Surviving a cyber fire and company data breach
Would you survive a cyber fire?
It’s Thursday morning, and you arrive at the office to find that all of the computers are frozen with a message saying that you have been hacked, and all the company’s data is locked and not accessible.
A ransom of $600k must be paid for the company’s data to be unlocked. The hackers have provided examples of customer and employee data to verify the hack. You have just 48 hours to pay the ransom. To signal intent, you must confirm that you will pay, otherwise a sample of customer, business and employee data will be made available on the dark web.
Office computers and general business software applications are not operable.
1. Phase 1: It's on fire
How will the business respond to this cyber fire? Will you inform employees and customers that the business is closed for an indefinite period? Will you establish a board and management ‘war room’ and a tactical response team? Who is included in the management ‘war room’? Who is involved in the tactical response team?
The board and management team decide to close the business for an indefinite period, and the comms team prepares and distributes notification to employees and customers. Assurance is provided that more information will be shared as soon as possible.
You contact your IT partner and legal team.
2. Phase 2: Cyber Incident Response Plan
The management war room instructs that the Cyber Incident Response Plan (CIRP) be activated; however, the CIRP is held on the company’s SharePoint site, which is inaccessible. Yikes.
The company’s IT partner advises that initial discovery shows the attack is highly targeted and specific, and that a cyber specialist will be required to identify the source. It is suggested to contact the company’s insurer to access specialist technical assistance, and in the process you discover that the company does not hold a policy that covers this specialist assistance. The IT partner suggests contacting the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) for guidance and support.
The ACSC confirms that it saw the hack in progress and mobilises quickly. The ACSC advises that the business must notify the Office of the Australian Information Commissioner (OAIC). The OAIC advises that the company must take steps to notify customers once the issue has been remediated.
In the meantime, an employee notified a media representative who made a public statement regarding the hack and the importance of keeping customer and employee data secure and private.
The company’s phones start ringing off the hook. Employees want to know what data has been stolen. Customers want to know what data has been made public. Media want to understand what the company is doing – and what it didn’t do to mitigate the data breach.
Customers and employees are asking for their personally identifiable information (PII) to be returned. The company does not have a right of erasure policy in place, and it also doesn’t have a precise definition of the employee and customer data it holds.
ACSC specialists identify the source and set out a list of remediation steps. The IT partner confirms that it will take 48 hours to implement the recommendations and a further 24 hours to cleanse and replace desktop computers and laptops.
The company remains closed. What is the cost to the business of being closed for one hour? 24 hours? 48 hours?
You need to decide:
- Does the company remain closed for days until the hack is resolved, OR
- Does the company pay the ransom and return to business in a few hours?
3. Phase 3: Reflecting on the cyber fire
The company’s cybersecurity vulnerabilities were exposed. The company had managed anti-virus software and licensing with security-rich features, but the following controls were not in place:
- Documented Cyber Incident Roles
- Accessible and available Cyber Incident Response Plan
- Cybersecurity policies
- Cybersecurity insurance
- Essential Eight or Information Security Management System (ISMS)
- Vulnerability and penetration testing
- Third party monitoring and review
- Security event monitoring and alerting
- Cloud configuration management
- Cybersecurity induction training and refreshers
Data governance is essential for board directors and senior business leaders
The recent data breaches at Optus and Medibank, in which 20 million customer records were compromised, have changed the Australian regulatory cyber and privacy landscape forever. Just last week, ClubsNSW fell victim to a mass data breach that threatens to expose the personal details of one million people, opening them up to the risk of identity theft.
Tougher privacy laws are on the way as demonstrated by the Review of the Privacy Act report released in February 2023 and the Australian Prudential Regulation Authority’s (APRA) order to have Medibank include a capital adequacy requirement of $250 million as a result of the “weaknesses” identified in its information security environment.
Additionally, the Office of the Australian Information Commissioner (OAIC) will be empowered with additional resources to investigate suspicious cyber incidents and will be able to fine offending companies up to $50m, which is in line with the General Data Protection Regulation (GDPR) in place across the European Union.
The new Privacy Commissioner Carly Kind signalled that new tougher privacy legislation will be in place by August 2024.
How well placed is your organisation to respond to these data protection and privacy challenges?
Who is responsible for keeping data safe?
Ultimately, the Board and senior leaders are accountable for keeping the company’s data private and secure. Alarmingly, many organisations don’t even know where their data is stored, and what data they have.
A Data Governance Framework is now essential. A practical Data Governance Framework blends management and board responsibilities to ensure corporate data is kept protected and private.
Get in touch
If you need support understanding the cybersecurity and data governance posture of your organisation, please get in touch; we’d love to help.