This year has already seen several high-profile companies hit with cyber attacks where customer data has been breached and cyber ransoms have been demanded. Many organisations have a cyber incident plan in place, but important legal compliance can be at risk of being overlooked during a cyber incident.
The timing for a discussion on managing cyber incidents effectively has never been more imperative than now. Gadens and Lawcadia, with special guest Stan Gallo, Partner, Forensic Services, BDO Australia, held an informative live event covering this subject. When asked about the recent high-profile data breaches impacting several large Australian corporations, Mr Gallo observed:
“The recent matters have shone a spotlight on the issues at hand and have demonstrated that there’s a combination of sophisticated attacks and not-so-sophisticated attacks, so companies need to be aware of both, and sometimes it’s the really simple things that trip us up.”
In this article we share seven key insights from the session.
1. It’s not only about cyber resilience but also the people behind it
Have your staff had adequate training so that they are sufficiently educated and aware of cyber risks? Phishing emails, texts and messages are among the easiest ways for attackers to enter an organisation’s internal systems, and phishing is the number one delivery vehicle for ransomware. Does your team understand what phishing is? Can they identify a phishing email, and do they know how to handle one if they receive it? This is the human firewall, and appropriate cyber awareness and education are a tremendous first line of defence for your organisation. It is a relatively inexpensive investment that can pay off significantly, especially when people are aware of the risk and take action proactively.
2. It’s about the data
How is your organisation protecting its data? Whether the data is at rest or in transit, think about data encryption and integrity. New regulatory changes will drive businesses to focus on what information they collect, how they retain and protect it, and how they dispose of it. Data is often freely distributed and stored without much forethought about security. Whether it is shared through email, shared drives or stored in the cloud, to protect something you must know where it is, and with so many connectivity options available it is very easy to lose control of that. You then have to consider smart devices and other items that collect information. If those are part of your business environment, you must ensure that all these elements are understood and included.
3. It’s part of everyday operational risk
Every organisation, whether it is technology driven or not, needs to have a cyber awareness and cyber management component. You cannot outsource it and forget about it, and it is not the sole responsibility of the IT department. Cyber risk is now part of normal business operations and needs to be included in business planning and risk management. It cannot be siloed and segregated.
4. Significant regulatory changes are coming
The recently passed privacy legislation amendment substantially increases penalties for repeated or serious privacy breaches to up to $50 million, 30 per cent of adjusted turnover, or three times any financial benefit obtained through data misuse for more egregious breaches (whichever is higher). There was some expectation of a transitional period because businesses would take time to adjust, but this has not happened. The higher penalties are now in force. This aggressive stance highlights that it is critical for organisations to take cyber security more seriously and to be ready for hefty penalties if they fall foul of a serious data privacy breach.
Further changes to the Privacy Act are also expected. Consultation on privacy has been under way for quite some time, and one of the areas being considered is updating the definition of personal information to take into account that we live in a more social media-focused world. Other possible changes include lowering the threshold at which the Privacy Act applies to an organisation, developing a tiered penalty regime, and enhanced security guidelines.
One other area of change expected is a closer alignment with the European General Data Protection Regulation (GDPR), which gives people in Europe much more control over what data organisations hold. An online privacy bill that has been tabled looks at putting together an online code and increasing the transparency and processes around consent, particularly between social media organisations and the members of the public.
Further, in the ransomware space, there have been conversations about increasing the consequences for cyber extortion and even banning the payment of cyber-related ransoms.
5. Take the time to prepare for cyber incidents
Whilst prevention of a cyber incident is the optimal outcome, it is unlikely to be effective 100% of the time. So, in this modern age, organisations need to plan and prepare in advance to manage the risk. There are three phases to consider when planning effectively for a cyber incident –
- (1) Preparation: This is undoubtedly the most crucial part. It’s ensuring you have everything in place across the pillars of people, process and technology. A good first step is undertaking a health check review to ensure that all the different aspects of the organisation are as robust as they can be. Then, have an Incident Response Plan and ensure it’s up to date and tested. The following are some helpful questions to ask internally –
- Have you carried out a Crisis Management exercise recently?
