cyber risk

In June this year, the response of two Australian organisations to cyber breaches highlighted the importance of quick and clear communication to stakeholders and those affected.

When the Australian National University discovered 19 years’ worth of data had been illegally accessed, a personalised email from the vice chancellor, Professor Brian Schmidt, was sent to everyone impacted. Straight away they knew the score and what to do next. When the personal records of 139 million Canva customers were breached, customers of the Australian graphic design platform learned about it only if they read past the first paragraph of a marketing blurb.

“Not good enough,” says Annabelle Warren GAICD, founder and chair of Primary Communication, a major Canva user. “The letter they sent out ... it didn’t take the customer view — and the customer wants to know what has happened, what can I do about it, what is the likely impact. It took them three days to put out a second email that was crisp and clear about what needed to be done.”

Following its communications misstep, Canva handled the breach well. It hashed passwords and even alerted the US Federal Bureau of Investigation, but it’s the misstep people remember — a misstep Australian directors need to learn from.

Australian businesses are facing “significant” data breaches and cyber attacks at a rate of about three a day. The nation’s Notifiable Data Breaches (NDB) scheme turned one year old in February 2019. In the year to the end of March, 964 significant breaches were reported to the Office of the Australian Information Commissioner. There are literally millions more cyber incidents affecting business that don’t reach that “significant” threshold, but still have an impact on operations.

According to the Accenture Cost of Cybercrime Study, cyber attacks and data fraud are two of the top five risks facing businesses worldwide as identified by the World Economic Forum. The report reveals that the number of security breaches an Australian business faces in a year has risen 18 per cent to an average of 65 in 2018. Some organisations will endure far more and some many less. But data and cyber breaches are on the rise.

According to Joseph Failla, Accenture’s security lead in Australia and New Zealand, some directors are playing ostrich. “A lot say ‘nothing has happened to us so we’re OK’ or ‘I have Billy in IT, he’s my security guru and he’s saying we’re OK’. But it’s not a matter of if, it’s a matter of when — most of you may have already been compromised.”

Security questions

  • What is the value of your data?
  • Who has access to data?
  • Who is holding data — is it in the public cloud, private cloud, on the premises?
  • Who is protecting the data?
  • How well is your data being protected?

Failla says Australian businesses spend too little on cybersecurity. “The industry norm is that seven to 10 per cent of the IT budget should be allocated to cybersecurity. A company with $50m turnover may have an IT budget of $1m–2m, so 10 per cent is $100,000–$200,000 of allocation — that might be just the salary for one resource.”

But cybersecurity skills are notoriously difficult to find and keep. Electronic conveyancing service Property Exchange Australia (PEXA) did find a well-credentialed security lead in Craig Brown, who was made head of IT security in 2018. A few weeks after he joined, the company faced its own security nightmare when it identified a fraud that saw funds intended for one account directed to another.

Although its digital systems had not been compromised, its security had. PEXA has more than 8000 lawyers, conveyancers and financial institutions that use the network, and has transacted more than three million property transactions worth more than $464m at time of writing. Following the fraud, management swung into action, keeping the market informed and ratcheting up its security.

Brown says the lessons are clear. “Everybody will get breached whether small or large and it will happen many times. The way you handle it as a board, that’s the preparation and discussion you need to have and you can’t have that discussion under duress. You need to have that discussion and have decisions documented prior to this occurring.”

Critically, directors need to be aware of what data is stored, where it is held, how it is protected, who has access to it and what legal aspects surround it. This is a particularly acute consideration for any business that engages in Europe, where the General Data Protection Regulation came into effect in May 2018.

Australian entities that collect, store or use personal data of Europeans (including UK citizens post-Brexit) must protect that data properly or risk fines of up to €20m or four per cent of revenues. If a breach occurs, the company has just 72 hours to alert the relevant European authorities. Any doubts that non-European firms were included were dispelled with a fine of €110m against US hotel chain Marriott when the personal records of 339 million of its customers were hacked.

That’s why all directors must understand exactly what data their systems hold, how it is protected, and whether they are insured to ensure business continuity and support cyber remediation.

“You need an understanding of what are your legal obligations regarding the breach. The way to run through those is through tabletop scenarios,” says Brown. This allows executives and the board to understand the possible ramifications of a breach.

“My recommendation is to start, do it very small and monthly, then build up to bigger scenarios over time,” he says. “There’s more to think about than just how you lost data. Does my media team know how to respond? How does the company want to address this? Who will be the spokespeople? And then the safety of employees, companies — if there are funds lost there could be risk to those people — do you need to move to another building, lock that floor down, stop wearing company logos?”

This could be important if victims of data breach sought revenge.

