I recently had the pleasure of speaking at the Mimecast Connect roadshow held in Melbourne earlier this year - feel free to watch the presentation in full here. By discussing the challenges of ransomware and the regulatory changes on the horizon, I hoped to highlight how important it is to look at cyber resilience holistically. Data breaches and cyber-attacks are not just the IT department’s problem any more. They impact every aspect of an organisation, and how a company responds to an incident can have far-reaching operational, legal and financial consequences.
All organisations are data-driven organisations now, and big data puts some big responsibilities on our shoulders. Companies, no matter their scope and size, can and will be held accountable for their data practices, and having multi-dimensional policies governing the use of that data can protect you from a multitude of liabilities should the worst happen.
Being prepared for a data breach
Data is arguably one of your company’s most valuable assets, and it’s safe to assume that at some point, you will suffer a data breach. It could be due to human error, it could be cyber criminals; the point is, your data will be compromised. What’s your response plan? Does your company even have one?
I am always shocked at how many companies don’t have a documented response plan in place. Even tech companies, who should know better, are often trucking along without one. In business terms, that’s like driving down a freeway at night with no lights, no seatbelts, and your eyes shut. Sure, you haven’t crashed yet, but chances are high you’ll be in the news tomorrow.
Preparation is everything, but with all the different stakeholders involved, putting a plan together can feel overwhelming. Where do you start?
Make sure your legal ground is covered
Your legal team is a good place to start. They are skilled in navigating the complexity of your regulatory environment, know how to manage diverse stakeholders, and can help you sidestep the enormous costs and time that typically come with a data breach.
It’s a good idea to bring onboard an IT forensics team appointed by your lawyers. That way, any findings of a cyber incident will be protected by privilege, and your legal team can advise you on what to disclose and to whom.
Keep your communication partners briefed and ready
Communications will be key to effectively manage the crisis and protect your business reputation. You’ll need tailored comms for different audiences like shareholders, employees, customers and the public. For business resilience, make sure both your employees and customers have tried-and-tested alternative communications channels available to them.
As soon as news of a breach breaks out, the media pressure will pile on quickly. Before you go out and respond, get the help of crisis PR specialists. These people are experienced in handling crises like this and know exactly how to handle media enquiries and public statements without risking your reputation.
For maximum effectiveness, always get external PR and IT forensics teams. While it may seem convenient to keep these functions in-house, internal groups will have an incentive to minimise their accountability and may downplay the full consequences of a breach. The appointment of independent advisors is usually a good message for interested regulators and concerned customers.
Do NOT give in to ransom demands
If you’ve been hit by a ransomware attack, it can be tempting to just pay off your attackers and get back to business, but that’s a risky idea. Firstly, there is no guarantee that paying them will restore your data. Secondly, it may actually be illegal. Again, this is where your legal team can advise you on your options.
Make sure you’re meeting your compliance obligations
Keep in mind that attacks may not be targeted at you specifically. An attack on a vendor or business partner can also affect you, especially if you share your data with them. Again, it’s better to get legal advice on your obligations in case they are attacked, even if you haven’t been directly affected (to your knowledge).
Remember, if a third party interacts with your data, you are still responsible for how they use it and what happens to it. After all, it was YOUR data they were using, so compliance obligations may extend to you.
We also need to be clear on data breach notifications. Your legal team can advise you on what you need to tell the privacy commissioner, when to inform your customers and what exactly you should share with them. Some customers may submit data access requests, and you will have a limited time frame to honour their request. Again, turn to your lawyers for advice.
To learn more about how the recent changes in Australian privacy laws and data breach notification obligations could affect your business, check out Jim’s book “Big Data, Big Responsibilities: A Guide to Privacy & Data Security for Australian Business.”