Sep 18 2023

Steps CEOs Should Follow in Response to a Cyberattack

Category: Cyber Attack,Information Securitydisc7 @ 2:12 pm

Over the years, numerous individuals have sounded the alarm about the increasing cyber threats, and several have provided insightful guidance on enhancing an organization’s security and resilience. To gauge the adequacy of your efforts, consider the following three questions: Firstly, have you recently engaged in a cyber tabletop exercise? Secondly, is the contact information for your chief information security officer stored in a location other than your work phone or computer? (Keep in mind that if your company’s networks fall victim to a ransomware attack, your work devices might be unreachable.) Lastly, are you aware of your government liaison in the event of a cybersecurity incident?

On May 7, 2021, Colonial Pipeline, a crucial fuel supply network for the eastern United States, suffered a ransomware attack and chose to halt its operations. This decision triggered a broader crisis, resulting in fuel shortages and skyrocketing gas prices at thousands of gas stations. The incident highlighted the intricate connection between physical and digital infrastructures.

In response, the U.S. government took action, with Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Energy Jennifer Granholm addressing the public on May 11, 2021. They reassured the American people and explained the government’s efforts to mitigate the attack’s impact, urging against panic buying of gasoline as the pipeline was expected to be operational again soon. This incident underscored the vulnerability of critical infrastructure to cyber threats and the importance of a coordinated response.

Significant Implications:

The Colonial Pipeline ransomware attack had significant geopolitical implications. It prompted direct engagement between President Biden and Russian President Vladimir Putin, highlighting the seriousness of the situation. This incident emphasized the critical need for stronger cybersecurity measures, especially for vital infrastructure like Colonial Pipeline. It served as a stark reminder that cyber threats can have far-reaching real-world consequences. The incident has had lasting effects, reshaping the roles of CEOs and industry leaders and influencing future cybersecurity considerations.

One notable outcome is the way CEOs are reevaluating their roles and responsibilities. The CEO of Colonial Pipeline, Joseph Blount, faced the difficult decision of paying a $4.3 million Bitcoin ransom to hackers, describing it as the most challenging choice in his 39-year career. This dilemma of whether to pay ransom or risk severe disruption has garnered attention from CEOs, who are keen to avoid public scrutiny and congressional hearings.

In light of this and other recent incidents, here are six recommendations for CEOs to consider:

  1. Prioritize cybersecurity as a top-level concern.
  2. Invest in robust cybersecurity measures and incident response plans.
  3. Foster a culture of cybersecurity awareness within the organization.
  4. Establish clear communication channels and relationships with relevant authorities.
  5. Assess the potential impact of cyber incidents on critical operations.
  6. Develop a strategy for handling ransomware demands that aligns with both legal and ethical considerations.

These recommendations are essential in an era where cyber incidents can quickly escalate to national security crises, demanding the attention of the U.S. president, and where the role of CEOs in responding to such threats is under increased scrutiny.

Exercise caution when communicating with the public.

A run on banks is a classic example of how public reactions and group psychology can exacerbate a crisis. Recent instances such as the rush for toilet paper during the Covid-19 pandemic and the panic at gas stations following the ransomware attack demonstrate that this issue goes beyond financial institutions.

Being cautious in how and what you communicate to the public doesn’t mean avoiding public communication altogether; it’s a necessity. However, companies must approach this with careful consideration. The Colonial Pipeline incident serves as an example, highlighting that even companies not accustomed to regular public engagement may suddenly find it necessary.

Collaborate with government authorities.

Colonial Pipeline’s swift decision to shut down its pipeline system was necessary, but it could have allowed for consultation with U.S. government experts. The shutdown, regardless of infection, would lead to days of disruption in the fuel supply chain, necessitating government intervention due to the serious consequences. Effective coordination with the government is crucial to prevent an unintentional worsening of a crisis.


Be aware of who to get in touch with. Updated Incident handling decision tree.