Blue colour banner to Cyber for directors course

Cyber crisis communications

  • Find a lawyer who understands customers and people, not just the law. Make sure you have a communication response, not just a legal response.
  • Make it an interactive response — set up call centres, email and social media.
  • Ask for questions and provide clear advice on what you are doing and what you ask your customers to do to protect themselves.
  • The level of communications indicates how seriously you take it, but don’t sacrifice responsiveness. The speed at which you do something is very important.
  • Role-play a scenario by turning off the computers and seeing how the organisation operates.

Annabelle Warren GAICD, chair Primary Communication.

Prep, plan, train

Darren Kane GAICD is the chief security officer at NBN Co. He stresses the digitisation of the global economy means few businesses can expect to remain immune to a cyber breach and must prepare for the inevitable. “The first thing is, the board must understand their role in that response,” he says. “Second, it’s about trusting the process. The board has to understand there has been preparation, planning and training done by your business continuity and crisis management team.”

Directors of smaller companies or not-for-profits without a dedicated team should ensure management has addressed the issue directly, says Kane. “The board should revisit that every six months so they are familiar with the process and trust in it.”

Kane says when a breach occurs, communications to customers, stakeholders and regulators need to be transparent and honest. “If you try to hide the details, people know anyway,” concurs Brown. “Things get out there on the deep web and suddenly you’re being asked to explain why you haven’t brought this up earlier. You don’t have to give away all the details, but don’t try to deflect blame. And if you’ve leaked people’s information, they have a right to know. They trusted you to hold that information and you must return that trust.”

Kane says preparation is critical. “Sometimes I see it done incredibly well and it’s clear scripting and training has been in place. But sometimes the thing goes off piste where they have a difficult question,” without a satisfactory or credible response.

There are words directors and management need to avoid entirely, says Phil Kernick, chief technology officer at the independent information security consultancy CQR Consulting. “‘We take your personal safety and cybersecurity seriously’ — that’s how they all start and they all lie because if they did we wouldn’t be here.”

According to Kernick, Australian directors are more fortunate than their overseas peers who are more exposed to class actions following a cyber breach. “In California, companies are getting class actions thrown at them every time there’s a data breach and directors are personally on the hook.”

He suggests directors view their company’s data through a different lens — considering it as toxic waste that could escape rather than a trove of value. That, he says, gives a clearer perspective about data risks to which the organisation and its customers could be exposed. “More and more our lives are wrapped up in cyber identities and they can get just as injured as we can in an industrial accident,” he warns. “It could take longer and be more expensive to resolve than an industrial accident. Directors need to see cyber in terms of its impact on corporate governance, audit and financial liability.”

Property valuation company LandMark White’s (LMW) recent cyber breach experience, which exposed PDF documents detailing property valuations and contained personal information, provides sobering lessons. Many clients suspended their relationship with LMW. In response, the company suspended its shares from trading on the ASX from February until May, and again in June. A report in The Sydney Morning Herald in early June quoted LMW chair Keith Perrett as saying that unless it was able to satisfy customers its systems are safe, “the constant attack on us will ultimately bring the company down”. By the end of June, it was a little more confident. Although revenues had been reduced by $6m–$7m because of the breach and there were significant costs to upgrade cybersecurity, it was hoping to return to profit in the second quarter of 2020.

Personal impact

Warren says it’s not just the technical side of the house that should concern directors. “One of the key groups to be considered is the actual people in the organisation and your contractors,” she says. “A lot of the reporting is of external breaches, not internal breaches, which is often most likely driven when people are leaving an organisation and taking customer data with them. What directors are really struggling with is ‘what do I report?’ Culturally, we’re starting to move from exception reporting to something that will become culturally very normal.”

Data breaches will still have a massive human impact says PEXA’s Brown. “If you look at this when the incident occurs, it’s a short-term technical problem, but a long-term personal thing. The impact to the people, that’s the thing you have to be aware of and address.”

A year after the PEXA fraud, he says, “There is a level of post-traumatic stress that occurs. I still feel it today. If someone rings and says there is an incident, it can bring up a lot of emotion.”

James Turner, managing director of Ciso Lens, a forum that brings together leading security executives working with large Australian organisations, says directors need to, “expect the incident to happen, expect not everything to be perfect, expect it to happen at a not convenient time. Do that scenario planning”.

Turner recommends directors familiarise themselves with the Essential Eight steps associated with improved cybersecurity as advocated by the Australian Signals Directorate. “When it does happen, you can tell the ones who have done the thinking versus those blindsided by it,” he says.

Australian Information Security Association (AISA) and the AICD have formed a valuable partnership aimed at developing directors’ understanding of their roles and responsibilities in governing data security. This partnership will see the AICD release a range of director tools and webinars later this year. AISA’s 2019 Australian Cyber Conference features local and global thought leaders providing insights to help business better understand current threats and meet emerging challenges. Melbourne, 7-9 October.