Incident response is a crucial component of maintaining a good cyber security posture in any organisation. The damage from some of the world's most notorious cyber incidents could have been minimised, and the incidents themselves largely forgotten, had they been handled well. Two examples are the 2015 TalkTalk breach in the UK and, closer to home, the 2016 failure of the Australian Census website, run by a highly trusted organisation.
The two incidents had very different root causes, yet both led to catastrophic reputational damage:
- TalkTalk was hacked, leading to a data breach; two individuals went to jail for the hacking
- The Australian Census suffered an epic system failure, and those responsible for ensuring it didn't happen are still blaming each other
The key point is that whether the hackers go to jail or you resolve the squabbling between your service providers, your organisation's brand and reputation has already been irrevocably damaged.
The introduction of the Notifiable Data Breaches (NDB) scheme, an amendment to the Australian Privacy Act that commenced in February 2018, has made it clear that organisations are accountable for the privacy of the data they hold and can be fined up to AUD 2.1 million for failing to comply. Add to this the ongoing fallout from the Hayne Royal Commission, whose final report was released on 4 February 2019, and we are seeing an increased focus from regulators on how businesses manage cyber risk. These regulators include the:
- Office of the Australian Information Commissioner (OAIC)
- Australian Securities & Investments Commission (ASIC)
- Australian Prudential Regulation Authority (APRA)
- Australian Taxation Office (ATO)
Whilst fines and penalties from regulators should always be a concern for organisations, there is also a global trend towards civil litigation that organisations must be aware of. Many Australian litigation funders and law firms are waiting for the opportunity to take legal action against organisations that do not fulfil their obligations to secure individuals' data.
When it comes to avoiding scrutiny, reducing the risk of coming to the attention of the regulators, and staying out of the courts, there are a few key lessons to be learnt:
- An organisation that is prepared to handle a cyber incident is less likely to get into trouble with the regulators
- An organisation that is prepared to handle a cyber incident is less likely to be found negligent in the case of a privacy breach
- Cyber insurance is a mature product that can greatly assist in handling a cyber incident, both through established and experienced incident response panels and by covering the costs
Recommendations
CTRL Group recommends five key steps, among others, to be prepared:
- Model your threats. Identify the risks that are most likely to occur and most damaging to your business
- Build a plan that directly addresses how your organisation would handle those incidents
- Put that plan on a single page for quick reference and train those responsible for response in using it
- Have a third party facilitate a scenario test with the relevant response teams
- Test it again, preferably quarterly
Better still, talk to the experts. Every organisation should be well prepared and understand its plan.