- Have you performed a Disaster Recovery exercise recently?
- Do you carry out regular penetration testing?
- Do you have the latest technology in place, including ensuring software is patched and up to date?
- Have you conducted a cyber security risk assessment of your third-party providers?
Having a thorough and structured program for proactive cyber security risk management will help make sure your business is as prepared as possible for when an incident does occur.
- (2) Incident: When an incident occurs, having a well-tested Incident Response Plan in place is crucial to responding appropriately and quickly. The incident or crisis management team will focus on rectifying the issue, getting the organisation’s operations back up and running, and minimising impacts to stakeholders. Whilst this is necessary, it is essential not to forget your legal compliance requirements, some of which are time sensitive.
- (3) Post-incident review: After an incident, take the time to document the lessons learned and build them back into the organisation. This means updating your plans and processes and implementing what has been highlighted, which may include additional training and upgrading your technology. Incorporating pertinent learnings, building organisational knowledge, and documenting the actions taken will help you minimise the risk of this type of incident recurring.
6. Get a forensic expert involved at the right time
When an incident occurs, the business priority is to get back up and running as soon as possible. The very process of doing that can destroy evidence, and recovery from a backup can overwrite important clues. Advice from a forensic investigator earlier rather than later allows the appropriate evidence to be captured whilst the business’s restoration process is in progress and the broader incident response continues. This needs to be part of the plan. Like any good plan, if it is practised and prepared for in advance, you will have the experts you need, not only forensic investigators but legal, communications and everybody else who needs to be involved, immediately ready to assist because, as we all know, it is not if but when a cyber attack will happen.
7. Use a tool kit of helpful resources
Many tools, tips and resources are available to assist organisations in managing cyber security, and which are needed will depend on the size and breadth of the organisation. Overall, the focus should be on raising awareness and uplifting business knowledge of cyber threats and risk management. Below are a few options –
- The Australian Cyber Security Centre: This Government resource provides the Essential Eight framework, which sets out important areas to improve security.
- Cyber awareness training: Organisations must take cyber risk seriously and consider regular updates and initiatives. This requires leadership from the top level on the vision for cyber awareness, consideration of the organisational structure, and, depending on the size of the organisation, how security and cyber awareness are embedded within it. Large organisations may have an Information Security Officer reporting directly to the executive team, so that cyber security is treated as a business risk at that upper level of management.
- Risk management and risk registers: Ensure cyber is included within these processes and records and that they are visible to senior management and discussed at the Board level.
- Adopting risk champions or cyber security champions: This promotes cyber awareness throughout an organisation’s culture, effectively making it part of the everyday conversation within the company.
- Cyber incident checklists and workflows: A platform, such as the Gadens Cyber Incident Manager, assists in working through a structure and checklist designed to help businesses manage their legal compliance obligations. There are many moving parts when you are in the middle of a cyber incident, and legal compliance must not be overlooked. This should be included as a step within the Incident Response Plan.
Conclusion
Many businesses and industries remain complacent, seeming not to believe that a cyber incident could happen to them, and therefore cyber is still not a priority. Unfortunately, many of these businesses will cease to function during a cyber attack, and only then will they realise how important it is to have a plan. As the saying goes, if you fail to plan, you are planning to fail, so be prepared and put together a plan for when a cyber incident occurs.
Lawcadia is a legal technology company with a cloud-based platform that in-house legal teams and their law firms use to manage intake, matters, engagements, RFPs, and spend. It enables users to be more efficient, control processes and spend, and have visibility across the legal function.
An award-winning, easy-to-implement, intuitive and affordable end-to-end legal operations platform, Lawcadia incorporates no-code workflow automation and logic-based processes with a collaborative and secure interface.
Clients include corporate and government legal teams and over 150 law firms.
Founded in 2015, Lawcadia is headquartered in Brisbane, Australia with clients in Asia-Pacific, UK and the US.