle designs of Aston Maureen’s were discovered circulating about the internet, but offered few other details. This situation escalated rapidly, with company representatives quickly learning that a database of personnel records had also been compromised. Oh, and one prominent security journalist came knocking within short order, to heighten the pressure for Aston Maureen “executives.”
The first step, per the Blue Team? Identify the stakeholders. Not surprisingly, customers came out on top of this list. This exercise went beyond the type of data breach that has become commonplace. Employee information was compromised, yes. A breach had occurred. But this breach delved into the area of potential physical harm relating to a cyber attack. The intellectual property that had been stolen related to “smart” vehicles with computer-programmed engines and locking mechanisms. It quickly became clear to the exercise participants that consumers could be harmed not only via the release of their personal information but also by the fact that the safety of the cars was no longer in the hands of the manufacturer. Without that assurance, the participants noted, “We are no longer in control of the quality of our vehicles.”
And that’s where the digital rubber met the road. Participants understood that it does no good to portray the organization that experiences a data breach as the victim, even though it is the company that calls upon its cyber insurance policy and pays out the costs and completes the public relations tasks. The customer is the victim. And in this case, the consequence represented not financial loss, but potential personal, physical harm. This is the reality of security breaches. This is where they could be heading. Cyber criminals, while in many cases very interested in personal financial gain, also view the disruption of economic security and public safety as a pretty reasonable goal.
As technology advances, security breaches will reach a level to which corporations have to consider not only their only financial and reputational risks, but the risks to the well-being of their customers. It’s a new world of threats for security experts to consider. And the experts involved in this exercise agreed that the way to prepare and protect must include this type of cyber attack simulation. The time to prepare for a breach is well in advance, while the situation is calm and, above all, theoretical but realistic. Corporations will only survive security breaches by hoping for the best-case scenario, expecting the worst-case scenario, and planning to respond to every eventuality in between.