Responsible and robust data management is crucial to the maintenance of a reliable and secure financial system. But, as the complexity and volume of data collection rise exponentially, so too do the sophistication and number of cyber-attack events.
Such is the frequency of data breaches that it is now not a case of if, but when, a company will be attacked. Defence Minister Marise Payne stated in April 2018 that up to 400 Australian companies had been targeted in suspected Russian government-sponsored cyber-attacks in the preceding few months.
In the event of a cyber-attack or data breach, management’s focus should be not just on operational matters but also on communication strategy and protection of the brand name. In the chaotic post-breach environment, when there is an urgency to restore systems and access to applications, there can be a temptation to give brand strategy and protection a lower priority, to the detriment of the organisation down the track.
It is crucial that a detailed cyber-attack response plan is in place in advance of any breach, and communication specialists are engaged to manage the organisation’s public response before the situation spirals out of control.
The current cyber threat landscape: worrying trends
Consumers rightly expect that companies will protect their personal information from theft by cyber criminals, but the statistics show that, in reality, this is far from the case. According to cyber security firm CyberArk’s Global Advanced Threat Landscape Report 2018, 45% of Australian organisations say they can’t prevent cyber criminals from breaking into their internal networks.
Coupled with this alarming situation, a recent report outlined three worrying trends that are most likely to develop further over the coming three years. The March 2018 report Threat Horizon 2020, by the independent security and risk management research organisation the Information Security Forum (ISF), expects that:
- Cyber-attacks by nation states and private hackers will continue to erode business resilience and consumer confidence in the security of personal information.
- Rapidly evolving technologies such as quantum computing will outpace encryption standards and other controls.
- As security measures including biometrics become increasingly compromised by criminals, cyber risk and compliance burdens will become more onerous.
Introduction of mandatory reporting uncovers more cyber-attacks
The Notifiable Breaches Scheme (NBS), which launched in Australia in February 2018, introduced mandatory reporting of cyber-attacks relating to personal information. The NBS was incorporated into the Privacy Act with mandatory reporting to the Office of the Australian Information Commissioner (OAIC) and the requirement to advise individuals who are potentially affected. The NBS applies to all companies with an annual turnover of $3 million or more, government agencies and credit reporting bodies, among others.
Under the NBS, an eligible data breach has occurred “if there is unauthorised access, disclosure of, or loss of personal information held by a company and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”.
In April 2018, the OAIC released its first quarterly report on notifications received, which revealed that 63 data breaches were reported during the first six weeks of NBS operations. This compares to just 114 data breaches that were voluntarily reported to the OAIC for the entire 2016/17 financial year.
How to manage cyber risk
As overwhelming as the rising tide of cyber-attacks might seem, companies have no choice but to take a proactive approach to cyber security and communication management. In addition to IT-related measures such as implementing multi-factor authentication and educating staff on information-handling best practice, communication procedures should be in place in readiness for any data breach.
Communication management is essential to retaining trust
Inadvertently revealing information that your customers expect you to keep private, or allowing cyber criminals to steal that information, can destroy the trust customers have in your organisation. In extreme situations, customers’ lives or life savings can be put at risk, sparking widespread public alarm and anger.
The extent and speed of that destruction of trust is not only related to the sensitivity of the information that has been compromised. It will also depend largely on how you manage communication with customers and others such as media and regulatory authorities.
The way you act and how you communicate in the immediate wake of a cyber-attack will determine the long-term damage to your organisation’s reputation and its ability to do business in the future. So, it’s worth getting the help of communication specialists who have experience in this field – ideally, before an issue such as a data breach or cyber-attack occurs, rather than after it has thrown your business into turmoil.
Preparedness for a cyber-attack
A cyber-attack response plan is essential to the efficient management of a breach. The plan should outline a strategy and necessary steps for containing a data breach and meeting your obligations to stakeholders. A thorough and effective plan should have input from your operational and systems managers, external cyber security experts and communication specialists with issues management expertise.
The response plan should be regularly reviewed to ensure it remains up to date and covers the relevant cyber risks facing the organisation. Your exposure to risk will depend on factors such as the size of your organisation, the industry it operates in, and the volume and sensitivity of the data it holds. A cyber-attack response plan should include:
- What actually constitutes a cyber-attack and responses to each type of breach.
- The strategy for managing a data breach.
- The roles of specific staff members in the event of a cyber-attack, including those who are authorised to speak on behalf of the company.
- Pre-prepared messaging for clients/customers, media and regulators that can be quickly modified and issued in the wake of a breach event.
- Details of external parties to contact such as insurers, lawyers, communication advisers and IT forensics providers.
- A documentation process.
- A process for reviewing the organisation’s response to a breach, to check the effectiveness of your plan in action.
The faster an organisation responds to a data breach, the more likely it is to limit negative consequences and subsequent recovery costs. This highlights the importance not only of having a cyber-attack response plan but also of executing it effectively. There are four key steps in responding to data breaches:
Step 1: Contain
This step is fundamentally the responsibility of the IT department. It may involve actions such as disabling network access, installing patches or resetting user passwords.
Step 2: Assess
A thorough assessment of the nature and extent of the breach is essential to formulating an effective response. The aim of the assessment process is to evaluate the threat level, the harm to those affected and the actions that can be taken to mitigate that harm.
Step 3: Notify
The key here is to be open and transparent while protecting the interests of your organisation. A bad situation can be made worse if it comes to light that critical information was withheld from those affected. On the positive side, this is the first step in rebuilding public trust.
Some cyber-attacks may require all customers/clients to be notified, while more isolated cases may only require notifying the affected individuals. It is critical to manage this issue responsibly, as notifying individuals who are not affected can cause unnecessary stress.
The cyber-attack response plan should set out whether the breach must be reported under the NBS.
Step 4: Review
It is crucial that organisations comprehensively review the response process in the wake of a cyber-attack. Valuable information can be gathered at this point, such as identifying weak points in the cyber-attack response plan, to help the organisation respond better to any future data breaches.