Globally, we depend on functioning, reliable critical infrastructure. Cybersecurity poses a real and significant risk to the reliable connectivity we depend on, placing our security, economy, public health and safety at risk. From a purely commercial perspective, cybersecurity is now a major contributor to the company risk register. It has the potential to directly impact an organisation's bottom line, with the ability to drive up costs and adversely impact revenue. It can harm an organisation's ability to innovate, grow and maintain its customer base.
In the US, the issue of cybersecurity resulted in changes to the role of the National Institute of Standards and Technology (NIST), to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. The Framework provides a common structure for addressing cybersecurity risks by assembling standards, guidelines, and practices.
The Framework references globally recognized standards for cybersecurity and can serve as an international model for cooperation, aligning and strengthening communities in the application of cybersecurity principles. The Framework aims to assist organizations in addressing cybersecurity as it affects the privacy of customers, employees and suppliers/vendors. It can be applied to organizations relying on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT).
The Framework revolves around 5 key functions: Identify, Protect, Detect, Respond, and Recover. They aim to guide the organization in its management of cybersecurity issues. The functions also align with incident management methodologies and help guide investments in cybersecurity, for example, investments in planning and tools to support response and recovery actions, resulting in reduced impact to the delivery of services.
Planning Remedial Action
A data breach can be temporarily debilitating for your business, not to mention an inconvenient nuisance, and it can have long-term effects. It is harmful to your business and your clients/customers, creating a massive amount of anxiety, as what you believed to be safe and secure platforms are violated, shattering whatever faith and trust you had in your IT systems. However, in these moments, it is important to put your woes aside and step up to your leadership role. You will need to work through the issues quickly and apply a practical and pragmatic approach.
As we all know, when faced with a stressful situation, we often don't perform at our best. We may be so consumed with fear and anxiety that we're not able to stand back and consider calmly and rationally how and what needs to be done. For this reason, I recommend that all business owners take a few hours to develop a crisis plan. Ask yourself: how will you respond in the aftermath of a data breach? What action will you take, and in what order? What resources will you need? Your plan doesn't need to be War and Peace, but it should be detailed enough that you know exactly what to do, when, and who will be responsible. Make an effort to think through the real details like client communications, re-establishing platform security, reporting to regulatory bodies, media reports, etc. Seek advice and counsel on business interruption and business continuity, data loss, brand and reputational damage and the cost of business remediation. If you are publicly listed, consider how you might deal with suspension from the share market and class actions. Establish a list of resources you will need to call on and reach out to them now to discuss how and what will need to be done in the event of a breach. This will ensure that you have a sound guide to follow when you need it.
Cyber-attacks leave our clients and customers vulnerable to identity theft and fraud, as their personal details are sold or used by faceless criminals. Here are some steps you can take to assess the severity of the breach and better secure yourself.
Are my platforms compromised?
Confirm which platform or system was affected and what data is likely to have been compromised in the breach. Are they your customers and, if so, how many and who exactly? Does the breach only concern data collected in a specific time period? Always start the process by understanding exactly what you are dealing with, and confirm exactly what data was stolen, when, and who is impacted. Answering those questions will allow you to judge the level of risk to your business. Remember that some organisations hold your data without you being aware of it. Those include credit-reporting companies such as Equifax Inc, which suffered a breach in 2017 that affected 147 million people.
What was compromised?
Breaches often cover a wide range of data. Some information is seen as less of a concern as it is already publicly available, like your name or email address. Further, hacks by foreign governments are usually seen as less dangerous because most spy agencies do not sell or trade such information. On the flip side, data theft by financially motivated criminal gangs is very dangerous because the intent is to defraud the consumer. For this reason, extremely sensitive data needs to remain private: for example, your credit card number, direct debit details, passwords and TFN, which could be used to make fraudulent purchases in your name, or provide access to online bank accounts and ATO records.
But it is also important to remember that even if stolen, the data may still be protected by encryption.
To assess the severity of the breach, try to determine what information was compromised and in what format it was stolen.
What do I do in the event of a cyber attack?
Depending on the size and nature of your business, you may be obliged to notify the people who are impacted and report the breach (access the guidelines from the Office of the Australian Information Commissioner). Aim to do this when you are certain you have all the facts, understand the issue and can provide guidance on how it has been rectified. You may also choose to post guidance for consumers on your website.
