Securing Australia’s cyber future Part 3: why incident response is every team’s responsibility

Breaches leave organisations in a very tricky position. Respond the wrong way, and you’ll give attackers the time to wreak more damage.
Leave your customers panicked and at risk of scams, and alarm shareholders and markets. Mistake can pile on mistake in a cycle that may even be terminal. But if your response is well-considered and planned out, you can protect shareholder value, reassure customers, regulators and your own board – not to mention set the stage for better cyber resilience.

The recent wave of breaches contains plenty of lessons 

This year has seen more major breaches of Australian organisations than ever before. Optus, Medibank, Vinomofo, MyDeal and EnergyAustralia are among the household names to have been hit. A combination of stolen credentials, API vulnerabilities and poorly secured testing platforms has been blamed. The impacts of the biggest incidents are enormous, with millions of customers’ data compromised.

Medibank has predicted that its hack is likely to cost it a minimum of $25m or $35m. That figure does not include customer compensation, legal or regulatory costs. Indeed, the Optus breach shows how the long-term customer management side of incident response can be a gargantuan undertaking – the company has set aside $140 million for a programme of customer actions, including an independent review, third-party credit monitoring and the replacement of identification documents. These costs make it even more crucial that organisations manage the aftermath of a brief as effectively as possible.

Incident response starts with preparation 

An incident may blindside you, but you should always have a plan to fall back on. An incident response plan gives cybersecurity, IT and comms teams practical steps to follow in the event of a crisis. Building a plan will involve reviewing key threats and responses, specifying who is responsible for individual tasks or decisions and managing regulatory concerns. The plan should be signed off by separate departments – including communications, your legal team and the C-suite, well before a breach actually happens. But you can’t just clock off once you’ve made a plan: training needs to be ongoing and policies must be regularly reviewed based on internal changes and shifts in the threat landscape.

A good incident response plan won’t just help you manage a breach: it will shape the way the incident is framed by the media and regulatory bodies. After the Optus breach, some observers praised the company for its “swift actions”, with Phillip Ivanci of automation and security giant Synopsys saying, “The fact their CEO was able to provide initial details and a public statement seemingly within hours on a national public holiday means that Optus must have a well-established, and well-practised, incident response plan."

Clear communications are vital 

There’s a temptation to leap into action without thinking after a major incident. “The first thing you do in a crisis,” says Media-wize CEO Anthony Caruana, “typically makes things worse.” Rather than having “a stab in the dark”, Caruana advises taking a breath, and sticking to your plan.  

Misleading public announcements, for example, can be more damaging than silence. Following its mid-October breach, Medibank at first announced only a “small cyber incident” with “no evidence that customer data has been accessed”. Then, on October 27, Medibank said nearly 4 million customers’ data had been compromised. We now know almost 10 million customers are affected, with the hackers leaking Whatsapp chats that appear to show negotiations with Medibank’s CEO.

There’s no perfect approach here, and Medibank did underline that “our investigation is ongoing”. But by going public with partial news, the company muddied its messaging – and may have sowed doubt in the minds of customers and shareholders.

While external communications are usually developed and managed by the Comms team and delivered by the executive team, the reality is they can only communicate what they know up to that point. This is where swift investigation from the cyber team becomes critical to providing fast and accurate information to key stakeholders, who are then in a better position to develop clearer messaging.   

Building muscle memory helps crisis management 

Your decision-making will be clearer if you have worked through possible scenarios. One Mimecast Advisory Board member notes the advantage in training with other departments, and making exercises as real as possible.  “Our communications team is involved in the overall strategy,” they say, “but historically it hasn’t been taken seriously enough. Breach tabletops should be practised so often that they becomes muscle memory, rather than something that sits in a document.”

Identifying the exact nature of the incursion is vital. Firewalls and intrusion detection systems can provide monitoring, with Security Information and Event Management tools able to combine and analyse data in real time, helping reduce the time before detection, and AI playing an increasing role in detection and response.  But you’ll need skilled staff to crunch and document the results, and depending on the size and expertise of your team, this may be a time to call in third-party specialists.

Shutting down, wiping and rebuilding systems can be an enormous job and, if customer data is involved, regulatory bodies may need to be involved. Optus has had to rebuild its entire customer database, comprising 20 terabytes of data. If you know your systems, and are clear on the steps and responsibilities in the event of an incident, you’re more likely to be able to act decisively and limit these costs.

The questions will keep coming – have the answers ready 

If you’re breached, you may need to inform your customers, the OAIC, the public and your insurers. Discussing different scenarios and planning your response to customers in advance is an integral part of any plan. You may decide that you will always reject ransomware demands (as Medibank did), but you should also play out possible actions if criminals start leaking your data in response.

Communications around breaches are never easy. While aspects of Optus’s response have been praised, the company has also been criticised by Home Affairs Minister Clare O’Neil for suggesting the attack was “sophisticated”, when current signs point to a blunt-force attack on an unauthenticated API. Stating your case in public is one thing, but being honest and owning your mistakes may go down better than excuses.

Learning and preparation are the bedrock of crisis management 

There’s no magic bullet for every crisis, and the recent wave of breaches have shown a number of different approaches from the companies affected. A Mimecast Advisory Board member suggests that these incidents can be crucial for learning. “The Optus situation wasn’t handled well,” they say, “but it helped to get us to review our strategy. Now that we know what bad looks like, we can benchmark ours and see where we can make improvements.”

CISOs and boards should take this moment to review their incident response plans and roleplay different scenarios. If the next breach is your own, take a deep breath, and rely on the preparations you’ve made. They could make a big difference to your customers' data and your bottom line – not to mention your stress levels – as the storm breaks around you.