
Tarek Habib - Cyber Resilience: Focusing your resilience program on cyber-attacks

BSides St. John's · 36:14 · Published 2025-05

About this talk

BSides 2024

Transcript [en]

All right. And for our last talk of the day, we have TK presenting on cyber resilience.

Hello everyone. So today we're going to talk about cyber resilience. I'll be the first to admit it is used as a bit of a buzzword, so I'll try not to focus too much on that, but focus more on the concepts that are behind it. My name is Tarek Habib. I'm a senior manager in the security and resilience group at KPMG, based out of Halifax. I studied here; I'm very happy to be back here. Most of my focus, half of my job, is cyber security. The other half is business resilience. And the reason I put the quotes here is because it goes by a few different names, and we'll talk about what those are. I do have some certifications in these areas. I'm not going to bother reading all of them. But most of my work is focused on helping companies be more resilient, not just to cyber attacks, which are the most popular, most common type of disruption, but also to other types of disruptions, which we'll talk about. I know it's a security conference, so we're not supposed to have QR codes, but I promise you that one goes to my LinkedIn page, and I'll have it again at the end.

So the first thing I wanted to start with is just some context. We hear about these buzzwords. We have business resilience, cyber resilience, anything resilience. We even have personal resilience as humans. And there are a few related terms. In the old days it used to be called business continuity management. Now the more common term is business resilience, and it's all about making sure that your business can roll with the punches. There are other terms. Business continuity planning is, let's say, a subset of it. That's one type of plan that you would develop, and I'll talk about the types of plans in a bit. And then there's also the concept of operational resilience, which is not exactly the same thing. I won't get into that, but I just wanted you to know that there's a slight difference between those. In government circles, continuity of operations is a popular alternative term. But all of this is to say I want to make sure that my business can survive almost no matter what happens to it.

On the other side, cyber resilience is a subset of it. There's probably no single definition for what it is, but the way that I would look at it is making sure that my business survives no matter what cyber issues happen. Most of it is focused on my systems, my data not being breached as a business, but also the third parties that I depend on. Sometimes that's forgotten about. If that third party is breached and can't operate, what do I do? And so that's the focus of cyber resilience. It's a bit of a subset that really focuses on that scenario.

If you do risk assessments, you'll know that there are so many different types of risks, issues, the types of events that could happen that could impact your business. One way to group them is deliberate threats such as cyber attacks; accidental threats such as something catching fire, my data center catching fire; or natural hazards such as a snowstorm or a flood taking out my data center, for example. There are a ton of examples. The distinction

here is that the most common disruption, the most frequently occurring one that I see, is cyber attacks. All of these different things happen: fires happen, bad weather happens. But if you look at the news and what's happening around us, the most frequent disruption that you find in the news is this company was hit with a cyber attack. And so that's why I wanted to focus on it. And that's where the field of cyber resilience comes in.

Some recent local examples. How many major hurricanes have we had that were very disruptive in the last, let's say, five years? You can count them on one or two hands. Communications disruptions, like not being able to use our mobility services for a day or two. How many supply chain issues have we had with global conflicts, the pandemic? You can count those, or the supply chain one is more of a slower burn. But then think about cyber attacks and how often that happens. The other distinction: these things all happen to all the companies around us, whether it's in Atlantic Canada or anywhere across the world. No company is immune to any of these types of disruptions. The specific thing with cyber attacks, though, is that it's specific to one company, or typically specific to one company and its customers if it's a service provider. And the reason I wanted to point that out is you get less of a pass if you're the company that's impacted. So if there's a communications outage, if there's a hurricane that swept through your province, you get a bit of a pass, or most companies would get a bit of a pass, on why you're not open the next day or two, unless you're a hospital or military. But if it's a cyber attack, you're the only company, the only organization, that's impacted. So there's a lot more focus and there's a lot less sympathy, which magnifies the impact of that kind of disruption.

