A coffee break Q&A with Alexander Rau: “Cyber resilience is a marathon, not a sprint”
In this Q&A, we chat with Alexander Rau, a partner leading KPMG’s Technology Risk Consulting Advisory Practice, about what organizations should watch out for in the changing landscape of cyber risk and how they can enhance their crisis resilience. With over 20 years of experience in cybersecurity management, IT and privacy, consulting and strategy, Alex is a keynote speaker, educator on next-generation threat prevention and resilience methodologies, and member of the KPMG Global Cyber Response Steering Committee. Having enjoyed many chats with Alex about risk trends, I am delighted to share this conversation with my network.
Natalia
Alex, you lead a busy cybersecurity practice responding to incidents across industries and working with clients to build resilience before, during and after cyber events. What’s top of mind for you right now?
Alex
We are still in an environment where most threat actors – located maybe in Eastern Europe, Asia or the Middle East – attack organizations all over the world. Canada is no exception. What’s changing is how these threat actors are getting to their victims. We see more third-party attacks. They target entire supply chains where a breach of one victim may cause a domino effect across a large web of clients, suppliers and partners. Not a cyber attack, but a recent example of an outage disabling 8.5 million Windows devices after a faulty software update shows how tightly digital networks are interconnected.
In a third-party attack, companies that have contracts and service-level agreements (SLAs) with victim organizations are impacted, too. If the breached party holds your organization’s data, you are still the custodian of that data. We have seen cases where companies are not even aware their provider had a breach. They learned about it in a dark web search or from a threat actor contacting them: “Listen, we have your data, please pay up.”
Unfortunately, I still see the mentality of: “Why would anyone want to target me?” The problem is, threat actors go after everyone. Their resources are almost limitless compared to what we have on the defense side. They have the tools and can take all the time in the world to break into an organization and extort it for money. Even if a company has strengthened its own cyber defences, it may still be vulnerable to third-party exposure through its products, partnerships and integration in broader supply chains. This is its Achilles’ heel. Threat actors don’t necessarily target specific organizations. They can “spray and pray” across lots of potential victims. That’s why, in addition to beefing up individual cyber defences, organizations should take steps to boost collective resilience.
Natalia
That sounds daunting. Are there any other risks top of mind for you right now?
Alex
Zero-day vulnerabilities. They are very difficult to defend against because nobody is aware of them. That’s the nature of a zero-day vulnerability. Think of it as a secret door to the house. The owner does not know it exists. The thief opens that secret door and sneaks into the house. In this type of security flaw, developers, quite literally, have zero days to address it. It comes down to what I call “security 101” – trying to detect an attack before it becomes a “cyber breach” – before it has an impact on the organization. Detection and early response are key. Ideally, you need additional security controls in place – for example, an alarm system that will notify the owner of the house if someone enters through the secret door.
Natalia
Are there any new patterns of threats related to AI technologies?
Alex
AI is a blessing and a curse. Any technological breakthrough creates advantages for defenders. With security tools enhanced with AI capabilities, we can detect and respond to threats much faster and with a lot more accuracy. For example, defenders use AI for attacker attribution. Going through a lot of data and logs, we analyze them better and speed up a detective response to a cyber breach.
But there are also risks. What I am seeing with AI is what I call a script kiddie phenomenon. We now have tools available to everyone who can write ransomware within seconds. Threat actors could be sitting in a basement or garage somewhere across the world writing their own ransomware code. With these unknown players, attacker attribution becomes really difficult. Normally, when we deal with a specific ransomware tactic, we know the ransomware actor and how they typically behave. We are familiar with the indicators of compromise they are using, and that helps us with containment and recovery. With AI, we’ll have a new cast of unknown actors. If they want to make money, they can write a whole ransomware attack, go out there and destroy organizations from their garage.
Natalia
In our earlier conversation, you said no plan survives first contact with the enemy. Should organizations have a separate formal incident response plan for cyber security scenarios, or should it be part of existing business continuity or crisis management frameworks? Is there a best practice around this?
Alex
Organizations need both. Incident response plans should be aligned with the overall crisis management frameworks – based on the same principles, processes and mindsets. For example, whether you are dealing with a cyber outage caused by ransomware or a technical outage resulting from a router going down in the network infrastructure, processes in the overall disaster recovery or crisis management program will be really helpful. How individuals involved in a cyber event escalate the issue and notify the crisis team, and how crisis team members make decisions about what needs to happen next and how they will approach internal and external communications, is not something unique to digital threats.
