October is Cyber Security Awareness month, but that is not the only reason organisations should be thinking about whether leadership, operations and communication teams are fully equipped to deal with a cyber-attack.
The Australian Cyber Security Centre’s latest Annual Cyber Threat Report revealed more than 67,500 cybercrimes were reported in the 2020-21 financial year, an increase of 13 per cent from the previous year. In fact, cyber crime is one of the most pervasive threats facing Australia, and the most significant threat in terms of overall volume and impact to individuals and businesses, according to the report published on 15 September 2021.
No matter how robust security practices are, any organisation can fall victim to a variety of attackers — from sophisticated cyber groups, opportunistic fraudsters, malware campaigns, hacktivists, or even disgruntled employees.
Our crisis and issues experts have compiled the top ten planning considerations to help organisations prepare for a cyber security threat.
- Knowing there is a problem – and fully understanding it
Attackers often go to great lengths to hide their activity, making identification of an intrusion difficult, with the average time for detection of an intrusion 178 days. Once an intrusion is detected, it is difficult to quickly gain an understanding of the full extent of the event.
Take the time to fully understand the extent of the attack before you start communicating about it externally. The media generally has little interest in the details and is looking for a headline, therefore any ambiguity can lead to reputation damage.
- Quantifying the consequences
Assessing the extent of a data breach or attack on IT infrastructure and the impact on the business is challenging. What may initially appear a simple Ransomware attack may cripple the organisation for months. The long-term damage resulting from a data breach is impossible to predict. The communication between the Information and Communications Technology and Crisis Management (CMT) Teams can also complicate reaching an understanding, especially if the CMT has little understanding of ICT or information management.
- Responding appropriately
Without a clear understanding of the nature and extent of a problem, mounting the right response is always difficult. Overreacting can be just as damaging as not doing enough.
Knowing when and what to do, and how and when to communicate internally, to business partners, regulators, clients and customers can also be challenging. Continually re-assessing the communication required for different audiences is critical to ensuring your business survives and recovers from a cyber-attack.
- Mapping stakeholders
With interconnected systems, a breach may not be contained within just one organisation or group. The increased use of cloud services and hosted environments further complicates this. Understanding the potential of the attack to affect your stakeholders is critical, as is having a complete picture of how interconnected the organisation is with their systems and processes.
Establishing a stakeholder communication map before an attack, as well as being aware of contractual obligations will prove invaluable during a cyber security breach.
- Clear and effective communication
Clear and effective communication is critical in the management of any crisis, however, the unique nature of cyber-attacks can pose additional challenges. Good planning and preparation will assist decision-making around communication and disclosure requirements. Ensuring alternative internal communication protocols are in place will stand organisations in good stead if/when emails are compromised.
- Navigating the unique legal framework
There are specific rules and regulations governing an organisation’s response to a data breach. These can include The Privacy Act, rules set by industry regulators (such as APRA, ASIC and ACCC) and other contractual requirements with clients and business partners. If a business operates across international borders, or has clients or service providers offshore, complexity increases further as each country has unique regulatory frameworks. A clear understanding of these requirements before a crisis emerges will prove invaluable once a breach is discovered.
- Preservation of forensic evidence and law enforcement
Preservation of evidence can be important when dealing with some types of incidents. This is often the priority of law enforcement agencies. However, preservation of evidence may conflict with prompt service recovery or the protection of other systems. Understanding the implications and having the appropriate processes in place is critical.
- Planning for a complex recovery
Recovery from cyber-attacks can be difficult and take time. Once data and systems are compromised, the impact can last years. Rebuilding infrastructure often requires significant additional hardware which can take weeks or even months to procure. External expert IT support will almost certainly be required to rebuild and ensure new systems are not vulnerable. Planning the immediate and long-term response and recovery phases will reduce the impact of a breach.
- Deciding whether to pay a ransom
While it might be easy to say ‘we will never pay a ransom’, the reality of the situation might make payment the only realistic option. Many organisations have negotiated reduced ransoms (sometimes as low as five per cent of the original demand) and used payment to buy time. Understanding the options and even some of the practicalities can be helpful in a crisis.
- Ensuring insurance is comprehensive and up to date
Most major insurers offer cyber insurance. While organisations might have some level of coverage, many are not fully versed in the terms and conditions. Some policies include the cost of ransoms while most only cover some aspects of the associated business losses. Incident and crisis response teams must be aware of policy details, as some responses may preclude the insurer from paying a future claim. Trying to interpret the terms and conditions of a policy during an event is not recommended.
Assessing an organisation’s level of crisis preparedness has never been more important – this means not only improving cyber security resilience to make it difficult for criminals to compromise systems, but putting well-considered operational and communication plans in place now, so your organisation is well equipped to deal with a cyber-attack, not if, but when it happens.