Same with, like I was saying, if you do risk assessments, you know that there are so many different types of impacts that you can assess: the disruption of operations or services, financial costs, reputation. But if we talk about cyber attacks or disruptions, the most immediate one that's felt is not necessarily the reputational harm; that happens a bit over time, or the negative effects come over time. The most immediate one, and the one that the resilience field deals with the most, is being able to resume services. And so we start from that side and then slowly try to work our way through the other categories.

Because we're talking about cyber attacks, most of, or half of, the battle is how does my business continue to operate while my systems are down, while the investigation is happening. And the other half of the battle is how do I rebuild those systems and get back to operation? And the reason cyber attacks are so disruptive is because there are extra steps that slow you down during the recovery. So there's a concept of disaster recovery, and I don't know why this term caught on, like why disaster, but disaster recovery is typically used

to refer to rebuilding your IT systems from backups, for example. It's not the same as natural disasters. I don't know who picked the term disaster, but technology disaster recovery is the most accepted name for recovering your IT systems.

I have two scenarios for you. We're going to talk about the scenario of disruption, and I'm really happy that we have all these screens, because this is the only slide that I have with small font. We're going to talk about two scenarios: the more traditional scenario where a data center catches fire, or a fire impacts your assets, and then the second scenario and what the recovery looks like in a ransomware attack. They both end up with a common objective of having your systems recovered. In a traditional scenario, a fire happens, you have to evacuate people, declare a disaster, get the fire warden, whoever, to stabilize the situation. That takes a little bit of time. Depending on whether or not you have infrastructure or assets in a separate data center, it may take you time to go procure assets or to go spin up a cloud environment. So that could cause a little bit of delay, but you can directly go start doing that. So as the building is being evacuated, somebody on the other side or in a different office can start working on that recovery. Then there's the backup retrieval. I have to go get my backups. That might take time. If I'm transferring the backups between sites and the data is pretty big, that takes a little bit of time. And then the users have to verify that the data and the systems were loaded correctly. That takes a little bit of time.

But when we talk about cyber attacks, the unfortunate part is that there are extra steps up front that have to be done to make sure that what I'm recovering can be trusted, and that takes more time. And the tough part there is a lot of businesses think, well, we can recover in 4 hours. But if we think about the steps that happen, the very first thing is figuring out what just happened: quarantining the asset, making sure that we draw a circle around the assets that were impacted, investigation. Sometimes it takes some time to get the forensics people to start their job. So you can't really begin your recovery until you have someone that helps you understand, well, how far back does the cyber attack go? That forensic investigation can take time. And a lot of the time those assets, that environment, is reserved for that investigation. They still want to check a few things before they give it back to you to blow away everything and recover from backups. You also have to assess how far back do I go in the backups, and that takes time as well, because you have to know how far back the breach goes. And then we get back to the common path of, now I have to go retrieve the backups, load them, re-enter any data, and so on. So you see those extra steps that happen in the case of a cyber attack that take time.

The main objective of showing you this and telling you this is the business side has to be prepared. It's always a partnership. The IT folks, the security folks, have a role to play. But then the business side also has to be able to survive manually to the greatest extent possible, even if it slows them, even if they're operating slower manually. They have to be able to do something in parallel while you're doing all of these steps, while you're assessing the backups and doing the forensic investigation. They're not going to just sit around and wait. They're supposed to have their manual processes, and I'll give you some examples of that in a little bit.

So this kind of shows you the current state of things, why cyber resilience is a thing that we're talking about, with the common delays that come out of it. But what can we do about it? This is where the planning side comes in, and the whole planning life cycle. There are four domains that are in the resilience umbrella. So it's not just business continuity planning; that part refers to how do I continue my business operations. So I lost a supplier, or I lost more traditional things like a building because of weather or a fire.

