This year has already seen several high-profile companies hit by cyber attacks in which customer data was breached and ransoms were demanded. Many organisations have a cyber incident plan in place, but legal compliance obligations are easily overlooked in the middle of an incident.
There has never been a more pressing time to discuss how to manage cyber incidents effectively. Gadens and Lawcadia, with special guest Stan Gallo, Partner, Forensic Services, BDO Australia, held a live event on this subject. When asked about the recent high-profile data breaches affecting several large Australian corporations, Mr Gallo observed:
“The recent matters have shone a spotlight on the issues at hand and have demonstrated that there’s a combination of sophisticated attacks and not-so-sophisticated attacks, so companies need to be aware of both, and sometimes it’s the really simple things that trip us up.”
In this article we share seven key insights from the session.
Have your staff had adequate training so that they are aware of cyber risks? Phishing emails, texts and instant messages are one of the easiest ways for attackers to gain a foothold in an organisation's internal systems and are the number one delivery vehicle for ransomware. Does your team understand what phishing is? Can they recognise a phishing email, and do they know what to do with one, including how to report it, rather than clicking a link or opening an attachment? This is the human firewall, and cyber awareness and education are a tremendous first line of defence for your organisation. It is a relatively inexpensive investment that can pay off significantly, especially when people recognise the risk and act on it.
How is your organisation protecting its data? Whether the data is at rest or in transit, think about encryption and integrity protection. New regulatory changes will push businesses to focus on what information they collect, how they retain and protect it, and how they dispose of it. Data is often distributed and stored freely without much forethought about security, whether through email, shared drives or cloud storage. You cannot protect something unless you know where it is, and with so many connectivity options it is very easy to lose track of where data lives. You then have to consider smart devices and other connected equipment that collect information. If these are part of your business environment, make sure they are understood and included in the inventory.
Every organisation, whether technology driven or not, needs a cyber awareness and cyber risk management capability. You cannot outsource it and forget about it, and it is not the sole responsibility of the IT department. Cyber risk is now part of normal business operations and needs to be built into business planning and risk management. It cannot be siloed or segregated.
The recently passed privacy legislation amendment substantially increases the maximum penalty for serious or repeated privacy breaches to the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or 30 per cent of the company's adjusted turnover for the relevant period. There was some expectation of a transitional period, because businesses would take time to adjust, but this has not happened: the higher penalties are already in force. This aggressive stance makes it critical for organisations to take cyber security more seriously and to be ready for hefty penalties if they are found responsible for a serious data privacy breach.
Further changes to the Privacy Act are also expected. Consultation on privacy reform has been under way for some time, and one of the areas under consideration is updating the definition of personal information to reflect a more social media-focused world. Other anticipated changes include lowering the threshold at which the Privacy Act applies to an organisation, developing a tiered penalty regime, and enhanced security guidelines.
Another expected area of change is closer alignment with the European General Data Protection Regulation (GDPR), which gives people in Europe much more control over the data organisations hold about them. An online privacy bill that has been tabled proposes an online privacy code and greater transparency and stronger processes around consent, particularly between social media organisations and members of the public.
In the ransomware space, there have also been discussions about increasing the consequences for cyber extortion and even banning the payment of cyber-related ransoms.
While preventing a cyber incident is the optimal outcome, prevention will not succeed 100% of the time. Organisations therefore need to plan and prepare in advance to manage the risk. There are three phases to consider when planning for a cyber incident –
A thorough and structured programme of proactive cyber security risk management will help make sure your business is as prepared as possible for when an incident does occur.
When an incident occurs, the business priority is to get back up and running as soon as possible. That very process can destroy evidence: rebuilding systems or restoring from a backup can overwrite important clues about how the attacker got in and what they accessed. Engaging a forensic investigator early rather than late allows the appropriate evidence (for example, images or snapshots of affected systems and copies of relevant logs) to be captured before restoration overwrites it, while the business's recovery and the broader incident response continue. This needs to be part of the plan. Like any good plan, if it is practised and prepared for in advance, your experts, not only forensic investigators but legal, communications and everyone else who needs to be involved, will be ready to assist immediately because, as we all know, it is not a question of if but when a cyber attack will happen.
Many tools, tips and resources are available to help organisations manage cyber security, and which ones are needed will depend on the size and breadth of the organisation. Overall, the focus should be on raising awareness and uplifting the business's knowledge of cyber threats and risk management. Below are a few options –
Many businesses and industries remain complacent, apparently not believing that a cyber incident could happen to them, so cyber is still not a priority. Unfortunately, many of these businesses will cease to function during a cyber attack, and only then will they realise how important it is to have a plan. As the saying goes, if you fail to plan, you are planning to fail, so be prepared and put together a plan for when a cyber incident occurs.
The Gadens Cyber Incident Manager is a cloud-based solution designed to help navigate the legal reporting and compliance obligations of an organisation during a cyber breach.