CEOs must have the knowledge of the appropriate government contacts to facilitate informed decision-making and effective coordination. Contacting entities like NATO or the military, as some anecdotes have indicated, is not the correct approach. However, at times, the government may not make it straightforward for external parties to determine the right person or agency to reach out to, underscoring the government’s responsibility to offer clear guidance in this regard.

Establish a Incident Handling plan and put it into practice.

This point is paramount, as it serves as the foundation for achieving other objectives. Besides creating and maintaining a plan, ideally under the CEO’s supervision, it’s crucial to conduct annual practice sessions, such as tabletop exercises. These exercises help company leaders and employees develop the necessary “muscle memory” for responding efficiently during actual crises.

Know your infrastructure.

Ideally, a CEO should possess a high-level understanding of how a company’s business IT networks and operational technology (OT) networks interact. In cases where systems are isolated (air-gapped), it may not be necessary to shut down the OT network if a compromise is limited to the IT network. However, the Colonial Pipeline ransomware attack illustrated that even the incapacitation of business IT networks can have substantial repercussions. In scenarios where a company is unable to generate invoices, identify customers, or establish contact with them, the resulting disruption can be as disruptive as a complete production halt. This was evident to anyone who has been stranded at an airport due to an airline’s IT system outage, experiencing firsthand the disruptive consequences.

Demonstrate humility and actively seek expertise from professionals.

Cybersecurity is a complex and multifaceted challenge that varies significantly across different sectors, such as pipelines, finance, healthcare, education, and transportation. Recognizing the limits of expertise, including that of cybersecurity professionals, is a crucial insight gained from years of cross-sector cyber incidents. CEOs should not hesitate to seek external assistance when developing, testing, or refining cybersecurity plans or reviewing existing processes and policies within their organizations. Additionally, there are numerous detailed resources available, including guides and checklists tailored for CEOs, board members, and Chief Information Security Officers (CISOs). The U.S. government, through agencies like the Cybersecurity and Infrastructure Security Agency (CISA), offers resources like Stopransomware.gov and Shields Up, designed to cater to companies at different levels of cybersecurity maturity. These resources are valuable tools for enhancing cybersecurity preparedness.

An Executive Self-Assessment:

In addition to the numerous warnings and valuable advice regarding the growing cyber threats, three key questions can serve as a practical self-check to assess an organization’s cybersecurity readiness:

  1. Have you recently participated in a cyber tabletop exercise?
  2. Is the contact information of your chief information security officer stored outside your work phone or computer to ensure accessibility during a network compromise?
  3. Do you have IHP one page summary and know your contact for cybersecurity incident reporting?

If the response to any of these questions is “no,” it’s essential to take action to enhance your organization’s cybersecurity preparedness. This proactive approach can significantly improve protection, prevent potential crises, and contribute to national security.

Source: https://hbr.org/2023/09/6-actions-ceos-must-take-during-a-cyberattack

Your System’s Sweetspots: CEO’s Advice on Basic Cyber Security

In what situations would a vCISO or CISOaaS Service be appropriate?

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CEO, cyberattack


Feb 21 2022

BEC scammers impersonate CEOs on virtual meeting platforms

The FBI warned US organizations and individuals are being increasingly targeted in BECattacks on virtual meeting platforms

The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests

Cybercriminals are targeting organizations of any size and individuals, in BEC attack scenarios attackers pose as someone that the targets trust in, such as business partners, CEO, executives, and service providers.

Scammers use to compromise legitimate business or personal email accounts through different means, such as social engineering or computer intrusion to conduct unauthorized transfers of funds.

Crooks started using virtual meeting platforms due to the popularity they have reached during the pandemic.

The Public Service Announcement published by FBI warns of a new technique adopted by scammers that are using virtual meeting platforms to provide instructions to the victims to send unauthorized transfers of funds to fraudulent accounts.

“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.

Crooks are using the virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive and business information.

Below are some of the examples provided by the FBI regarding the use of virtual meeting platforms by crooks:

  • Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake1” audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
  • Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
  • Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.
BEC virtual meeting platforms

Below are recommendations provided by the FBI:

  • Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

Tags: CEO, scammers impersonate