How do I continue operating? Then there's, on the far right, the disaster recovery planning for technologies, which is how do I rebuild my systems? Both of those types of plans are dealing with recovery and resumption. Before that, there are a couple of things that have to happen. The very first one is damage control. So that's where we get into incident response, emergency response, depending on what we're talking about. If it's an IT issue, it's called an incident. If it's a fire, typically it's called an emergency rather than an incident. But it's that immediate damage control, and that needs its own plans as well. And then there's crisis management, which is basically, as those people on the ground are doing their evacuation and everything, what does the management team do? How does the management team get together, talk to the media, manage this as a crisis before we even get to those other two types of plans to actually recover and resume operations?

A more traditional example that I have for you here, where you would have to use all of these types of plans, is, let's say, there's a fire or an explosion at the main office site. People are hurt. You have to evacuate people. That's where incident and emergency response are triggered. Shortly after, the news finds out, and they start to blame the company for being very careless. The management team has to manage this as a crisis because people are hurt, the media is saying stuff about the company. They have to manage the fallout there and direct the recovery effort. And then we get to business continuity and disaster recovery, where the business has to continue operations because you just lost your main building. How do I keep serving my customers from somewhere else? And also my data center was in that building, so I need my IT disaster recovery to rebuild or recover those systems somewhere else. That's an example of a combo scenario where all of these are triggered. Same thing with a major cyber attack. It starts off as a security incident. It grows. The business has to keep working while the systems are not available. The management team has to figure out, was data stolen? If yes, what do we do? What do we communicate? And so all of these four fields, all of these different types of plans, have different teams executing them. And they all come together depending on how complex the scenario is.

I talked a little bit about crisis management and incident response. They're typically two separate teams. The team that's on the ground that's doing the damage control, they're in the weeds. At the same time, the management team is doing their part with oversight, trying to figure out, you know, engaging the lawyers, engaging insurance providers. Those two teams have to be able to talk because they have the same objective. They're trying to do damage control, contain the issue, contain the fallout. And if they don't talk to each other, it could lead to one team knowing something or having an update for another, and it doesn't help the recovery effort.

So how do we approach developing these plans? The plans are not the first step. The plans are towards the end of the life cycle. I looked at a few different standards, whether it's the ISO standard or different guidelines from the Canadian government and so on, and they all revolve around the same set of steps. It won't be worded the exact same way if you look at ISO versus something else, but these are the key steps that you have to go through. Starting with the first one: what is the nature of the business? How time-sensitive are its operations? Can I slice and dice this business into different processes so that I can assess them and figure out how to recover one by one? That's the first box. The second box, which is probably the one that you've mostly heard of, is the business impact analysis. This is where we say, okay, if this process doesn't happen, what is the impact? How bad is it? Are lives in danger? Are we going to lose a little bit of money? Is nobody going to notice because it's a strategic-type planning service? And you start to divide up the business, or departments and their activities, into time sensitivity. So

sometimes people say, you know, the criticality of a business process, but less criticality makes people feel that their process is not as important. So I'd rather focus on the time sensitivity. How bad is it? What's the fallout if this doesn't happen in each time frame? These first two steps, even if we're talking about cyber resilience, have to be done on the business as a whole, because this is the business requirement. And in the business requirement, if we go and say your scenario is only cyber attacks, people start to theorize and say, okay, well, I only need a cell phone for this process, so there's no impact. And we end up with a different set of time sensitivity impacts for those processes. So for the first two, you have to say, regardless of what type of disruption, how time-sensitive is this business process? For the remaining steps, this is where we get to say, okay, I don't have that much capacity to plan for every scenario that I showed you on the list before; I want to focus on cyber attacks, whether it's just against my company or against key vendors. The next four steps are, and sometimes a couple of these steps are glossed over, the risk assessment and the resilience strategy. I find sometimes programs go from the business impact analysis, you have your business requirement, straight to developing a plan. But there are prerequisites that you have to have in the plan that could make or break it.