That said, regardless of what that operational model for business continuity and crisis management looks like in a specific organization, there must be a dedicated cyber incident response plan. A cyber breach is very different from other incidents, such as a fire, flood, shooting, epidemic or service failure caused by an employee error. The incident response plan should reflect the unique nature of cyber threats. It must have actionable guidance on how they can be addressed within the organization and its business ecosystem.
For example, from an investigative and forensic perspective, there are significant differences in how an organization recovers from a technical outage versus a cyber outage. If you have a piece of hardware that fails, you go ahead and replace it. In many cases, this rip-and-replace approach is how you recover the fastest. If you are dealing with a ransom environment, there is also a forensic methodology and investigations to follow. These processes are necessary to secure evidence, find the root cause of the incident and determine its impact on the organization. In a ransomware scenario, we need to investigate what data was accessed and how much of it was exfiltrated. There could be a risk that hackers release sensitive or personally identifiable information (PII). It comes with its own set of considerations and processes around privacy. The release of personal information may involve legal and reputational repercussions. A cyber incident response plan allows for the time needed to complete the investigative, forensic, notification and other steps that may be required before we go into the recovery phase.
Natalia
What are the differences between technical and cyber outage scenarios from a communication perspective?
Alex
Organizations need to be very careful about what they say early on when they find out about the incident and how they update that narrative based on what they learn in the first couple of days. Many teams – for example, in airports or manufacturing companies – are very good at responding to physical incidents. I am thinking of a tabletop exercise we had with an airport. If there is a plane in trouble on the tarmac, within thirty seconds fire engines are there. Within two minutes, somebody is in front of the media with a microphone – for example, saying there is an incident at the airport; nobody is hurt. In a physical event, such as a fire, you want to communicate with stakeholders and the public. You update them early, often and with a fair amount of detail. For example, you could say: “We’ve sent in firefighters. The fire is under control.”
In a cyber incident, the impact is not immediately obvious. It takes time to trace the origin and scope of the breach. In the first 48 or even 72 hours, we may still be triaging what kind of incident we are dealing with, how many records have been impacted, whether they have actually been stolen and what the impact on the organization is. Defenders have to work meticulously to find out what was accessed and what was exfiltrated. There may still be a lot to learn. Could there be privacy implications? Has the threat actor gotten hold of confidential data and personally identifiable information? Access is a privacy breach already. We are seeing many threat actors claiming they have stolen data and are going to release it when, in reality, they didn’t take it. In some instances, they have found the data online from a previous breach and are trying to re-extort the company.
Throughout the cycle of managing a cyber breach – and especially in the early stages when there could be more guesses than confirmed facts – organizations need to make sure they don’t say something they may backtrack on in the next few days or weeks. Communications should be targeted to the stakeholders impacted. They could be internal or external. Finally, organizations should be up to speed with the privacy and data security laws in the jurisdictions they operate in, which are becoming more and more stringent in Canada and across the globe. For example, if there is a personal data breach, companies may be required to notify relevant regulators, as well as stakeholders affected, within 72 hours.
Natalia
Crisis communicators are very sensitive to the golden hour of response. We know that, if we don’t respond quickly, we risk losing control of the narrative. Would it be fair to say that, in a cyber breach, we should balance that need for speed with the caution not to jump the gun on premature assumptions?
Alex
“Jumping the gun” is a good metaphor as it points to two common mistakes. First, many organizations tend to underplay the seriousness of the situation. For example, they would say: “We responded to the incident. We got it under control. Only a small fraction of our customers were affected. No data leaked. We are back in business.” Then, five days later, they may need to go out with an update that reverses the initial message: “By the way, our investigation has actually found that data was taken. We are still dealing with the incident.”
Organizations should avoid presenting initial assumptions as certainties. Cyber breaches could be complex, evolving situations. Some threat actors come back. They may access client or partner networks, in addition to the organization they entered first. You need to work with forensic, incident response and technology teams, and until you know that all investigation has been completed and threat actors are no longer in the environment, you should not have messages in your statements you would have to revise later.
