
Jamie Knobles
Director of Cyber Resilience and Readiness
Immersive
PRESENTER


Mandy Huth
SVP, CISO
Ultra Clean Technology
PANELIST


Mo Balakrishnan
Director, Information Security
University of the Pacific
PANELIST

MAY 2025
This was a sponsored session.
Deepfakes are adding a new threat dimension in today's rapidly changing digital world and are corroding the trust in what people see and hear. With the increase in AI-powered attacks, the threat landscape is evolving at an unprecedented pace, and threat actors are becoming increasingly sophisticated. In order to combat these attacks, organizations are strategizing on multi-layered approaches, like employee education and more secure authentication.
Recently, the San Francisco CISO Community had a virtual town hall hosted by Immersive where participants delved into the profound implications of GenAI and deepfakes, highlighting both their potential and the risks they pose. Jamie Knobles, Director of Cyber Resilience and Readiness, Immersive, led a realistic cyber crisis simulation to test and discuss how to make organization-wide decisions in a crisis.
Community members then debated and voted on each step based on a list of possible responses. San Francisco CISO Governing Body members Mandy Huth, SVP, CISO at Ultra Clean Technology, and Mo Balakrishnan, Director, Information Security at University of the Pacific, provided commentary on the scenario and facilitated the discussion.
- In the interactive session, executives learned that "The Puppetmaster" infiltrated their company's vital communication networks, wiping digital conversations, messages, files and connections. An emergency all-hands call is scheduled, and the audience is asked what messaging strategy they will share on the call.
Executives voted to treat this incident as a security event and caution employees against using external tools. The discussion leaders emphasized the importance of activating an incident response plan (IRP). They highlighted that organizations should rely on their IRP to guide decisions, avoiding ad hoc choices during crises. For those without a mature IRP, consulting cyber insurance providers for incident response platforms was suggested.
- In the second step of the scenario, the organization faced a communication breakdown during the all-hands call, compounded by an audio message from The Puppetmaster. With the primary communication platform compromised, the organization had to pivot to alternative methods.
The discussion leaders recommended a mix of channels, using email for general updates and personal contact for key employees. They stressed the importance of containment and involving cybersecurity insurance and external counsel. Most participants opted for a hybrid approach, combining personal contact with key stakeholders and use of other secure channels like email for general updates.
- Next, the scenario revealed that fragments of internal communication were being leaked, including complaints, HR discussions around layoffs and private conversations. A deepfake of the CEO was then shown to the company, creating a false narrative.
The majority chose to publicly acknowledge the leaks and deepfake, initiating an internal investigation, while some advocated for reassuring employees and clients. Knobles suggested a hybrid approach, combining the two solutions.
- Operational disruptions and data corruption were at play as the scenario escalated. All company devices then received an unverified security update.
The majority of people voted to shut down all company systems and restore them from an older backup. Others suggested restoring from a recent backup or staying online and attempting to restore from a backup while operating.
This decision brought the threat to a standstill, but The Puppetmaster's message went viral, highlighting organizational vulnerabilities. As the recovery process began, the organization had to determine the message to the public during a press conference. The discussion leaders emphasized sticking to factual communication, with legal and communications experts guiding the dissemination of information. The decision was split between adhering to facts and stating legal limitations on detail disclosure, with a slight preference for the latter.
Key takeaways from the discussion:
- Cyber resilience is key, and a multi-layered approach is needed.
- Spotting the imperfections exposes deepfakes.
- Focus on creating adaptive security strategies to stay ahead of the curve.
- Involve communications, legal, and HR teams along with the CEO during incidents.
- Restoring customer trust requires more than just communication; develop and share a detailed action plan with clients, emphasizing transparency.
- Conduct annual tabletop exercises to prepare for similar situations.
CISOs can continue the discussion on responding to cyber attacks and improving operational resilience at upcoming Gartner C-Level Communities’ gatherings. Community members can sign in to the app to find events and register with one click. Or, executives may apply to join a community of CISO peers to stay fully up-to-date on key topics for security leaders.