So the reason we do a risk assessment is to figure out how exposed we are to these scenarios, especially if we're talking about multiple scenarios. For example, if we're talking about my suppliers getting breached, you slice and dice your suppliers and think about the criticality and how strong they are and what's the likelihood of them being disrupted, so that you can prioritize stuff in the next step, which is the strategy. Another example that I'll use here: let's say we have a remote workforce or remote sites. We're worried about telecommunications disruption because someone may need to report a safety incident. Maybe we get them satellite phones. So in the risk assessment, we say there's a risk: we have a single point of failure on communications. In the strategy, my strategy is I have to go buy satellite phones and train people on how to use them. And then we get to the plan development, where we say the satellite phone is on the wall over here; here's how to use it if communications are disrupted. Same thing with any type of disruption, especially for cyber attacks. There are things that we have to put in place. The easy example is backups. If we just go straight from the business impact analysis, my recovery target is one day, directly to the plan, the plan says go get the backup. But if you don't invest in the right backups, it's not going to help you. And so you have to go through the process of at least having that strategy to say we need to buy things, we need to put things in place, whether it's redesigning a process, buying something, setting something up, in order for the plan to succeed. And then we develop those plans. And once we develop them, we train and exercise them to make sure that people know how to use those plans.

Zooming in on each of these boxes. In the business impact analysis, like I was saying, this has to be what we call an all-hazards approach, which is, regardless of why you can't do your work, why you can't do this particular business process, such as accepting payments or paying your employees, you can't operate this process. What's the impact? How fast are people going to stop showing up for work? How fast are customers going to go to your competitor if you

can't accept payments? And so we divide up the organization into these processes. We have that list, and we assess the impact of them over time to figure out at which point, what's my business requirement for recovering this particular process. Risk tolerance comes into play here as well. If you have less risk tolerance, those time frames are going to be shorter, but then the investment is going to be bigger in making sure that those processes are resilient. The second bit is: what are the resources that I need? It's not enough to say my business impact analysis says four hours for that process, or five days for my payroll service. What do you need? What's the minimum that you need to make it happen? And when we talk about cyber attacks, we're talking about, I need this particular data, my time sheet data, and I need my payroll vendor, my payroll processor. So that's a vendor and a system, each of which could experience a cyber attack. I need those two to be able to process payroll.

A bit of a pitfall, like I was talking about: it should be assessed in an all-hazards scenario, but when you get to that step of identifying the dependencies, that's the line in the sand where you can say, okay, now we can be specific to the scenario. So I don't need to know which building you process your payroll in. I just need to know what are the technology bits that you need and what are the third parties that you need. There are other types of dependencies, like people. This was a big one in the pandemic: only this person can approve payroll. If you're doing the broader business resilience program for the whole company, that's when you get into all the resource types, whether you have specialized equipment, a specific type of machine, a facility that you need. That's when you would expand it and collect all those resource types. But specifically for cyber resilience, I would say definitely your systems and data, but also suppliers or third parties, because those companies are not immune either.

A bit of a tip for running the business impact analysis. Sometimes I find people start it from the very back office of the company. They start with IT and all the support functions and say, "What's your time sensitivity?" But it's very hard for them to answer that because they're a service provider internally to the rest of the company. And so in an example here, I have groups of processes of a typical manufacturer. Let's say you have a factory, you're producing something. You can group it down, if you start from the end of the process. We have shipping, and typically that's the easiest one to answer the criticality for, because you have contracts that say you have to ship out the product this fast. Before that you have warehousing; you know how much inventory you have. So if I stop production for two days, I run out of inventory. And so that gives you clear lines in the sand for time sensitivity: how long shipping can be delayed, how long you can stay without your inventory. And you work that backwards towards, well, okay, I have to replenish that inventory, how time-sensitive is manufacturing, planning for the production, getting raw materials in the door, and then all the support functions basically inherit those time frames. So let's say you have a week's worth of supply of your products and you have to ship out every two days. You can focus on making that shipping process more resilient, having that customer information and the routing plans, and then manufacturing can actually survive a few more days longer because you already have that minimum inventory at all times. And you start working backwards, which alleviates some of the pressure on the support functions because they don't have to recover as fast as those processes at the end of the chain.

