Responsible and robust data management is crucial to the maintenance of a reliable and secure financial system. But, as the complexity and volume of data collection rise exponentially, so too do the sophistication and number of cyber-attacks.

Such is the frequency of data breaches that it is now not a case of if, but when, a company will be attacked. Defence Minister, Marise Payne, stated in April 2018 that up to 400 Australian companies had been targeted in suspected Russian government-sponsored cyber-attacks in the preceding few months.

In the event of a data breach, management’s focus should be not just on operational matters but also on communication strategy and protection of the brand. In the chaotic post-breach environment, when there is an urgency to restore systems and access to applications, there can be a temptation to give brand management a lower priority, to the detriment of the organisation down the track.

It is crucial that a detailed data breach response plan is in place in advance of any breach and communication specialists are engaged to manage the organisation’s public response before the situation spirals out of control.

The current cyber threat landscape/Worrying trends

Consumers rightly expect that companies will protect their personal information from theft by cyber criminals but the statistics show that, in reality, this is far from the case. According to cyber security firm CyberArk’s Global Advanced Threat Landscape Report 2018, 45% of Australian organisations say they can’t prevent attackers breaking into their internal networks.

Coupled with this alarming situation, a recent report outlined three worrying trends that are most likely to develop further in the coming three years. The March 2018 report Threat Horizon 2020 by independent security and risk management research organisation, the Information Security Forum (ISF), expects:

  • Cyber-attacks by nation states and private hackers will continue to erode business resilience and consumer confidence in the security of personal information.
  • Rapidly evolving technologies such as quantum computing will outpace encryption standards and other controls.
  • As security measures including biometrics become increasingly compromised by criminals, risk and compliance burdens will become more onerous.

Introduction of mandatory reporting uncovers more breaches

The Notifiable Breaches Scheme (NBS), which launched in Australia in February 2018, introduced mandatory reporting of data breaches relating to personal information. The NBS was incorporated into the Privacy Act with mandatory reporting to the Office of the Australian Information Commissioner (OAIC) and the requirement to advise individuals who are potentially affected. The NBS applies to all companies with an annual turnover of $3 million or more, government agencies and credit reporting bodies, among others.

Under the NBS, an eligible data breach has occurred “if there is unauthorised access, disclosure of, or loss of personal information held by a company and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”.

In April 2018, the OAIC released its first quarterly report on notifications received, which revealed that 63 data breaches were reported during the first six weeks of NBS operations. This compares to just 114 data breaches that were voluntarily reported to the OAIC for the entire 2016/17 financial year.

How to manage cyber risk

As overwhelming as the rising tide of cyber threat might seem, companies have no choice but to take a proactive approach to information security and communication management. In addition to IT-related measures such as implementing multi-factor authentication and educating staff on information-handling best practice, communication procedures should be in place in preparedness for any data breach.

Communication management is essential to retain trust

Inadvertently revealing information that your customers expect you to keep private, or allowing hackers to steal that information, can destroy the trust customers have in your organisation. In extreme situations, customers’ lives or life savings can be put at risk, sparking widespread public alarm and anger.

The extent and speed of that destruction of trust is not only related to the sensitivity of the information that has been compromised. It will also depend largely on how you manage communication with customers and others such as media and regulatory authorities.

The way you act and how you communicate in the immediate wake of the crisis will determine the long term damage to your organisation’s reputation and its ability to do business in the future. So, it’s worth getting the help of communication specialists who have experience in this field – ideally, before an issue such as a data breach or cyber attack occurs, rather than after it has thrown your business into turmoil.

Preparedness

A data breach response plan is essential to the efficient management of a breach. The plan should outline a strategy and necessary steps for containing a breach and meeting your obligations to stakeholders. A thorough and effective plan should have input from your operational and systems managers, external cyber experts and communication specialists with issues management expertise.

The response plan should be regularly reviewed to ensure it remains up to date and covers the relevant data breach risks to the organisation. Your exposure to risk will depend on factors such as the size of your organisation, the industry it operates in, and the volume and sensitivity of the data it holds. A data breach response plan should include:

  • What actually constitutes a data breach and responses to each type of breach.
  • The strategy for managing a data breach.
  • The roles of specific staff members in the event of a breach, including those who are authorised to speak on behalf of the company.
  • Pre-prepared messaging for clients/customers, media and regulators that can be quickly modified and issued in the wake of a breach event.
  • Details of external parties to contact such as insurers, lawyers, communication advisers and IT forensics providers.
  • A documentation process.
  • A process for reviewing the organisation’s response to a breach, to check the effectiveness of your plan in action.

Management/response

The faster an organisation responds to a data breach, the more likely it is to limit negative consequences and subsequent recovery costs. This highlights the importance of the data breach response plan but also the effective execution of the plan. There are four key steps in responding to data breaches:

  1. Contain
  2. Assess
  3. Notify
  4. Review

 

  1. Contain

This step is fundamentally the responsibility of the IT department. It may involve actions such as disabling network access, installing patches or resetting user passwords.

  1. Assess

A thorough assessment of the nature and extent of the breach is essential to formulating an effective response. The aim of the assessment process is to evaluate the threat level, the harm to those affected and actions that can be taken to mitigate that harm.

  1. Notify

The key here is to be open and transparent while protecting the interests of your organisation. A bad situation can be made even worse if it later comes to light that critical information was withheld from those affected. On the positive side, this is the first step in rebuilding public trust.

Some breaches may require all customers/clients to be notified while more isolated cases may only require notifying affected individuals. It is critical to manage this issue responsibly as notifying individuals who are not affected can cause unnecessary stress.

The data breach response plan should inform as to whether the breach must be reported under the NBS.

  1. Review

It is crucial that organisations comprehensively review the response process in the wake of a data breach. Valuable information can be gathered at this point, such as identifying weak points in the data breach response plan to help the organisation respond better to future data breaches.

By Michael Pollack, content manager, FCR