Cybersecurity crisis: ready or not?
It’s an open secret in the world of cybersecurity: if your business is attacked, you pay. Either in a loss of trust, reputation, or revenue. Recovery can also be very costly.
Ransomware – a form of malicious software that encrypts an organisations IT systems and data until a ransom is paid – is now the biggest cyber threat to Australian businesses and government.[1] Cyber-attacks are no longer a question of if, but when, and those who believe themselves too small fry to be of interest to cybercriminals are in for a rude awakening. After all, if you have nothing of value – why are you in business?
Whilst attacks have increased by 60% in the last year[2], ransomware and cyberattacks are not a new phenomenon. For years now, Australian entities have been quietly paying hackers millions of dollars. This is against expert advice, which points out that like any ransom situation – there is no guarantee of return upon payment. Yet for many businesses, it’s a question of risk. The Australian Cyber Security Centre assists an average of six entities per day in responding to cyber security incidents. Some incidents can take weeks, even months to resolve, and in today’s fast-paced world the operational, reputational, and time costs of an attack are greater than even the most extortionate ransom.
Some 95% of CEOs cited cyber risks as the top threat to growth this year, up from 86% last year.[3] Despite this, corporate Australia is woefully unprepared. This year’s Fortinet Networking and Cybersecurity Adoption Index revealed only 29% of Australian organisations felt highly prepared for an IT security threat, and just 36% of businesses said they had complete transparency around risk vulnerability.[4]
Where to next?
Australia currently lacks a mandatory reporting scheme for those hit by ransomware, so costs are hard to quantify, but industry estimates have previously placed them as high as $29 billion annually.[5] This represents approximately 2% of our GDP.
Considering the scale of the problem, politicians and industry leaders alike have pushed for regulatory changes. Some have argued for mandatory reporting, others the criminalisation of ransom payments. Most importantly for company directors, however, is a proposal floated by the Federal Government which would see directors held personally liable for cyber-attacks. These extra responsibilities would be like those already existing for workplace health and safety and will be further investigated in a government discussion paper on cyber-security reforms.
It’s an understandable position to take. A corporation’s tone on cyber-security is set from the top, and the days of cyber considerations being left to a Chief Information Officer and the technical team are over. Directors need to decide how they will manage tensions between usability, security and cost in advance, so that when an attack comes, the organisation is prepared.
Levels of cyber-preparedness are a mixed bag in corporate Australia, and it becomes rapidly apparent who has been systematically preparing, and who is forced to improvise once the worst happens.
Case Studies: Toll Group and the Nine Entertainment
How a company communicates once attacked is key to maintaining trust and failing to communicate effectively can have serious reputational impact. This is particularly evidenced by the ways both the Toll Group and the Nine Entertainment communicated to customers in the wake of crippling cyber-attacks in 2020.
Approach One, Toll: Open and Honest Transparency
In February of 2020, Toll was hit by a ransomware attack known as ‘Mailto’ or ‘Kazakavkovkiz’, which forced the company to take down numerous delivery and tracking systems and left it unable to tell customers where their parcels were. Toll openly admitted to the attack and released details to suppliers of the impact. It did not pay the ransom and declined to say just how much was demanded. The company went on to experience over a month of costly delays. It was attacked a second time in May the same year with a fresh piece of ransomware known as Nefilim.
While many of the major companies working with Toll declined to publicly comment on the incident, there was a palpable sense of frustration at a perceived lack of timely and honest communication. Importantly, two major partners – Telstra and Optus, were forced to take their business to Toll’s rivals to meet customer expectations. Many frustrated individuals took to social media to vent their frustrations, particularly over the fact Toll’s customer service line provided minimum information and made promises about deliveries that ultimately went unrealised.[6]
Approach Two, Nine Network: Radio Silence
In a total reversal of Toll’s strategy of open transparency, Nine Entertainment kept the details of its cyber-attack, which temporarily prevented Nine from producing its news and current affairs content, a secret. Indeed, it refused to answer even the most basic questions of who, what, when, where or why.
There are a few reasons a company may choose radio silence over transparency. It could be done to avoid being seen as boasting about defences, which would then create a sense of challenge for hackers. It could also be to avoid provoking attackers into a second hack in retaliation for naming and shaming. However, non-disclosure has several unfortunate consequences, and is frowned upon by industry. This is largely due to the fact it prevents other organisations from learning about the latest vulnerabilities in widely used systems like Microsoft, which is used by Nine.
There is also a significant culture of victim blaming within the industry when it comes to cyber-attacks, which further incentivises non-disclosure. However, it undoubtable that the ensuing information vacuum only makes life harder for consultants, cyber experts and responsible hackers trying to get a handle on the problem.
A company’s reputation is one of its most valuable assets.
A company’s reputation is one of its most valuable assets. It touches everything – from growth, to revenue, to employee retention and recruitment. It’s also fragile, and once broken, can take years to rebuild. One reason cyber-attacks can be so damaging is due to the theft of stakeholder information – meaning the damage of the incident extends beyond the internal, creating a reverse halo effect. This has resulted in tangible detriments for companies who fall prey to hackers. Many who have been subjected to an attack have been hit with shareholder and customer lawsuits. Further, after Target revealed a breach that leaked information on close to 110 million customers in 2013, its sales dropped 4%, its profit plunged nearly 50%, and the CEO resigned.
Which leaves the question – what to do in the event of a breach?
Crisis Responses
There are four stages of any crisis: risk mapping, preparation, response, and recovery. The first two occur prior to a breach and go a long way to ensuring that should the worst happen; you’re not scrambling for a solution.
Risk mapping and developing a risk register is essential and straightforward. Employing a consistent ‘cause and effect’ lens across the risk register helps to clarify the critical stakeholders, the size and nature of the impact on them and their behaviour and the resulting business outcome.
Once this audit is complete, you should have a decent idea of where your company’s current cyber security sits. From there, you can pull together a crisis communications and process manual, including the composition of your crisis team, escalation processes and call trees, as well as internal and external communications protocols. You will also be able to draw together a training manual that educates employees on the basic tenets of cybersecurity, and scenario-based learning.
Now you’re ready to respond. Courtesy of the crisis manual you’ve pulled together, you can now activate your crisis capabilities, conducting real-time analysis as the breach unfolds with the correct decision-making support. It’s important at this stage to keep all internal stakeholders updated as the situation unfolds, and whilst keeping phone lines open is important, regular email updates may be more efficient. You should be as transparent as is commercially sound – collecting information about how the breach happened and what information is lost or corrupted.
After an attack, conducting reputation research and tracking is vital so you can understand the state of play. You should expect to have some uncomfortable conversations with both internal and external stakeholders and be prepared to accept backlash. Drawing together a strategic recovery plan should be your first priority, followed by an analysis of how the breach occurred, and what future learnings are that you can glean from it.
Be Prepared
As technology accelerates and business evolves, the threat of cyberattacks will only grow. No sector is immune, from transportation and logistics to media and entertainment – every business has its incentives for hackers. Regulation is now playing catch-up, with the Federal Government considering making company directors liable for cyberattacks, and boards should be prepared for this shift in responsibility. Ultimately, the best way to ready yourself for an attack is to be pre-emptive by understanding the threat environment, having a good workplace culture around security, and planning for the worst.
[1] https://www.cyber.gov.au/sites/default/files/2020-09/ACSC-Annual-Cyber-Threat-Report-2019-20.pdf
[4] https://go.fortinet.com/apac-lp-anz/networking-cybersecurity-index-report
[6] https://www.afr.com/technology/toll-faces-customer-fallout-after-cyber-attack-20200214-p540s2