And then we get to assessing the exposure, which is basically the same step as the risk assessment. So we just talked about slicing and dicing the organization, assessing the time sensitivity, figuring out the dependencies. Now that I have all of this as the business requirement, how exposed are my assets? I depend on this internal system, I depend on this outsourced external system, I depend on this particular third party. You would look at it and say, okay, step one, identify the threats to each of those assets, mapping

that these assets are supporting those five processes; what are the safeguards I have in place, so that I can start by investing in the most exposed assets, and then figuring out a plan, which is the strategy, on what to do about it. An example of things to look at, if we're talking about an internal system: you can actually do some scoring for all of these things. So if a system is used across the whole company, the risk score for it goes up, and therefore it's more business-critical. If the current recovery capabilities are low, the risk score goes up because the system is now more exposed. If I have a manual alternative, the risk score goes down because I can make do without the system. Similarly, if we look at third parties: do I have contractual safeguards that push the third party to give me an exercise result every year showing that they do have these resilience capabilities in place, that they have their own disaster recovery in place? Do they have a good track record? Because if they have a bad track record, their risk goes up and they need more attention. They need more of your time to either plan around them being disrupted or help them figure out how to become more resilient.

The example that I'll use here is for the last criterion, the availability of alternatives. How difficult is it for me to switch suppliers? I had a client in the manufacturing industry, and they only had two suppliers that could service them for starch. What does the starch have to do with it? Not much, but it's a company that gives them a raw material. And if that company can't do their production, if that company gets breached, all of my client's production would stop. And the alternatives in the market, well, there were only two of these producers, and it was already starch. For those of you in manufacturing, you would know that starch is in high demand. And so it's not very easy to replace them. And so that can't be my strategy. My strategy has to be focused on, well, do I stockpile more starch in my factories, or can I work with the supplier to make sure that their process is more resilient to cyber attacks, because they're a critical supplier?

When developing a strategy, there are three pieces to look at. Typically prevention: we don't want the cyber attack to happen in the first place. But if it does, we have to have response plans in place as well, and that's where we develop the plans. And then recovery capabilities: you need to have the prerequisites, such as good backups, tested backups, to be able to do that response. On the prevention side, this is all the typical security guidelines: segment, make sure that you reduce your attack surface, all of these typical security guidelines to make sure that the breach doesn't happen in the first place. That's pretty interrelated with a resilience strategy. And so you don't really have to double up, but if you identify more exposures, that's when there's overlap with a typical security strategy. In the middle part, that's where planning comes into place. We want to make sure that we're ready to respond when a cyber attack does happen. And on the recovery side, this is where, how do we activate manual workarounds? Do we reallocate personnel? Do I get temporary staff to help me with manual processes? Making the decision to rebuild systems, and all the prerequisites. All of this has to be addressed in the strategy. So if I have a lot of gaps around recovery, that's where the strategy would focus.

There's the concept of two safety nets. I alluded to this earlier when I was talking about how the business side, the business operations side, has to do something. If you think about it, resilience is two safety nets. The first one is the systems are not available; can the business keep going manually? The second safety net is recovering the systems. And we always want to have redundancy in our controls. We don't want to have a single point of failure in those controls. And so in the first one, depending on the type of operation, you can have paper forms. There's a whackload of alternatives for being able to do something manually. Even if it's manufacturing, there's machinery that can run

uh manually. You can print manually your your labels and stick them on the products. if you have a pre-built template. And so there's that whole first safety net of the business has a responsibility to do to to be able to survive at least a day or two, for example, uh after a cyber attack. And in the meantime, at the same time, the second safety net is all the IT and security folks working on quarantining, investigating, and and bringing back those systems. And both of them work together at the same time. Nobody should be sitting around and doing nothing. There's always a piece to do under those two safety nets. Um there's also the concept of a couple

