Incident Response – Better Be Prepared.

Some of the world's most notorious and damaging cyber incidents could have been minimised, and therefore largely ignored, if they had been handled well. I am referring to incidents such as the 2015 TalkTalk breach in the UK and, closer to home, the embarrassing system failure of the Australian Census, a highly trusted organisation.

The root causes of these two incidents were hugely different; however, both led to catastrophic reputational damage:

  • For TalkTalk there was a hack leading to a data breach; two individuals went to jail for hacking
  • For the Australian Census there was an epic system failure; those involved in ensuring this didn’t happen are still blaming each other

Where things went very badly was in the communications (as they very often do, by the way…). TalkTalk prematurely announced an overestimation of the number of impacted customers; those ultimately responsible for the success of the already controversial Census, the head of the Bureau of Meteorology and the Federal Minister, disagreed publicly on the reason for the failure. In both cases this took things from bad to much worse.

Many of you may be wondering why I have used such old examples when there have been countless more since. Because we knew about this in 2015-16, it’s now 2019, and organisations of all shapes and sizes are still handling cyber incidents poorly!

A key point here is that, no matter if the hackers go to jail or you fix the squabbling between your service providers, your organisation’s brand and reputation have been irrevocably damaged.

When I first meet organisations I ask them a few quick questions:

  • Do you have a cyber incident response plan? (wooh!)
  • Do you have a crisis management/communications plan for say fire or shooter-on-site? (woah!)
  • Is that cyber incident response plan integrated with your crisis comms plan? (yeah!)
  • If yes to any of the above – have you tested these? How often? Prove it. (uh-oh.)

If there were a poll system here, I would ask this question: as a percentage, how many times do you think I have left these meetings thinking that (wow!) I have just encountered an organisation that is adequately prepared for its worst-case scenarios? Then halve it, and that’s very generous.

The introduction of the Notifiable Data Breaches addition to the Australian Privacy legislation in February 2018 has highlighted the fact that organisations are accountable for cyber privacy and will potentially be fined up to AUD 2.1 million for not adhering to the regulation. Add to this the ongoing fallout from the Hayne Royal Commission released on February 4th 2019 and we are seeing an increased focus from regulators on business activities around cyber risks. Some of these regulators are the:

  • Office of the Australian Information Commissioner (OAIC)
  • Australian Securities & Investments Commission (ASIC)
  • Australian Prudential Regulators Association (APRA)
  • Australian Taxation Office (ATO)

Whilst fines and penalties from regulators should always be a concern for organisations, there is a global trend towards civil litigation that organisations must be aware of. There are many Australian litigation funding legal firms that are waiting for the opportunity to take legal action against organisations that do not fulfil their obligations to secure individuals’ data.

When it comes to avoiding scrutiny, the risk of coming to the attention of the regulators, and putting yourself at the mercy of the judicial systems, there are a few key lessons to be learnt here:

  • An organisation that is prepared to handle a cyber incident will be less likely to get in trouble with the regulators
  • An organisation that is prepared to handle a cyber incident will be less likely to be found negligent in the case of a privacy breach
  • Cyber insurance is a mature product that can greatly assist in handling a cyber incident (established and experienced incident response panels) and covering the costs

At CTRL we recommend 5 key steps, among others:

  1. Model your threats. Think of the most likely and damaging risk to your business
  2. Build a plan that directly addresses how your organisation would handle the incidents
  3. Put that plan on a page for quick reference and train those responsible for response in using it
  4. Have a third party facilitate a scenario test with the relevant response teams
  5. Test it again, preferably quarterly

Even better, talk to the experts. All organisations should be well prepared and understand their plan.