Phrases to help us think about cyber attacks... .

Click each photo for the full interview.
"Organisations must have a Recovery Time Objective as well as a Recovery Point Objective" Ramsés Gallego, ISACA, 19th Nov 2018
"Responders should not rush to kick intruders out" Mathias Fuchs, SANS Institute, 19th Nov 2018
“Once we escalate to management, there will be no day, no night.” Mr Ernest Tan Choon Kiat, during biggest breach in Singapore's history
"We don't trust you" David Koh, CEO of the Cyber Security Agency of Singapore, 21st June 2018
The average potential losses could reach half of banks’ net income in extreme cyber-attacks. Christine Lagarde of the IMF, 22nd June 2018
Teams that say their cyber-security is really good are the ones to worry about. After our breach, the most difficult issue was deciding when it was safe enough to come back online.
I learned that really smart engineers can talk English, under extreme pressure.
Dame Dido Harding, former CEO of TalkTalk, presenting on 4th June 2018
“They get pummeled by hackers because their cyber security is being managed by "Participation Trophy" winning wimps!" ― James Scott, 2017 – Senior Fellow, Institute for Critical Infrastructure Technology
“Companies that are leveraging technologies the best, leveraging the best practices in order to mitigate their risk, they should see that reflected in the terms and conditions that they are offered by the market,” Noel Pearman of XL Catlin The Royal Gazette - 15th September 2017
“Until you have experienced something like this, you don’t realise just what can happen, just how serious it can be.”
"I had no intuitive idea on how to move forward.”
Maersk CEO Soren Skou on how to survive a cyber attack - Financial Times, 14th August 2017
"Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted; none of these measures address the weakest link in the security chain." – Kevin Mitnick, "The World's Most Famous Hacker" – Fix Global 18th April 2017
There's no silver bullet solution with cyber security, a layered defense is the only viable defense" - James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
"I don't think anything is getting better, that much is pretty clear." Troy Hunt - Security researcher who maintains "Have I Been Pwned?" - 28th July 2016
"Everyone thinks they have a plan until they get punched in the face" Vicki Gavin, Head of Business Continuity at The Economist Group (quoting Mike Tyson) - 9th June 2016
"Dadada" Mark Zuckerberg's password, as revealed after data breach - 6th June 2016
We're in the stone age of cyber security. Real learning will only come after the 1st major incident. Dr Christopher Frei, Secretary General of World Energy Council - London - April 2016
My message for companies that think they haven’t been attacked is: “You’re not looking hard enough”. James Snook, deputy director in the office for cyber security, Government cabinet office, London - April 2016
Even where the individual cannot take action following the exposure of their personal data, we deem there is a right to know per se which deserves protection Helge Veum, Datatilsynet (Norwegian data protection authority), Oslo - April 2016
Understand what data you hold, how you are using it, and make sure that you are practising good data hygiene David Mount, Director, Micro Focus, London - April 2016
The only crime that has been proven is the hack. That is the story. Ramon Fonseca, founding partner of Mossack Fonseca ("Panama Papers") - April 2016
You have to make sure it is your boss who gets fired Dinis Cruz, Open Web Application Security Project - February 2016
The knock on effect of a data breach can be devastating. When customers start taking their business elsewhere, that can be a real body blow. Christopher Graham, Information Commissioner of United Kingdom - January 2016
I’ve been through stages of denial, disbelief, frustration. A couple individuals displayed incredibly poor judgment and incompetence. Robert Pera, billionaire, on phishing loss of $46.7m that his staff didn't tell him about - January 2016
Obviously the Sony hack was a wake-up call for anyone in my industry, and I would think for anyone in any industry Kevin Spacey, Actor and Film Studio Boss - Davos, Switzerland - January 2016
A medieval castle is only going to channel the bad guys, not deter someone who really wants to get into your data. Jon Rigby, Director Cyber at AlixPartners LLP, London - January 2016
In the very near future, cybersecurity exercises are going to be absolutely expected of all companies by regulators Michael Vatis, founding Director of the FBI's National Infrastructure Protection Center - NYC, USA - January 2016
If you’re not doing scans and penetration tests, then just know that someone else is. And they don’t work for you. George Grachis, Senior Consultant, Maxis360 - Florida USA - January 2016
In defending a breached organization, I absolutely would prefer one that has done an annual incident response exercise Lori Nugent, Shareholder, Privacy & Data Security, at Greenberg Traurig - Chicago USA - January 2016
With any large network, persistence and focus will get you in Rob Joyce, ("the nation’s hacker-in-chief") Tailored Access Operations, NSA, USA - January 2016
Companies should be thinking about the legal and managerial decisions that the CEO, the COO and the board will need to make in that kind of crisis situation. Michael Vatis, founding Director of the FBI's National Infrastructure Protection Center - NYC, USA - January 2016
What types and number of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership? George Grachis, Senior Consultant, Maxis360 - Florida USA - January 2016
The advice we received from the Metropolitan Police was not to tell our customers. Dame Dido Harding, CEO of TalkTalk - London, UK - 15th December 2015
The typical cyber-criminal is rather like your common thief: he will go for the window without security locks. There is a high element of opportunism. Thomas Naylor - Director - - London, UK - December 2015
We have to keep building our security walls higher and higher, because these cyber criminals are building longer and longer ladders. Dame Dido Harding, CEO of TalkTalk - London, UK - November 2015