of uh big red buttons. Um and and I I quote I take this from a from from a previous client. Um they were asking me, you know, is there a big red button I can just push and it does something and it saves me. And while that doesn't really exist, there's there's a couple that I a couple of ideas that came up out of that conversation where I think they're worth mentioning. The first one is the concept of site survival. And the idea here is that um especially for um if you have a lot of branches or if you have a big geographic footprint or or your network has a big footprint um the concept of isolating an infected part of

the network. Uh so we talked a lot about segmentation but you you can't always segment everything so that it doesn't talk to each other at all. Um, wouldn't it be great if you had a button that you can push that says, you know, this this branch has been infected. Just just just chop off their access so that they can't infect and spread to the rest of the the the the rest of the corporation, the rest of the network body. Um, we ended up establishing basically a protocol where if one of my clients factories were uh if they detect a cyber attack in one of them, they would basically turn that off uh turn off the connection. Um

and if it was in the head office, they would basically terminate the connections with all of their factories. So that you know, even though corporate is is experiencing um a cyber attack and it's the most important, you know, ERP system, there's a protocol manually for how the factories can continue to do their thing, survive as a site um without the support of head office for several days. The other concept or the other big red button is um alternative communications. Um in in in several cyber attacks you see uh communications are compromised email you know the attackers have access to your email and so you need a way to coordinate to be able to um notify people issue

instructions out of band. So um you can use cell phones if it's you know if it's a small group of people if it's a bigger group of people there are services out there that are completely out of band not connected to your to your network um that help you communicate with a mass group of people. So we talked about doing the risk assessment. You have your business requirement, assess the risk, develop a strategy, then we get to the planning and sometimes I see plans that go straight to the procedure. So you know it's a checklist or you know one two three do these things but there are more things that are needed in in a plan. Um

setting the context and scope of a plan; the authority to activate the plan, because sometimes activating the plan has a financial impact. There's a cost with dropping what you're doing and switching to this temporary mode of operations. Roles and responsibilities, so that you know who's responsible for doing and executing which part, so that we're not running around like headless chickens. The required communications. So not just the minimums, but what are the communications channels? So, you know, when the plan is activated, the person filling this role has to notify these people. This person goes and talks to

the media, this person does this and that, and so you need to have that, and what are the approved channels to do that. And then we get to the detailed recovery procedures, which is the bulk of the plan, which is where you say, you know, step one: you know that the systems are not available, so grab the printed forms or whatever it is that you need and start operating that way, and here's a guideline on how you operate that way. Sometimes I see plans that say, here's a list of all the alternatives that are available, but that doesn't help staff select. If they were sequenced,

it would work. But sometimes I see plans that just say, you know, here's a list of 15 things, or 10 different ways that you could communicate, or 12 different things that you could do. And that sometimes confuses people because they don't know what to pick first. So the protocol has to be: if this is the scenario, the system is down, here's what you can do. And then we have a bunch of appendices that have to go in the plan to help people with anything that's pre-built. So whether it's a form that needs to be filled out with multiple copies, any type of extra guideline, contact

information, all of that would go in the printed plan or the offline plan. And then once we have the plans, and we talked about there being different types of plans, so there are business continuity plans, crisis management plans. They follow a similar structure. How do I activate the plan? How do I declare a crisis, declare an incident? And you would go through the same things: you have communications, you have roles and responsibilities. So they would look and feel the same. It's just the actual protocol that's in them that's different. And then we get to the last part before maintenance. It's the training and exercising. And I'm not going to read all of these for you, but

there are a ton of benefits to being able to do training and exercising. We want to make sure that, you know, now that we documented a plan... typically plans are developed with a small group of people, but it's a much broader group of people that have to follow them. So if you look at the roles and responsibilities, it typically has more people listed there than the people that were involved in developing the plan. And so we have to explain it to them, walk them through it, and then give them a safe environment to practice the plan and be able to run through and figure

