Businesses are being urged to include a crisis management plan in their arsenal against a cyber attack and to remember customers are just as much the victims of a data breach as the organisation itself. 

It’s not a matter of if an incident will occur but when, Ai Group member and secure infrastructure company Oper8 Global warns. 

“Our general purpose for getting out of bed in the morning is to protect organisations from the worst day of their lives,” the group's Nick Lovell said. 

To educate businesses on how to protect themselves and their employees, customers and reputation, Mr Lovell teamed up with UK-based crisis management consultant Jonathan Hemus in a podcast on cyber security.   

In the podcast, titled Beyond the Breach: Crisis Management, listeners learn the benefits of implementing a crisis management plan and hear real-life examples — the good and the bad — of how companies in Europe have handled breaches. 

“No organisation is immune to a cyber attack and what you do after an event will determine the impact on your organisation,” Mr Hemus said. 

“You won’t be judged for being a victim of an attack but rather, by how you respond to it, and you will only respond well if you have planned, trained and rehearsed.  

“Don't wait until the worst happens before starting to think about how you will respond. When you’re in the middle of a crisis, there’s intense pressure and scrutiny. There is a lot at stake.” 

While it is important to do as much as you can to prevent a cyber attack, a crisis management plan is key to dealing with the aftermath, Mr Lovell said. 

Basis of a good crisis management plan 

What you do before a cyber attack happens will determine whether you retain the trust of your customers or flounder and lose value and reputation, as well as trust, Mr Hemus said. 

The first step is to create an overarching crisis management plan, not limited to cyber, that is fit for purpose in any crisis. 

“It should include ways of working, processes, checklists and flow charts to enable you to operate purposefully and much less stressfully when the heat is on,” Mr Hemus said.  

“Further checklists and first steps against different crisis types, such as a cyber incident, can then be added. 

“Among other things, include the contact details of your regulator. You don’t want to be Googling this kind of information when you’re under the pump.”  

Push the red button 

The most important part of any crisis management preparedness program is exercising — having your team play it through as if it were real.   

“Exercising builds understanding of the plan and identifies flaws, which is a good thing, because you are identifying them before the event,” Mr Hemus said. 

“It builds mental muscle memory of how you would respond in a crisis and breeds confidence and capability. 

“A plan without an exercise is not enough. It won’t work fully if your team has not rehearsed deploying it.” 

Ensure the crisis management team comprises a range of people from across the organisation, not just the techies and senior management. 

“Everyone needs to understand the role they play in a cyber incident,” Mr Hemus said.  

Communicating an incident 

When doing your scenario planning, consider how you will communicate with customers. What about ex-customers? Would you communicate with them as well?  

If they have questions, could you deal with tens of thousands of incoming phone calls? Would you do the notification in phases?  

What if the attack took down your email system, and you’ve got it on your plan to email customers?  

“That is why scenario planning is such an important part of being ready,” Mr Hemus said. 

“You do not want to be having those discussions or finding out those flaws when you’re in the middle of it.” 

Remember, though, you need to fix the problem, too. 

“Just fixing the problem is not enough to protect your business,” Mr Hemus said. 

“Conversely, just communicating well isn’t enough, either.  

“It’s about what you do and what you say and doing both of those things well, simultaneously under great pressure.”  

Who owns the plan? 

It depends on the organisation, Mr Hemus said. 

Some may have a dedicated Head of Crisis Management.  

In others, the responsibility may lie with the Chief Operating Officer or a person in another role. 

“Whoever it is, it needs to be made clear, because someone has to take responsibility for making sure you are ready,” Mr Hemus said. 

“Culturally, the CEO needs to lead crisis management. If you are to be truly ready for crisis, it needs to be led from the top.”

Who’s the victim? 

“When someone attacks you, you feel hard done by,” Mr Hemus said. 

“You feel like the victim. In the case of a cyber breach, you are the victim, in a sense.  

“However, you need to get over yourself quickly because the harm that’s been done is to your customers, employees and other stakeholders who have been affected by what has happened to the business. 

“One of the worst possible crisis responses is to focus on the harm a breach has done to ‘you’ — your business, your operations or the value of your business.  

“You need to put yourself in the shoes of your stakeholders, and you need to step forward and take full responsibility for responding to it and putting it right. 

“It is incumbent on organisations to do the right thing — to not just protect themselves but all the people who are going to be affected if they get it horribly wrong.” 

Commit to the plan 

It’s important to fully commit to your crisis management plan. 

“If it’s just a tick-boxing exercise to satisfy a regulator, it’s not as likely to be as effective in protecting your organisation when the worst happens,” Mr Hemus said. 

“There has to be really good governance to make sure your own checks and balances are being adhered to, monitored and audited appropriately. 

“Live and breathe the plan, knowing it’s going to serve you well.” 

Obligations on business  

Oper8, which has its Australian base in Brisbane and provides services that protect data, hopes its series of podcasts on cybersecurity will create thought leadership.  

“We believe we have a right and a responsibility to give people enough information to make quality decisions,” Mr Lovell said. 

“We’re promoting the concept of collaboration within the industry to be able to protect people's data.” 

In Europe, companies must notify the European Data Protection Board within 72 hours if they know confidential information has been accessed. 

There is also a mandatory data breach reporting framework in Australia, with Boards of Directors now responsible for their organisation’s data. 

Mr Lovell said there are still listed companies in Australia that fail to report data breaches. 

To address this, the Australian Government recently increased the penalty for persistent data breaches from $2.2 million to a minimum of $50 million. 

Despite their worth, crisis management plans are relatively new in Australia, Mr Lovell said. 

“Some of the larger organisations have been alive to this, but the vast majority of businesses in Australia do not have a crisis management plan,” he said. 

“Yet, the cost of these breaches is enormous.  

“Organisations are doing the same things in the same ways and expecting different outcomes. 

“Nearly 90 per cent of security is spent on firewalls and endpoint protection only.  

“We need to take a different view of how to spend that money.” 

Click here to listen to the podcast. 

Ai Group is conducting a survey on cyber security. It is an issue for everyone, so we would like to hear from all businesses on this topic. We will use the results to inform a report on cyber capability and to help sharpen our advocacy on behalf of industry. Please click here to begin the survey.

Hear how fellow Ai Group member B&R Enclosures went from cyber target to cyber safety advocate at a FREE webinar on Thursday, July 27. 

Oper8 Global has been a member of Ai Group since 2018. 

“We are constantly impressed with the quality of Ai Group briefings and the engagement of the people within the organisation. We have learnt a great deal and benefitted enormously from our partnership, for that is exactly how to describe the relationship — a mutually beneficial partnership.” — Nick Lovell, Sales Director, Oper8