Under the European Union's General Data Protection Regulation (GDPR), companies have to inform victims of severe data breaches 'without undue delay'. They must then describe in 'clear and plain language' the nature of the breach, the likely consequences and what measures are being taken to deal with it.
Is this a scam?
In the aftermath of a data breach, it is important to be on high alert for scams and fraud.
If bank account details have been compromised, advise your clients and customers to watch their account balances and statements carefully. If they find any unusual activity, ask them to contact their bank or card provider immediately and inform the appropriate law enforcement agency. Your clients should also be aware of ‘phishing’ websites, which claim to offer information about the breach and even compensation but have actually been set up by criminals to trick you into revealing more personal details or making payments to their accounts.
The cyber criminals involved in the breach may also run or be affiliated with fraud cartels that contact you directly, by phone or email, with elaborate ploys to defraud consumers of more money. In this case, they may be armed with large amounts of detailed personal information.
Cyber Aware Culture
In this scenario, as in life, information and knowledge are important. The unfortunate truth is that most C-suite level executives don't have a deep understanding of the risks and potential issues and, further, they may have been educated by security vendors who have sold them the dream of a technology solution that will cure all ills.
Technology alone will not totally protect your business. It will take a combination of people, process and technology to significantly reduce your risk. This includes things like education for your staff and managers to create a cyber-aware culture, internal governance to ensure the risks are tabled at the highest level of your company and the precautionary activities are funded appropriately, a cyber insurance policy, and regular IT back-ups to offer protection against ransomware attacks. It is important to ensure cyber risk is tabled in the corporate risk register and, whilst it can be hard to quantify the risk, a nominal investment needs to be made or budget needs to be set aside to fund remedial action in the event of an attack.
If you feel the need to take a proactive approach, consider the following checklist items that may help you significantly reduce your risk profile:
- Ensure you have a role or function to which cyber-attacks are reported
- Create reports to develop a sense of the volume and regularity of cyber intrusions
- Take out a cyber security policy
- Employee Training
  - Train employees on the importance of company/client/customer data
  - Train employees on how they and data may be targeted
  - Establish all sources of data within your organisation: where is it stored and by whom?
  - Classify the data and establish who needs access to highly sensitive data
  - Ensure only staff that require sensitive data have access to it, locking down systems that house highly sensitive data with access on a 'need to know' basis
  - Perform assurance on your compliance with data privacy rules. Table failures and adjust the regulations to ensure you are continuously improving
- Recovery Plans
  - If you have key systems housing sensitive data, assess their resilience
  - Create system recovery plans
  - Test recovery plans and make it someone's job to update them every 6-12 months
  - Assign someone the role of Recovery Manager in the event of an attack, to ensure they are familiar with the recovery plan before the big day
- IT Systems
  - Deploy software security patches as soon as possible after their release to reduce vulnerability
  - Use data encryption to protect sensitive data in transit and at rest
  - Use firewalls and anti-malware to protect your environment
  - Monitor and control devices connected to the environment, especially smart devices
Voluntary Data Breach Notification
The NSW government has begun reviewing its voluntary data breach notification scheme to determine whether the state’s agencies and local councils should be required to report data breaches. The Department of Communities and Justice last month opened consultation on whether a mandatory reporting scheme along similar lines to the federal model is needed.
Under existing privacy legislation in NSW, state government organisations are not required to report data breaches. They are also not covered by the federal reporting scheme, along with local councils and organisations with a turnover of less than $3 million a year.
NSW attorney-general Mark Speakman has committed to reviewing the existing voluntary reporting scheme to understand whether it would be appropriate to implement a mandatory breach reporting scheme.
“It would be premature to introduce a mandatory reporting scheme in NSW now without taking the opportunity to learn from the implementation of the Commonwealth scheme,” he said at the time.
A discussion paper has now been released by the department, seeking feedback from the community on how the existing voluntary data breach notification scheme is working and how a mandatory scheme might work.
Whether it's customer data, confidential company data or fraudulent transactions, the fall-out from cyber-crime can be consequential for you, your company and your clients. Being prepared is mandatory to reduce the risk or weather the inevitable storm.