out what's expected of them. And because a lot of the time they're experts in their areas of operations, they would be able to raise issues and say, you know, that template is wrong, or the order of the steps is wrong, I have to do this before that. And that really helps you establish a really solid plan. A couple more comments on how to put it all together. So just some closing thoughts that didn't really fit any particular place in the presentation. Keeping the business involved. So even though we're talking about cyber attacks, half of the

fight is how the business is going to survive while IT and security are working on recovering and containing that cyber attack. So typically business resilience is a business-wide responsibility. It's not the CISO or the head of security that's supposed to be responsible for it. Cyber resilience is usually tagged to the security person, but half of it is the business: the business has to do their recovery planning, and it's not the IT folks that will know what the best manual workaround is going to be. So it has to be a joint effort. The second one is keeping it practical. So we're talking about survival mode. We're not trying to

duplicate and create a copy-paste of the company. We're trying to do the bare minimum to survive, the bare minimum to make sure that the company stays in business, and then we slowly expand on that. As you continue to mature, you can do more and more so that you're not doing the absolute bare minimum; you're doing a bit more in terms of the level of operation in recovery mode. Understand the appetite for investment. So this is a good one to have up front, because sometimes we develop resilience strategies and we go in at the end and we understand that there's no budget, or there's a really tiny

budget, and so it doesn't really help you, because you picked a bunch of things that need to be done but they can't prioritize, because they don't want to spend that much on it or they didn't have that much reserved for it. And so that would have helped before you develop a strategy, so that you can pick more cost-effective methods, maybe if it takes longer, if the recovery time frame needs to be longer. It's helpful to know the appetite up front. Investing across the life cycle. So not just focusing on preventing cyber attacks and making sure they never happen, and then not focusing on what

happens after a cyber attack hits. We have to focus on the response itself and the recovery as well, across the life cycle, and then look at where we're less mature and bring that up first. The next one is looking outside the box. So not just thinking outside the box, but not looking at a company as an island. No company, or very few organizations, operate purely on their own. There's always a supplier, a third party that you're depending on. If you look at bigger corporations, they use thousands of suppliers. A few percent of those suppliers are the really critical ones. Those are the ones that you would focus on when

assessing the risk of third parties. But always look at your ecosystem, not just your own company. And then the last one is collaborate with your industry. So a lot of industries are pretty friendly; they'll collaborate with other players in the same industry, go through industry associations. Recovering a particular manufacturing process, recovering an administrative process, recovering systems, it sometimes looks similar across similar companies. The example that I'll use is schools. The recovery process for a high school, or if you take 20 high schools, you're not going to have 20 different recovery plans or business continuity plans. They're going to look

the same. And so it's beneficial for those groups of schools to get together and plan together, or at least share ideas, because the recovery looks pretty similar. The last thing that I'll leave you with is a bit of a call to action. So I have four questions for you to think about. Think about your critical service providers. So what's the number one most critical service provider that you have, and if that service provider, no matter how big or small they are, if they're breached, can you survive for a week or two without them? Because that's happened in a lot of cases, and you'll find plenty

of news stories where a particular company couldn't operate for a week or two. And so can you withstand that kind of disruption, for any company out there? I'm not saying all your service providers will be breached at the same time, but pick one and see what would happen in that one. The second one is think about your payroll. Whether it's the particular bank that you're working with, whether it's the payroll provider: if you don't make payroll, and it's the day before payroll and there's a breach, how fast are people going to stop showing up for work? There are some businesses where people would keep

coming for a month; there are some businesses where, you know, three days and they're going to stop, and that has a much bigger impact on the business. Think about your damage control. So how confident are we that we will detect a cyber attack early, and that we can have the right containment, and that we know how to quarantine an attack before it spreads? And then think about your recovery. How fast can I rebuild my systems? Especially in the scenario of a cyber attack where the primary infrastructure, the primary assets, are off limits because the forensics people are doing their part. And so I just wanted to leave you

with that. I promised you I would bring up the not-suspicious QR code again. I'm kidding. It just goes to LinkedIn, but I welcome your

questions. Awesome.