The second mistake is not considering an event as a potential cyber incident. For example, critical infrastructure is hit. The organization deals with the incident with their normal physical event response playbook. Two weeks later, they find out that the incident was actually caused by a cyber threat. Cyber attackers stole data. They may have the full names, email addresses and employee role details of the clients. In addition to responding from a physical recovery perspective, the company now has to reveal a broader extent of the breach. For example, it may need to admit that more clients could be impacted.
Natalia
Executives who operate in terms of certainties and solutions may be reluctant to communicate about the incident internally until they have all the facts. But if they wait too long, someone in the organization may learn about the breach and think: “We have a serious situation, and our company is keeping it under wraps. I don’t like this.” A whistleblower can take this to the media – sometimes, without knowing the whole story. Could a communication delay be a risk as well?
Alex
If the incident is serious, the organization should communicate with its employees first, giving them the right context. This should be in the crisis communications plan. You always need to communicate with your people first. Updates stating what you know and acknowledging what you don’t know will give them confidence that the management is on top of the issue. Again, samples of such internal communications should be in the plan for different cyber event scenarios. Communicators can use them as a starting point. Finally, employees should be aware of the policies and processes to channel all external communication through one team that is responsible for it. They should know who they can speak with internally if they have questions and understand they are not supposed to talk to the media or social media about the incident unless they are the company’s spokespeople. These considerations should be part of cyber security training, too.
Natalia
Can you talk more about the training needed to enhance cyber resilience?
Alex
The most common form of training is tabletops. These are exercises simulating potential cyber scenarios in a physical or remote training room. They could be technical, executive or communication-focused. Ideally, in addition to the organization’s crisis team, participants should include a broader group of external partners, such as a privacy lawyer and colleagues from third-party organizations in your digital network. The goal is to spot preparedness gaps and refine incident response plans. Most importantly, tabletop exercises train the organization’s muscle memory. When a cyber incident happens, there’s always the chicken-with-the-head-cut-off syndrome. But what we find is that organizations that have done tabletops and have incident response plans get over it quickly. They roll up their sleeves and get to work because the muscle memory from the training is there. These organizations recover way faster.
Natalia
What external resources do organizations need to consider to boost their cyber resilience?
Alex
First, organizations should have a breach coach. That is a privacy lawyer who will make recommendations: “In this situation, you should probably consider this.” Second, they need a forensic response firm. That’s the team that will help with the containment, root cause analysis and recovery. Third, there should be a relationship with a communications firm that can engage as needed. These are my top three recommendations. In addition, organizations should consider having a cyber insurance partner.
Getting through a cyber breach is not a sprint. It’s a marathon. Members of an internal crisis team don’t necessarily have ready answers to such questions as: “Should we pay ransom?” or “Should we engage with the ransom actor?” or “Are we prepared to restore our data from the backup?” You need a team of experts by your side who can guide you through the intricacies of a cyber breach, removing some of the stress of the unknown.
Natalia
How do you make sure these partners work well together?
Alex
First, get your leadership team familiar with who you’ll be dealing with when there is an incident. As I mentioned earlier, ideally, you should engage these partners in tabletop exercises and simulations so they know you already when the breach hits. Teams always go through forming, storming, norming and performing phases when there’s an incident. The sooner you get to know each other and play well as a team, the faster you move and make decisions when timing is crucial.
Natalia
This has been a great chat, Alex. Any final words of advice for organizations that want to up their cyber resilience?
Alex
Don’t wait until it’s too late. Incidents will happen. Organizations should use all resources and technologies available to them to look for threats and stop them before they become cyber breaches. Yes, resources are always limited. Not enough time. Not enough money. Not enough people. But prevention is always better than cure. Managed detection and response companies can monitor for cyber threats with much better ROI than the organization itself.
Natalia Smalyuk is an award-winning advisor and trainer with a focus on strategic communication, crisis resilience and stakeholder engagement. She runs a Women Business Enterprise (WBE) certified consultancy called NBAU. What is NBAU? Not Business as Usual. Why NBAU? Because there’s no such thing as business as usual for leaders who think ahead and see a landscape of opportunity — and risk — across the uncharted global space. NBAU supports organizations in building resilience before, during and after adverse events with a unique crisis planning and training model that broadens the understanding of crises and enables positive action in an uncertain world.