Many executives are declaring cyber as the risk that will define our generation Dennis Chesley, Global Risk Consulting Leader, PwC, USA - Nov 2015
More than a third of our survey participants still think it unlikely they would be able to identify a sophisticated cyber attack Ken Allan, Global Advisory Cybersecurity Leader, EY, UK - Nov 2015
Cyber crime is the greatest threat to every company in the world Ginni Rommety - CEO - IBM, New York - September 2015
Hackers will often be the ones that put it out there that they’ve hacked an organization. Then the clock starts ticking. Ashley McCown, president of Solomon McCown - November 2015
Only after users have been fake-phished will they really pay attention to the training. Todd Fitzgerald, Grant Thornton International global director of Information Security - November 2015
If you outsourced something and your third-party provider lost your data, your insurance might not cover that. John Kennedy, corporate partner at Wiggin and Dana LLP - 11th November 2015
Incident Response plans that are 30, 40 or 100 pages long may have their place. But a shorter document helps not only during an incident, but also before it, raising awareness with the senior leadership about the types of decisions they’re going to be asked to make. Liisa Thomas, Chair of the data security practice at Winston & Strawn LLP - 11th November 2015
The awful truth is that I don’t know Dame Dido Harding, CEO of Talk Talk [when asked if affected customer data was encrypted] - 23rd Oct 2015
I am incredibly angry about this data breach and we will institute a thorough review of our relationship with [our breached supplier] John Legere, CEO, T-Mobile USA - October 2015
UK organisations we spoke to were under a far higher rate of attack than the European average Bob Tarzey, Service Director, Quocirca, UK - Sept 2015
There has been an explosion in both frequency and severity of cyber-attacks Chris Fischer, CEO, Allianz Global Corporate and Specialty - Sept 2015
JP Morgan is a company that has 2,000 people dedicated to cyber security. They have spent $250 million dedicated to cyber security. They did everything right, and they still got hacked Erik Avakian, Chief Information Security Officer, Commonwealth of Pennsylvania, USA - Sept 2015
What Would You Do Differently If You Knew You Were Going To Be Robbed? Michael Sentonas, VP & CTO, McAfee Security Connected, Intel, USA - Aug 2015
Any CEO who really understands risk knows that cyber is possibly the most unpredictable risk there is. It’s more unpredictable than a flood or tornado Malcolm Marshall, KPMG’s Global Head of Cyber Security - UK - July 2015.
The emerging nature of cyber risk is that it’s becoming systemic - as were the risks that led to the credit crisis John Scott, Chief Risk Officer, Global Corporate, Zurich - June 2015
There's no conceivable system that can stop 1 person in 100 opening a phishing email and that can be all it takes Ciaran Martin - Director General for Cyber Security - GCHQ, UK - June 2015
You would never dream of a CFO not coming to a board meeting. In addition, you would never see a CFO passing up using external audit or teams of external advisors. The same diligence has to be assigned to cybersecurity Val Rahmani, Non-Executive Director, Aberdeen Asset Management, USA - April 2015
Key stakeholders often underestimate how complex and overwhelming it can be to manage all the ancillary people and groups who must play a role in mitigating a major breach incident, including internal and external attorneys, internal and external investigators, law enforcement, regulators, insurers and many others Bryan Sartin - Managing Director - Data breach response and forensics - Verizon - April 2015
All companies go through crises, but this kind of crisis is unique in the number of unknowns Brian Brink, Senior Counsel Litigation, Schnuck Markets, USA - April 2015
Investors see data breaches as a threat to a company’s material value and feel discouraged in investing in a business that has had its sensitive information compromised Malcolm Marshall, KPMG’s Global Head of Cyber Security - UK - April 2015
There was this horrible moment where I realized there was absolutely nothing at all that I could do Amy Pascal, former CEO of Sony Pictures - USA - February 2015
It will take a major global company going down in the wake of a cyber attack to really shake up information security Adrian Leppard - City of London Police Commissioner - UK - Jan 2015
A breach alone is not a disaster, but mishandling it is Serene Davis - Underwriter with Beazley - California, USA - Sept 2014
"We’re going to have a major cyber event in the financial system, an Armageddon-type cyber event." Ben Lawsky - New York State's Superintendent of Financial Services - 22 Sept 2014
It’s the not knowing that’s the worst… . After a breach, there are more questions than answers Dwayne Melancon, Chief Technology Officer, TripWire, Portland, USA – July 2014
Credit monitoring services only give consumers limited help, with a very small percentage of the crimes that can be inflicted on them. These are basically PR vehicles for most of the breached companies who offer credit report monitoring. Avivah Litan, Vice President with Gartner Inc, Washington DC, USA - March 2014
Breach Prevention? How is that working for you? Jason Hart, VP Cloud Solutions, SafeNet Inc – October 2013
"We will bankrupt ourselves in the vain search for absolute security." Dwight D. Eisenhower – 1960s
There are now three certainties in life - there's death, there's taxes and there's a foreign intelligence service on your system Sir Iain Lobban, Director, GCHQ - July 2013
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." – Bruce Schneier 1996 in ”Applied Cryptography 2nd edition"
There are only two types of companies: those that have been hacked, and those that will be Robert Mueller - FBI Director, USA - March 2012
"If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders Dan Farmer – Author of Forensic Discovery
"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked" Richard Clarke – 2002 Security Conference

Membership gives unlimited access to the Cyber Rescue curated library of expert advice on cyber attacks, including: