Garrett O'Hara

Garrett O'Hara is the Principal Technical Consultant at Mimecast, having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity, Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


Gar is joined this week by Anthony Caruana, CEO of Media-Wize and all-around media guru. Anthony has spent time working as a writer, presenter, facilitator, journalist, media trainer and been a consultant for some massive companies.

Anthony talks us through what good crisis communications can do as part of an incident response, how to approach comms when the media will be involved, the thinking around crisis comms for different organisation sizes and verticals, what order comms should happen in, who are the best spokespeople, DIY vs external support for comms, and some incredible stories from the comms crisis trenches.


The Get Cyber Resilient Show Episode #73 Transcript

Garrett O'Hara: Welcome to the Get Cyber Resilient Podcast. I'm Garrett O'Hara. We're joined today by Anthony Caruana, the CEO of Media-Wize, and also writer, presenter, facilitator, journalist, media trainer, and consultant. Back in May, when Amy Holden and I were recording our episode for the podcast, which Anthony was hosting, we got talking about crisis comms. Crisis communications should be a part of any incident response plan. In this episode, Anthony talks us through what good crisis communications can do as part of an incident response, how to approach comms when the media will be involved, the thinking around crisis comms for different organisation sizes and verticals, what order comms should happen in.

Who are the best spokespeople (and hint: that can change depending on what's happening), DIY versus external support for comms, and all of this is littered with Anthony's stories from the trenches over the conversation. I'm joined today by Anthony Caruana, the CEO of Media-Wize; writer, presenter, facilitator, journalist, media trainer; does a lot of different things. How are you going today, Anthony?

Anthony Caruana: Really well, mate. How you doing?

Garrett O'Hara: I am doing well. Thank you. Doing well. Uh, we're in different cities. I know you're down and Melbourne today, how's everything down there?

Anthony Caruana: Um, it's been an interesting day. Um, I'm not sure what day this has been released, but we found out that we're at least a couple of weeks off having any relaxation of restrictions here. So Father's Day will be spent in isolation and, you know, missing my daughter's birthday and a few other things. So, it is a bit hard going down here at one level, but on the other level, look, other things are much better. The weather's getting better. So we're out a lot more, and swings and roundabouts, I guess.

Garrett O'Hara: I, I definitely get you. It's first day of spring, right? And went for a little jog at lunchtime and, oh man, it's it is already warm in Sydney. So, spring has sprung.

Anthony Caruana: That's good.

Garrett O'Hara: Um, so look, we all always starts with the, the guest’s kind of just giving the audience just a bit of an intro, you know, how did you get to where you are today as CEO of Media-Wize? Um, and I was kind of joking before we start recording, that I, you know, I'm looking at your LinkedIn profile and it's long and windy road, but yeah, it'd be great to just get a, a background on, on how you ended up where you are today, Anthony.

Anthony Caruana: Look, it's definitely been very long windy. Um, if someone had asked me when I finished school would I be doing what I'm doing today, I would've probably slapped them in the head and told them that was a big joke. Um, so when I left high school, I wanted to be a scientist. So I went off and studied science. Um, interestingly enough, Australia's not a really great place to be a scientist or it wasn't in the late '80s and early '90s. Um, so those who can't do, teach. So I became a school teacher and I did that for a while. And honestly, at that stage, I was just working in a school where I wasn't having a lot of fun. I wasn't really enjoying the job, and I took the first job I could get out of the place. And that was in the commercial world doing some training.

Um, so this was in the '90s, late '90s, where the internet was but babe, and no one really knew what to do. So I was teaching people how to use word pro, use word and Excel, and how to use a web browser and save bookmarks and do email. And that's kind of where that started. And then from there, I ended up going to one of my clients and ended up working in the, in the dairy industry in manufacturing, and that led to a job where I was running training within that organisation for a while. Then I ended up in IT and doing, ended up in the business analytics part of the business, and don't even ask how I got there, but somehow that happened.

Um, it was one of those things. Um, I left that organisation, went into the energy industry mainly to work around a particular platform and some training and then ended up running some development projects and stuff like that, did a whole bunch of different things over 10 years. And in the middle of that time I've, I've been doing some writing just for fun. And a friend of mine was going away on a trip overseas who was a journalist, and she said "I can't cover the two things I've gotta write for this magazine next month. Can you do them?" And I said, "Sure, why not?" And I did them and then the editor asked me to send an invoice and I said, "Oh, I'm gonna get paid for this and everything."

And that was kind of the beginning of working as a freelance writer. Is I realised that I had this skill that people were prepared to pay for? And I kind of just did that on the side for a few, quite a few years. And then I, you know, you get to that stage in your life where you go, "Well, if I don't try this now, I'm never gonna do it."

Garrett O'Hara: Hmm.

Anthony Caruana: So, I, I bailed out of the reliable world, world of, you know, being a full time employee with a good salary and superannuation and, you know, annual leave and all that stuff, and I bailed. And went and hung a shingle as a freelance writer, did that for quite a long time. And it went really, really well. I, you know, managed to keep the kids in school and shoes on feet and all that sort of stuff. And then look, three years ago with a friend of mine, Catherine, Catherine and I were kind of shooting the breeze one day and she was lamenting how hard it was to get journalists to write stories about a lot of, about some of her clients in PR. And I said, "Well, wouldn't it be great if they could actually tell their stories really well, because most of them are just really poor at talking about what they do."

Um, you know, a lot of, a lot of companies up, my first question to everyone almost always was, what do you do? And what makes you different from all the other people that do something like what you do? And almost no one could answer that very simple. What I thought was a very simple question.

Garrett O'Hara: Hmm.

Anthony Caruana: And that led us into doing media training. Um, so we hung a shingle as Media-Wize and we opened up really with the focus on purely on media training. Um, but out of that, a whole bunch of our clients said, "Hey, that was really good. We wanna do the next bit. Can you do our PR for us?" And we've now over the last three years become a, a full PR agency doing crisis comms, doing everyday comms for companies PR, we brought website copy for people. Um, we've got clients list you know, ASX listed companies. We are dealing with a NASDAQ listed company. We've got companies out in Silicon Valley across Australia. So we've kind of gone from, you know, almost an in anger idea between two people of let's fix a problem to something much bigger with a team and all sorts of stuff going on now.

Garrett O'Hara: Which is pretty cool. And, and today's crisis comms. You know, we got, we got chatting when it was we, we, the roles were reversed, myself and Amy Holden, you had us on for the podcast. And yeah, when we're in the room, you kind of mentioned that you were doing the crisis comms and, you know, we got chatting about that. Um, so that yeah, I was very keen to kind of dig into that specifically. And you know, like every organisation these days, or, or let's, let's be honest, many organisations will have some sort of an incident response plan or at least know that they're supposed to.

And in pretty much every bit of lit- literature I've ever kind of read about this stuff, they recommend having a comms plan as part of that. Um, so like before we kind of get into this stuff and kind of really dig into it, what do you think the comms part of an IR, or, or an incident response? Like what does that hope to achieve at a high level?

Anthony Caruana: Look, Mike I've, I've worked in organisations that have gone through a crisis more than one more than one organisation and sometimes more than one crisis in that organisation.

Garrett O'Hara: Yeah.

Anthony Caruana: Um, and the one thing that I've learned both through my own action and by observing others, is that almost always the first thing you do in a crisis typically makes things worse. Um, the human re- instinct to do something often leads to making a pretty bad decision early on. Um, and in crisis comms, that might be something like you get asked a question, let's say your, your organisation gets breached or gets hit with a ransomware attack. Or you think it's a ransomware attack is probably more accurate. The first, someone's gonna say what happened? And your first answer is you want to tell someone what actually happened and you probably don't know. So you, you have a stab in the dark at what that might be.

Um, and it doesn't, and it's not right. Um, and then you've gotta either recant that later or explain it, you know, that person didn't have all the data at that moment and made a bad, you know, made a bad call or whatever it is.

Garrett O'Hara: Yes.

Anthony Caruana: So almost always the plan's got us start with, shut up and take a breath. You know, that, I think that's the first thing people have to do. And that's where you need to start with your plan.

Garrett O'Hara: And do you think there's a huge pressure? Um, so like one of the things you kind of see a lot of reporting on is the, hey, they're not saying anything about the, the breach or, you know, what's happened. We know something's happened, but they're not saying anything you, and there's a tendency then for the, the vacuum to get filled in by stuff, you know, speculation that potentially becomes, starts to feel like truth sometimes. Um, like how do you, how do you deal with that? You know, you you're saying, don't say anything, but at the same time, if you don't say anything, like there's a vacuum that's created.

Anthony Caruana: Yeah. Look, it's not about saying nothing. It's about saying what you know.

Garrett O'Hara: Yep.

Anthony Caruana: Um, we, we always say to people, look, when you're talking, when you're in a crisis, there's probably three things you really need to avoid doing. One is you've gotta avoid exaggerating. So if, if you've been hit, you know, it might have been sometimes the case is that one workstation gets hit and one user's machine gets ransomwared or whatever. So they pick up the phone and they talk to a mate and say, "Oh, my bloody computer's down. I've been ransomwared." And that friend tells another friend. And all of a sudden there's a ran- the story is that you've got a ransomware attack inside your business. And the reality is you don't. Um, and it becomes exaggerated pretty quickly. The other thing is that people often extrapolate and go they might see two bits of unrelated news.

They might say, you know, for example, last year, the, the Australian government said, you know, we're under a heavy cyber attack from a foreign, from another, from a foreign government. Um, so, and people's reaction is foreign governments making an attack. We've just being hit. Oh my gosh, they're after us. And they put, you know, they put two and two together and they get an Apple.

Garrett O'Hara: Yep.

Anthony Caruana: You know, they, they go completely pear shaped on it to, you know, keep the fruit going. Or people just guess.

Garrett O'Hara: Yeah.

Anthony Caruana: You know, something goes pear shaped. And they, you know, like if we look at what happened to the census five years ago people were guessing what happened in that initial thing. Was that a D, was that a DDoS attack? Was it a poorly configured system? What was it? And in that first few hours, everyone just guessed what it was. And that became, and the guess became the story. So don't, don't guess. When you don't know what's going on, say, you know, the incident happened, this is what we think hap- this is what we know has happened. You know, a workstation was compromised, 12 workstations were compromised. We took the following action. We did thing A, thing B, thing C, that's all we know at this moment.

When we know more, we will tell you more. you know, and if anyone else tells you they think they know what's going on, they're making it up. Because the definitive source of, of information needs to come from you as the person inside the crisis.

Garrett O'Hara: So it's like basically controlling the narrative and, and getting ahead of any of the, the, the fluffer nonsense that might get generated in the media.

Anthony Caruana: Yeah. And it does happen.

Garrett O'Hara: Or, or elsewhere. Yeah. Yeah, elsewhere.

Anthony Caruana: And, and elsewhere.

Garrett O'Hara: Yeah.

Anthony Caruana: And what's interesting is our experiences. We've done some work with a number of organisations going through crisis. And most of the time, the crisis doesn't hit the media. So, you know, you've gotta make sure you don't jump the gun and go, we've been breached. We better tell, we better tell the media before they come to us. And there rather things you may need to do first, like triage. [laughs]

Garrett O'Hara: Yeah, you would hope. Well, but how does social media play into this right? Because you sort of see, I mean, for me, I get a lot of my news on LinkedIn and quite often, it's, you know, it's opinions and it's people who I, I kind of trust at some level. Um, and often, you know, on LinkedIn, in my news stream, I'll see people speculating, making comments on, on what has happened or what's, you know, not happened. Um, is that stuff that you can control or like have any thoughts on that?

Anthony Caruana: Look, I mean, social media is, you know, it's a, it's an interesting beast.

Garrett O'Hara: Hmm.

Anthony Caruana: Um, it tends to be a bit of a self, self eating animal. Um, you know, here's one thing, someone retweets it or re-posts it, and then suddenly when, if 100 people do it, it becomes truth by volume, not truth by actual fact. Um, when that starts happening is you've literally gotta have someone who sits and go, actually, that's not right. You don't, we don't know that that's, we don't know what is going on. Or the actual facts are at, you know, 14 minutes past nine, we detected an infected workstation; at 16 minutes past nine, we closed the network down; at 18 minutes past nine, we did this thing.

And you come back at it and you just lay out facts because it's very, you know, you can bring your own opinions to anything, but you can't bring your own facts unless you're the American president, I guess. But you really, you, you, facts are, facts are absolute and you gotta deal in absolute. You can't deal in speculation.

Garrett O'Hara: Do you think we, we suffer a little bit from you know, look, there's a history of some companies either doing the, you know, look over there, nothing's happening or waiting too long to make any kind of comments, you know, to the point where people are maybe a little bit cynical when there is commentary or there's no commentary that, you know, there's an organisation that's running a playbook for comms, but actually they maybe already know what's going on. They just don't wanna say.

Anthony Caruana: Look, when you are, when you are the company going through the crisis, you have to decide where your priorities lie.

Garrett O'Hara: Hmm.

Anthony Caruana: Um, and you, that might be, we're going to give accurate information every 30 minutes and we'll post it on our website or we'll post it on social or whatever. You make it obvious. You make people know that there's a channel, and when there's, when there's new information, this is where it will be. Um, the last thing you wanna be doing is taking a phone call every eight minutes or more when you're in the middle of trying to fix a problem. And that's probably where having a plan makes a very big difference because you need to actually plan not just what you're gonna do, but who's gonna do it.

Garrett O'Hara: Yeah, absolutely. And that, those plans, you know, when we were chatting before we started recording, one of the questions I kind of was thinking of like, does this apply to organisation when you hit a certain size or are there verticals where this is particularly appropriate? You know, maybe more visible or verticals where their reputation maybe is more valuable and yeah, they have a higher profile? Like, what are your thoughts there?

Anthony Caruana: Look, I think everyone needs a plan.

Garrett O'Hara: Hmm.

Anthony Caruana: ... To deal with an incident. I mean, we're, we're a relatively small company, but we, we have a plan that says, here's how we're gonna communicate. If something goes [inaudible 00:14:41], you know, if our messaging platform disappears, here's what we're gonna do. You know, if it gets, if, if it's hacked, because you know, like everyone, we use a bunch of cloud services. If the cloud service goes down, we need a plan B. And this is almost, this is similar. It's just being prepared for whatever's gonna, you know, if something happens, what are we gonna do about it? And there's some things you can plan for. Well, look, when to talk about a plan, I think there's probably three key elements that you need to think about in terms of a comms plan during an, during an incident response. One is who are you gonna contact?

Right? And who's gonna know what? So for example, you might need to have a particular message that goes to staff. Um, and typically the kind of message that goes to staff is there is an incident in progress. We have a nominated spokesperson. If anyone contacts you, you, you need to deli- you need to actually refer them to the delegated spokesperson and not answer questions. Um, look what I, I was involved in a system incident once, and it was a very significant one. It had national repercussions and we literally had angry consumers and journalists banging on the receptionist door. We locked reception down, not just to physically protect the receptionist, but also to make sure that someone walking past didn't say something in anger or say something out loud that they ought not hear.

Garrett O'Hara: Yeah.

Anthony Caruana: 'Cause sometimes, you've been in incidents where there's a lot of thinking that goes on. There's a lot of thinking out loud. And the last thing you want is the thinking out loud to actually get outside the door as well while you're trying to work out what you're gonna do next. I mean, you obviously do need a comms plan for media. Um, and the comms plan for media may well be only if the media comes to you, 'cause you don't have to go to the media if something happens.

Garrett O'Hara: Hmm.

Anthony Caruana: Um, we dealt with a client recently who had a very significant breach. Um, and we had a media plan for them. Um, but we never used it. But it didn't mean it wasn't, it would the, it means they can use it next time because now they've got the plan. The challenge for that organisation was they got breached quite significantly, but they didn't have any plan on what to do for anything. Um, so you've obviously got staff media suppliers, customers you need to have plans in place because obviously now the way we look at supply chain is very different. And just because you didn't get, you, just because you got breached doesn't mean that your customers are immune or your suppliers are immune, or you may have been breached because of something that happened with one of them.

So you've gotta be able to have those lines of communication available and ready. Obviously you've got regulators; depending on the nature of the breach, you have to notify the Office of the Australian Information Commissioner, Privacy Commissioner and all those sorts of things. Um, there's speculation now that ransomware attacks are going to need to be reported. Um, and that's an interesting one because I think some of the draft legislation or drill, or some of the thought bubbles I've seen around that say that you need to notify within 24 hours or thereabouts.

Um, that would be very interesting 'cause I reckon most people in the middle of a ransomware incident are gonna be too busy dealing with the incident, rather than trying to work out which bit of paperwork to fill in for the government. Um, and obviously you may have to involve law enforcement depending on what's going on. So there's, you need plans for all of these. And with what plans you have will depend on what kind of industry you're in. If you don't have to talk to regulators, for example, you don't need to deal with, you may not need a law enforcement comms plan. You probably need one for customers and suppliers at a minimum to give them confidence that you actually have protected their information and that you will be able to continue trading.

Um, once you know who you're gonna contact, you're gonna know when you're gonna contact them. Like what are the trigger points for telling certain people what they need to know? And then you need to actually have how you're gonna contact them. Um, and you probably can't rely on email because if you've been pinged, you may not have an email server that you can access, for example. So you need to make sure that you've got multiple lines of communication available to you. And whether that's email or phone, I mean, that's the great thing about social. You, social becomes a viable conduit for communicating. Um, I know that during natural disasters now the various agencies in Australia use social media because it's able to scale way better than they are to deal with the tens of thousands of potential messages that they're gonna receive, and inquiries they receive. So it's, it's basic. Who, what, when?

Garrett O'Hara: So here's the question, as you talked through that, is there... In my mind, I'm, I'm building almost a logic flow chart of to your point, if this, if this then the, if that-

Anthony Caruana: Yeah.

Garrett O'Hara: Then this. [laughs] If I can get the word [crosstalk 00:19:10].

Anthony Caruana: If this and that?

Garrett O'Hara: Yeah.

Anthony Caruana: Yeah. You could probably, that's a good online service that you could correct called this and that.

Garrett O'Hara: I think that there might be. Um-

Anthony Caruana: [laughs]

Garrett O'Hara: But I guess the, the question here is though it's not one plan, right? Or maybe it's one plan with lots of choice points along the way. Because it depends to your point, if it's one machine cool, like that's one thing. If it's a whole organisation taken down, there's no way to communicate it. So that's another thing. Data breach first is you know, denial of service, but like there's so many different types of things.

Anthony Caruana: Yeah. Yeah. I mean, we did a comms plan for one of, for a very large ASX listed company, recently, a disaster comms plan. And we said, you've gotta take this disaster comms plan and you've actually gotta embed it inside your disaster or business continuity planning. So it's the start, it's gotta fit in with all of that as well. So can't be, you can't just execute it in isolation. But I mean, they have plans contemplate different scenarios or business continuity plans.

Garrett O'Hara: Yep.

Anthony Caruana: They contemplate different scenarios. So you have comms plans, you have a comms plan that integrates with those to, to complement those specific scenarios. I mean, when I've done business continuity plans, when I've been an IT manager in the past you know, I, I typically worked on scenarios that were like, what are the things that are gonna only hit us for half a day or a day? What are the things that are gonna affect us for a week? And what are the things that are gonna affect us for three, you know, for, for more than a week? You know, and we'll do and talk about that.

Is it system access is it physical building access and all of different? So I used to plan all those different scenarios out and then the trick is to go right now. I know what all my, I know what scenarios I'm anticipating from a business continuity or an incident response perspective. Now what are the comms that are gonna support those activities? So-

Garrett O'Hara: Yeah, definitely.

Anthony Caruana: It's, it's nuanced. It's, yeah. And it's cont- it's context specific, it's organisation specific.

Garrett O'Hara: And you've just talked about the comms, but then the people doing the comms are probably very important too. Like who are the people, who are the people who are best suited to that's sort of in the moment spokes person role. And does that change depending on what's happened, severity impact, et cetera?

Anthony Caruana: Look to a, to a degree, yes. It depends on the nature of the incident. There's basically two schools of thought on this. Um, and it becomes a bit of a you know, it's a bit of a thunder down do to decide which one you're gonna go without those two things. Um, you can either go with your established spokesperson. So an example of that might be, you might have, your CEO might be your primary spokesperson. Or it might be you might actually have a comms manager who becomes the primary spokesperson. Someone like that.

Um, all of that, those are viable options because they're probably media trained and prepared and they've, with some luck, they'll probably have rehearsed these different, some of these different scenarios, which is what they ought to have done. So that's your plan A, or a, that's plan one, if you like. Option two is you pick someone no one's ever met before. Um, and you, you effectively have a disposable spokesperson who comes in, does all the comms for that entire incident. And when your incident's over, they're never seen or heard from ever again, basically.

Um, now the bene- the, the, the benefit of doing that is your CEO will... Because if it's not your CEO or the regular spokesperson, they're not gonna be exposed to questions about that incident in future, 'cause they weren't the person on the spot during that incident. Or you keep it anonymous and you go, look, we have a company spokesman and a spokesperson and we put everything out via written statements. And we just say, attribute this to a, you know, GarrettO'Hara.com spokesperson or something like that. Um, to either, both approaches are valid depending on your organisation and what you wanna do.

But like, I'll give you an example. I interviewed the CEO of a, of a major retailer some, a few years ago now. And they'd been breached about three years before. And it's reasonable to say that the breach was not handled particularly well. Um, it was before we had breach notification or data, the data breach notification regime that we have today in Australia. And they didn't disclose the breach for about two or three years. In fact, they didn't disclose it until it was leaked and the media found out about it. So I asked him a couple of years after this had all happened, I asked the CEO of the organisation, so tell me about that incident. Um, you guys got pinged. What have you done since then?

And he went into complete defensive mode at that moment and said, "I'm not gonna talk about that." And he actually, he had a he had someone else on the phone with him and he threw them under the bus for the call. But that's the risk you take by having, if you've got an incident, that's the risk you take by having your, you know, one, your regular spokesperson out there all the time because they get asked. Um, but if it's someone else people tend to disassociate because it's not the same person.

Garrett O'Hara: Yeah. So it could kind of be a buffer in terms of the well, the questions, but also potential the personal level reputation of that, you know, the senior leadership within the organisation.

Anthony Caruana: Yeah.

Garrett O'Hara: They don't get to into the, you know, the breach comms per se. Yeah.

Anthony Caruana: Yeah. Look, I was involved in an incident some years ago where the CEO of the organisation ended up on the 7.30 Report and basically bombed the interview after this incident. And it did immeasurable damage to that individual's reputation, so much so that ultimately they were not renewed as CEO fairly quickly. Um, and ended up taking, having to, you know, effectively leave the industry not long after. Um, so it can have very devastating personal repercussions if you've got the wrong spokes- spokesperson.

Garrett O'Hara: I wonder, 'cause is there a role out there for like a stunt spokesperson? I could just smoke jump in, you know, do the, do the horrible delivery of all the, the bad news and then leave, you know, as a, as a contractor.

Anthony Caruana: Yeah. Look, look, maybe I, my, I think what you're really need to do is make sure that the, whoever you're put up, and it doesn't matter whether you're putting in a, a onetime spokesperson or your regular spokesperson in it, they've gotta do, they've gotta be ready. Um, this is why this is one of the things where we focused on media training so heavily at the beginning is so many spokespeople think they can just rock up and the magic will happen, and it doesn't just happen magically, you know? The, the reason the prime minister or what, you know, high profile politicians are able to get their messages across in the media out is because they've trained and practiced.

Like they've thought about what they're gonna say. They've said it in rehearsal many, many times so that when they say it, they don't have to think about it. Um, you know, it's one of, one of the things we do in our media training is we talk about taking people from unconscious, from conscious incompetence where they've got no idea what they're doing. They don't even know, it's not even that they don't know what they're doing. They don't even know what it is that they're meant to be doing, through to this stage where they've got unconscious competence, where stuff just happens mad- you know, it just happens naturally.

It's like watching me play tennis and watching Roger Federer play tennis. I'm on the far left hand side of the scale and he's on the other side where he just picks up the racket and whacks the ball and, and it happens. I pick up the racket and whack the ball and end up with a concussion. You know, it's, it's, it's that far apart. And prep- it's about training and preparation.

Garrett O'Hara: Yeah, definitely. Watching The West Wing at the moment and, um-

Anthony Caruana: Uh, love it.

Garrett O'Hara: ... That's one of the things that's fascinated me. Yeah. Is just watching the prep for the presidents where they, you know, they, they go off to Camp David and they literally replicate the, you know, the conferences [crosstalk 00:26:31].

Anthony Caruana: The [inaudible 00:26:31].

Garrett O'Hara: Yeah.

Anthony Caruana: [inaudible 00:26:34].

Garrett O'Hara: Try and catch a med and just keep on doing it and keep on doing it until, to your point, yeah, it's sort of second nature. And given, you know, like you've just kind of described a not complex, but like there's a reasonable amount of effort involved in prep potentially. And like, so where my head goes then is like crisis comms or, you know, that communications planning. Is that something you think organisations can kind of tackle themselves, like go into the post office for, you know, your last will, you fill out the template and away you go, you know, DIY? Or is that better left to kind of engaging those external organisations for that support?

Anthony Caruana: Uh, look, it depends on what you're talking about. For some things, for example, if you're talking about preparing communications for customers, suppliers, potentially for regulators, for staff, you can prepare those well ahead of time. Um, you know, we all go through that thing where if you're doing something you've never done before, you burn a lot of brain cycles getting ready for it and actually executing. But if you can simplify a lot of those things by thinking about them well ahead of time and preparing them, then you save yourself a bunch of time.

So, you know, an example is, let's say you suffer an extortionware attack, pretty common these days, where you get ransomwared and your data gets exfiltrated with the threat of publication. It's a pretty common threat these days. If you're a retailer, you should be ready for that. And you have a plan that says, if this happens, here is our customer communication that explains what happened and when it happened, and that your data has potentially been exfiltrated to some external source, however, it was encrypted. So the data's out there, but no one can access it. Assuming you've done the right thing and encrypted your data and all that sort of stuff.

So you can have those things ready, because the last thing you wanna do is be in the middle of dealing with the actual crisis of, you know, dealing with firewalls and people and all the other stuff, all that massive hive of activity. And the last thing you wanna be doing is drafting emails.

Garrett O'Hara: Yeah.

Anthony Caruana: Or letters. You know, 'cause you may have to physically do these as letters with 24-hour postage because you might not have email, you know? What's your plan? Have it ready, ready to go, so that you can push stuff out really, really quickly. Then be ready. You know, the more prepared you are, the less likely you are to make a mistake and send an email out with a typo or something like that. You know, sometimes it's just a grammar problem and it can create huge amounts of confusion.

Garrett O'Hara: Yeah, no, I definitely get that. Um, so like, it sounds like the recommendation is if you think about it far enough out, you can potentially tackle some of this earlier yourself and-

Anthony Caruana: Yeah.

Garrett O'Hara: And then, yeah. Like you're less reliant on those external engagements with companies like yourselves, I suppose, for-

Anthony Caruana: Yeah. And look, look, that's a part of what we do: we go into an organisation and we might spend a few days on this and say, right, here are the scenarios, and we will brainstorm what are all the things that could happen to your organisation. So it might be, I mean, there's some obvious ones, there's things like data breaches and ransomware attacks and DDoS and all that sort of stuff. But what are some of the other things, you know, what's some of the reputational damage, like a disgruntled employee takes over your social? Um, you know, we had that famous incident some years ago where the guy [inaudible 00:30:04] heads, who was a former employee, left himself some access to the system and reversed the sewage pumps.

Um, and pumped raw sewage into the streets, after he'd been let go by the organisation. You know, what's your scenario for dealing with the grumpy employee who's been fired summarily? You know, apart from the fact, as you mentioned, you've got all your good security controls in place so that doesn't happen.

Garrett O'Hara: Yeah.

Anthony Caruana: But what's your what if? What do you do with the disgruntled employee? What do you do? You know, we'd say to people, what do you do about Glassdoor reviews? Where disgruntled employees start mouthing off and giving up stuff about the organisation through Glassdoor anonymously? There's so many different things you need to think about, what's your response to them? And not all of them will have a media response or a customer response, but you need to have a plan that says, maybe your plan is do nothing. But think about the do nothing before you have to think about it under pressure.

Garrett O'Hara: Yeah. And the crises, I mean, they're different sizes. It's not all the end of the world. Some of them are definitely smaller. Um, like you mentioned reputation damage just then. Outside of that, you also mentioned earlier on in the conversation disclosure laws and, you know, the NDB legislation locally. Has that kind of changed the approaches to crisis comms plans at all? I mean, presumably now there's a regulatory requirement to kind of report certain things within certain timeframes, so I'm assuming it's kind of baked into many of them.

Anthony Caruana: I mean, the good thing about the OAIC reporting that people need to do, the Office of the Australian Information Commissioner, which is where the privacy commissioner lives. Uh, the good thing about that is that, even though the data gets reported, it's basically anonymous.

Garrett O'Hara: Hmm.

Anthony Caruana: Um, the only time it becomes not anonymous is when there might be a report there of 250,000 customer records getting breached, and everyone knows that they came from a particular store, from a particular business, because the story got reported as, you know, anthony.com got pinged, for example. Um, so some people can put the data together that way, but the data is largely anonymous. And the idea is to let people know what's going on, not necessarily to out people for doing the wrong thing. I think there's a really interesting element to disclosure in a crisis.

And that's that it doesn't have to be bad. We often think it would, 'cause the word crisis in itself brings a whole bunch of negative feeling.

Garrett O'Hara: Yep.

Anthony Caruana: Um, but if you look at what's happened in the world, organisations that have handled crises well have enhanced their reputation. Um, I mean, there's a great example we use, we've used this in a couple of presentations we've done at various conferences, but we talk about the difference between the Red Cross Blood Service's reaction to its breach, which was an amazing reaction. They were fast, they had accurate information. The CEO of the organisation stood up and said, "It's our fault. We are sorry." If you go and find the YouTube video of that press conference, she says sorry about half a dozen times. Like she unabashedly takes full responsibility for the incident.

Garrett O'Hara: Hmm.

Anthony Caruana: Now we've gotta remember that that incident was actually the result of an external third-party contractor making a mistake, for something that was in the public domain for, I think, only about 24 hours before it was discovered and taken down. The actual chance of damage to specific individuals was very, very low, but they were public, they were open about it. They explained what happened. They explained what they did about it. And they took responsibility. Contrast that with BP, right? This one's a famous case study. It's all over; you can actually go and look at academic journals about this case study. They had an oil platform fire some years ago, a number of people died.

There was massive environmental damage caused by oil leakage from the platform during and after the fire, a huge environmental and personal disaster. Um, the media pressure in that was pretty high, obviously. The CEO of the organisation snapped at the journalists and said, "You know what, guys, I'd like to get my life back." Um, which was an interesting reaction after several dozen people died. Um, and he was a bit concerned because he'd had a sleepless night. The other side of that was that they never took responsibility for it.

Garrett O'Hara: Hmm.

Anthony Caruana: They said, "Well, we lease the platform. So platform safety's not our problem," they're contract employees, so they're not our problem. There was no admission of what actually happened or taking responsibility for it. I mean, if something goes pear-shaped and the brown stuff hits the rotating blades, and it's on your watch, you're responsible. Doesn't matter who owned it. It doesn't matter what happened. If you're there, take responsibility: accurate information, timely delivery to the right people at the right time.

Garrett O'Hara: Seeing it. Uh, and I think not just for crisis comms, I think that message could probably apply so much more broadly in society, but that's a different podcast, I'm sure. Um-

Anthony Caruana: Yeah.

Garrett O'Hara: Yeah, look, I mean, we're kind of closing out here time-wise, but a couple of things I would be keen to get to just before we finish up. You know, one of the things is, you as an organisation, your, air quotes, bat phone rings, and people kind of call you when that brown stuff does hit the rotating blades, as you so eloquently put it. Um, so you're gonna jump in when the company's had an incident already, and I'm assuming that's more difficult to do, obviously, because you haven't got a prebuilt plan and everyone's kind of scrambling around trying to figure out what's going on.

And like, what's your experience there? You know, is there anything you can do, like, not you as in you, but an organisation there could do better if they are in that sort of situation where it's all going pear-shaped and they don't have a comms plan? What do they do?

Anthony Caruana: Look, the problem is, and we've literally had that situation happen not so long ago. The challenge is that the people involved are doing two things at once. They're trying to manage a communications program and they're trying to deal with a crisis. Um, and dealing with that crisis might mean restoring data. Um, finding out what actually was exfiltrated, for example. Finding out what the level of compromise has been, understanding how to stop it, 'cause often with a compromise, it might start and you'll detect it starting, but how do you stop it from continuing?

Like if you see one folder of data being exfiltrated off a box, how do you stop folders two through 500? You know, you're so busy trying to stop the problem that you may not actually give thought to how you've gotta communicate about the problem. So, I mean, preparation is always best. The companies that have thought about it and written something down, that's the best place to start. We've been phoned in where we're literally finding out, so you are from company X, what do you do? 'Cause we don't know every company in Australia.

Garrett O'Hara: Hmm.

Anthony Caruana: And there's several thousands of them. Millions, maybe. You know, we don't know everyone, so we need to actually find out: what is it that you do? What's your exposure? What are we talking about here? You know, where was the data? Was it in a box in a cupboard under the stairs? Was it a cloud service? Do you have your own data centre? Was it in a co-host location? You know, we have all these questions that we need to go and find out so we can understand what to talk about. Because the more we know about the organisation, the clearer the story can be, you know?

I can say, right, we're dealing with a family-owned retail business that, you know, has grown, has got 30 sites now, they're franchised, you know. Just having all that information beforehand makes a difference. 'Cause we can sit there and go, right, we know who we're talking about. We understand the exposures, we understand who they need to get in contact with. But when you're literally parachuting in in the middle, you know, I think of all those soldiers around the world who've had to parachute into, you know, highly militarised situations where things are going pear-shaped and they've gotta land on the ground and wonder what they're doing.

You know, we've gotta spend that time understanding that. And that makes it quite challenging.

Garrett O'Hara: Yep.

Anthony Caruana: But, you know, we pat ourselves on the back, we've never had anything go completely pear-shaped having done that. Um, but, you know, if you want to mitigate risk, at the end of the day, all the things you do in cyber, whether we're talking about crisis comms today or all the other topics that you've covered over the last, I'm not sure how many years you've been doing this, but it's been a while. Um, we're talking about risk mitigation. It is that-

Garrett O'Hara: Yeah.

Anthony Caruana: ... big topic all the time. What's the risk of your communications going pear-shaped? The best way to mitigate risk is by thinking about it and actually having plans in place.

Garrett O'Hara: Yep. I was definitely... So one last question. Um, one of the things I've kind of observed is the, I dunno, the frequency or the volume of stories that are hitting the news. Um, and I would say kind of mainstream media these days, you know, it's not just the kind of obscure IT and cyber websites or news sites. It's actually more broadly kind of everywhere. And um, with that, there's kind of a natural fatigue, I think, that comes along for the viewing population, people in our industry and outside of it. Um, so the question would be then, are people paying less attention? Um, or do you feel like maybe at some level they're getting used to what good looks like when it comes to crisis comms, and then they can spot when an organisation isn't kind of doing it well?

Anthony Caruana: Actually, it's really interesting. I think there's two sides to this. One is the fast-moving nature of today's news cycle can actually work in your favour, because there's always someone else tomorrow. There's always another story that can come and push you off the front page. Um, and that can work in your favour. Um, I mean, you know, I often say to people, the best time to have something go wrong is when Apple releases a new product. Um, and the worst time for something to go wrong is about two weeks after Apple's released a new product.

Because the news cycle quiets down and there's a gap. Um, so, you know, if you can organise your breaches around those sorts of things, fantastic. But it is, you know, the news cycle does move fast. And we talk to people in media training and say, look, when I started in the media and it was largely print, we would publish in print 30 stories a month. That would be a pretty big month for a magazine. 30 individual stories. Now, when I edited Lifehacker, the first time I edited Lifehacker, I was doing eight stories a day.

Garrett O'Hara: Yeah.

Anthony Caruana: Um, the last time I worked on that publication, I was a contributor and I was only doing four stories a day. And we were publishing, there was a fresh piece of content every 30 minutes on that site.

Garrett O'Hara: Yeah.

Anthony Caruana: And that was one of five sites in the family. So that was a huge amount of content going through. And you sit there and go, well, wow, they're churning through the stuff, but it also means that bad news disappears quickly unless it keeps on giving. Um, and by not extrapolating, not exaggerating, sticking to the facts, what you wanna do is become boring. So you get pushed off the page.

Garrett O'Hara: That sounds like the absolute new Yoda quote to end the conversation on: "Be boring enough to be forgotten when it comes to crisis comms." I love it. Um, Anthony, thank you so much for taking the time. It's been a really awesome conversation. I've definitely learned a lot, so we very much appreciate it.

Anthony Caruana: My pleasure. Thank you.

Garrett O'Hara: Thanks so much to Anthony for joining us for that conversation. And as always, thank you for listening to The Get Cyber Resilient Podcast. Jump into our back catalog of episodes and like, subscribe and leave us a review. For now, stay safe. And I look forward to catching you on the next episode.
