The chances of an Australian company falling victim to a cyber attack have never been higher. In the 2022-23 financial year, the Australian Signals Directorate received one cybercrime report every six minutes, and artificial intelligence is already enabling criminals to target more victims, more quickly. The cost to the global economy is in the trillions, while for individual businesses the impact on operations, reputation, morale and share price can be catastrophic.
It’s the risk everyone is talking about (when it happens to someone else), but are businesses acting to protect their own interests?
Cybercrime is constantly evolving, both in nature and sophistication of attacks. This makes it challenging, especially for organisations with minimal in-house IT expertise, to predict and defend against attacks, whether they involve ransomware, theft of data, denial-of-service, malware, control system compromise or simply scamming unsuspecting employees to take unauthorised actions.
Just in the last few weeks we have had data hacks at e-prescription provider MediSecure and non-bank lender Firstmac, not to mention the apparently accidental (non-malicious) incident at UniSuper which left half a million members unable to access their super accounts. For me, the deepfake dupe at engineering giant Arup was a reality check about how devious and sophisticated cybercrime has become – an employee transferred millions after attending a video call with people he believed were the chief financial officer and other colleagues, but who were in fact AI versions of those people.
Despite the challenges, there are steps all businesses should be taking, in an effort not only to avoid an incident in the first place, but to be ready to handle it and minimise financial and reputational impact if it does.
Businesses should be acting on at least three levels:
1. Identify vulnerabilities
2. Take protective action
3. Be crisis-ready
Identify Vulnerabilities
When looking at vulnerabilities, businesses should consider any weaknesses in their systems (password requirements, two-factor authentication, minimising storage of personal data, etc.), identify particularly sensitive data or critical systems, and understand the full consequences of a breach. On this note, the fallout from the 2022 data breach at Optus continues – this week the Australian Communications and Media Authority launched action in the Federal Court alleging Optus failed to protect the confidentiality of its customers’ personal information as required by specific telecommunications legislation.
Identifying vulnerabilities also involves understanding which staff are most vulnerable to being targeted by cyber criminals. The Australian Signals Directorate has identified the following categories of staff as highest-risk:
– senior executives and their executive assistants
– help desk staff, system and network administrators, and other users who have administrative privileges to operating systems or applications such as databases
– all users who have access to sensitive data, especially data that could provide a foreign government or organisation with a strategic or economic advantage
– users with remote access
– users whose job role involves interacting with unsolicited emails from members of the public
Malicious hacks are made easier if a user’s email address is readily available via their employer’s website or social networking websites, or if the user uses their work email address for purposes unrelated to work. You may have noticed some organisations adding complexity to email addresses by inserting a middle initial.
Take Protective Action
Protective action likewise includes system protections, but also regular reminders to staff about company policies on accessing sensitive data, updates on cybercrime methods, and what to do in the event of a suspected cyber incident.
While protecting confidentiality of data is a key aim, integrity of data and ensuring uninterrupted availability are also considerations.
There is a wealth of resources available to guide organisations on how to protect themselves, including an Australian Cyber Security Centre checklist and guide for small business to enhance cyber security and the ASD’s Essential Eight cyber mitigation strategies.
Be Crisis Ready
What has become apparent, however, is that even with significant investment in protecting against hacks and other technology crime, incidents are still possible, especially given the rising involvement of supply chain and third-party compromises (where customers or partner organisations are impacted as a result of trusted relationships with a third party that is hacked).
That means that every business should also be crisis-ready. Having a well-practised crisis management plan in place can make an enormous difference to the speed and effectiveness of a business’s response to a cyber attack. Acting swiftly can limit the extent of a hack, but a crisis also requires cool heads, and preparation is the secret ingredient here.
A good crisis plan is concise but contains key information such as: a list of members of the crisis management team (including alternates); their responsibilities and contact details; and a list of key stakeholders who need to be kept informed or have particular needs addressed. It will also include a clear process for detecting, evaluating and containing an event, notifying relevant management, authorities and others, and mobilising the crisis management response when needed.
A subset of the crisis plan should deal with reporting obligations regarding cyber incidents, including mandatory reporting of cyber incidents involving critical infrastructure assets and notifiable data breaches. Obligations may be to government departments and/or to individuals and organisations affected, depending on the situation. Organisations with a dedicated cyber security crisis plan should ensure the cyber plan is consistent and dovetails seamlessly with any broader crisis management plan.
The best crisis plans include a range of templates for use by the Crisis Leadership Team in a crisis to keep track of unfolding events, assist with meeting agendas and even simplify the process of drafting media releases and messages (by predicting the most likely scenarios in broad terms).
Issues to consider from a communications perspective include engagement with media, use of social media, effective stakeholder engagement (who, how, when) as well as internal communications that keep staff informed while allowing them to continue their day-to-day work as much as possible.
Board members should also be across their responsibilities. The Australian Institute of Company Directors’ publication on governing through a cyber crisis, released earlier this year, provides useful guidance for directors, especially on when active involvement is needed.
Finally, a key element of being crisis-ready is ensuring familiarity with the crisis plan, which should be tested regularly and updated as needed. Don’t be the client who says “Crisis plan? We’ve never had a crisis”. The odds are not in your favour.
If you would like to discuss updating or testing your crisis plan, get in touch.