Preventing cybercrime: At what cost?

There are two types of organizations: those that know they’ve been hacked and those that have yet to find out. This means it’s vital that businesses have well prepared damage limitation plans. With long-standing relationships already in place between EY and the BSA, plus our track record in operational resilience and cyber risk, they came to us with a question: How can businesses both large and small combat cybercrime at a price they can afford?

Immediate recovery from a cyber-attack is more often about good crisis management than IT. It involves a broad range of decision-making — from the CEO and general counsel to HR, media relations and more — to both mitigate damage and continue to run the business.

EY has extensive experience of responding to cyber incidents for hundreds of clients across the globe, and an understanding of the building society and mutual sector. This experience allowed us to work closely with the BSA to design a series of realistic cyber incident simulations representing several days of an unfolding critical cyber incident.

C-suite executives from five building societies came to EY More London Place to jointly participate in the exercises, sharing knowledge and insight.

The scenarios escalated quickly while our crisis management professionals coached them from boardroom decision-making through to technical investigation. The exercises helped them understand when and how to act, who to involve and what impact their decisions might have on their business, their stakeholders and their customers. 

These are highly practical sessions providing tangible skills and insight. Using video, audio, text and multimedia experiences, simulations replicated how a real crisis would look and feel. 

So often incidents start with events that could be interpreted as error rather than a direct threat; passwords stop working and staff can’t access their computers. Escalation comes with customer complaints and media attention, with both social media and the dark-web playing a critical part.

It’s not for the faint-hearted, but the lessons learned in those three hours had a lasting impact. They empowered leaders to drive change within their own organizations, becoming more resilient to major disruption.

As one participant said, “It was informative and very thought provoking, and made us realize what we need to do in regard to communications and policy.”

Our program with the BSA has been a great success, demonstrating how powerful cyber incident simulation exercises can be in helping managers to acquire experience in a safe environment. By sharing the cost of these simulations, firms gain access to expertise and coaching at an economic price, using many of the assets and tools we’ve developed while working with the largest financial services companies on an individual basis.

As a result of this success, we’re delighted that a leading finance sector industry group with over 300 members, has expressed an interest in coming on board. This would be a big step forward in our goal of raising the bar across the entire financial services sector, reducing the impact of cyber-attacks and helping the industry to become more resilient.

It’s how minds made for protecting financial services, contribute to building a better working world.

Knowing how to act in the event of a cyberattack requires experience and first-hand knowledge. Organizations that want to learn how to protect their businesses must be given the opportunity to do so at a fair price.