Cyber resilience is an important and evolving concept. It refers to the introduction of cyber security practices that help to protect businesses from a cyber-attack, together with an organisation's plans, capabilities and readiness for how to respond to a cyber-attack or data breach event.
Depending on the size and scope of the attack, businesses may suffer significant reputational and financial damages from a data breach. And with new federal notification laws in effect, businesses struggling to deal with the aftermath of a data breach have added regulatory burdens to address.
In an age where the click of an email link can threaten an entire business, these steps are critical:
1. Prepare a cyber resilience framework
The first step is for businesses to accept that developing cyber resilience and cyber security capabilities are a vital part of doing business. This also includes the development of business continuity plans to detail how a business will continue to operate if a serious IT related incident occurs that impacts the ability of a business to trade.
Cyber resilience like the identification of risk and devising appropriate mitigation strategies is something that should be prioritised by all facets of a business (including the Board). It is important that businesses take a keen interest in developing and periodically reviewing cyber resilience systems that cater for their circumstances.
There are a number of resources available to assist businesses to increase cyber resilience and to develop frameworks to suit their own business.
The ‘Essential Eight’ summary released by the Australian Cyber Security Centre is a useful resource for organisations looking to assess their current IT systems and to identify changes that could significantly improve their level of protection.
Other excellent resources for businesses looking to develop their own frameworks include Appendix 1 of the ASIC ‘Cyber resilience: Health check’ guide (https://asic.gov.au/regulatory-resources/find-a-document/reports/rep-429-cyber-resilience-health-check/) and the National Institute of Standards and Technology ‘Framework for Improving Critical Infrastructure Cybersecurity’ (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf).
2. Look after your customers and staff
Businesses have legal obligations to take reasonable precautions to protect the security of personal information provided by staff and customers.
As people start to value their data more and to take their digital footprints more seriously, consumers and staff will expect businesses to genuinely care about protecting their personal information, and to invest in systems and adopt a corporate culture that reflects this objective. This may mean going beyond the current legal baseline. The wider public who entrust organisations with their personal data will be more trusting of businesses that demonstrate a strong desire to protect that data, rather than being blasé about data protection and focusing more on data analytics and exploitation.
3. Test your network
It is important that businesses arrange for regular testing of the robustness and integrity of their IT platforms by reputable IT companies.
The Federal Government is providing grants of up to $2,100 to small businesses (less than 20 employees) in the 2018/19 financial year to co-fund the introduction of measures to increase cyber security.
Businesses with an IT presence should regularly update anti-virus software and introduce a system for security patching, the testing of IT platforms and the investigation of any malicious activities.
4. Don't break the law!
We encourage businesses to regularly monitor their compliance with important legal obligations (including those under the Privacy Act), which require privacy policies and privacy collection statements for businesses that collect certain information from individuals. Businesses should also prepare and adopt a data breach response protocol to outline the organisation's plans if a data breach event occurs and to ensure that their website terms and conditions are also reviewed and updated to meet current requirements.
5. Use multi-factor authentication
Multi-factor authentication provides an additional layer of protection for private accounts and requires a user (or a hacker) to enter a password together with a code (usually sent to the user's mobile phone) to gain access to an account. If a user's password details are compromised, multi-factor authentication will prevent any malicious access to private accounts unless access to the user's mobile phone has also been compromised.
Multi-factor authentication is particularly important for email accounts that are used to open accounts with other websites. Often the ‘forgotten password’ settings in those platforms will send a password reset link to your (compromised) email account, potentially giving a hacker control of a broader range of information.
6. Be suspicious of emails
Not only can emails harbour potentially malicious payloads; the seemingly innocuous text of an email can also present a security risk. By far the safest way to protect yourself from email scams is to be sure of the sender's identity, which means checking the sender's actual email address (not just the display name) to make sure the communication is from who you think it is. If you are suspicious about the legitimacy of an email you receive, you can also find the IP address of the sending server (see how to view it at https://www.lifewire.com/how-to-find-email-server-ip-address-818402) and look up who that IP address belongs to (https://www.whois.com.au/whois/ip.html).
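The sender checks described above, as an added example that is not part of the original article: a small Python script that parses a constructed sample message with the standard library, compares the domain in the visible From address against the Return-Path and Reply-To domains, and pulls the originating server's IP address out of the Received headers (the hop list is constructed; the domains and addresses are reserved test values, not real ones).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email). The visible From domain
# differs from where bounces and replies actually go, which is a common
# sign of a spoofed or scam message.
SAMPLE_EMAIL = """\
Received: from mx2.example-corp.test ([198.51.100.7]) by mail.example-corp.test; Mon, 1 Jan 2018 10:00:00 +1000
Received: from relay.mail-sender.test ([203.0.113.45]) by mx2.example-corp.test; Mon, 1 Jan 2018 09:59:58 +1000
Return-Path: <bounce@mail-sender.test>
From: "Example Bank Accounts" <accounts@examp1e-bank.test>
Reply-To: <accounts-reply@mail-sender.test>
To: <staff@example-corp.test>
Subject: Please verify your account

Click the link to confirm your details.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyse_headers(raw):
    """Summarise who an email really came from and flag mismatches."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))

    # Each mail server prepends its own Received header, so the last one
    # listed is the hop closest to the original sender.
    received = msg.get_all("Received", [])
    hop_ips = [m.group(1) for m in map(IPV4_IN_BRACKETS.search, received) if m]

    warnings = []
    if return_path_domain and return_path_domain != from_domain:
        warnings.append("Return-Path domain %s differs from From domain %s"
                        % (return_path_domain, from_domain))
    if reply_to_domain and reply_to_domain != from_domain:
        warnings.append("Reply-To domain %s differs from From domain %s"
                        % (reply_to_domain, from_domain))

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "from_domain": from_domain,
        "origin_ip": hop_ips[-1] if hop_ips else None,
        "warnings": warnings,
    }
```

The returned `origin_ip` is the value you would then look up with the whois service mentioned above.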
7. Use advanced passwords and keep them a secret
Having a strong, hard-to-guess password is one of the simplest methods you can use to stay safe. It doesn't take a hacker long to get into an account when the password is ‘Password123’. Nor does it take long when a password is kept on a sticky note under a keyboard. The best password is long, unrelated to any personal information, not written down and unique. Remember to use different passwords for different accounts.
8. Staff training
Educating staff on the importance of cyber resilience, and training them on minimum IT and data-handling protocols and on the practices to avoid, is a crucial step in protecting a business's systems. Training can include building awareness of some of the tricks used by hackers to gain access to an IT system, such as approaches from seemingly trusted sources prompting a user to click on a link, open an attachment or enter password details. Other well-known social engineering techniques include leaving USB sticks in the vicinity of a target business in the hope that an unsuspecting staff member will plug the device into the work system.
Staff training also demonstrates a business' commitment to complying with federal privacy legislation. In an IT context, administrative privileges should be restricted to key staff.
9. Run checks on email accounts
Various platforms exist which allow you to check if your email account has been compromised in a data breach. See for example www.haveibeenpwned.com, which also allows you to receive notification if at any time your account becomes compromised. A business could elect to receive notifications if any employee email account has been compromised.
10. Regular back ups
As well as frequent testing and the adoption of current security protocols, businesses should also adopt a system where data is regularly backed up and securely stored. This may include the use of cloud computing solutions, provided the cloud computing service provider has a proven track record of providing a secure data management service and agrees to abide by the Australian Privacy Principles.
Regular back-ups can help to limit the impact of ransomware attacks, which occur when hackers lock up the data of an individual or business and demand payment to release it.
11. Cyber insurance
Cyber insurance is an expanding part of the insurance market which allows businesses to insure against the financial losses and business impacts that occur following their IT systems being compromised. For businesses that are particularly vulnerable to their IT systems being compromised, this is something that should definitely be considered.
If a breach does occur, these steps will help you respond:
1. Bring in an IT expert
The first step after a hack is to identify the source of the breach and to determine which systems or files were compromised. By finding out what part of your network was compromised, you can make an informed decision about how to respond. Depending on the nature of the breach, isolating your computer network from the web may prevent further intrusions. This may require the removal of network cables from computers and the unplugging of routers to stop further information from leaving your servers. If you don't have an in-house IT team, there are various IT experts who can assist.
2. Inform your clients
Depending on the nature of the breach, you may be obliged to notify customers and the Privacy Commissioner of a data breach that has occurred. In these situations, all of the proactive steps you have taken to adopt best practices (including IT security and compliant legal documentation) will be important and help to reduce additional scrutiny.
3. Protect your brand
Preparation is everything! Regardless of what industry you are in, or the size of your business, preparation is what protects your reputation during a cyber-attack or any other issue your organisation may face. The ideal time to sort through breach response decision-making is before an incident, when there is time to think deliberately about how to protect stakeholders and the organisation. The best way to do this is by developing, testing and maintaining a crisis communication plan: a critical tool to help guide you to communicate effectively in a crisis.
Crisis communication plans come in various forms, depending on the size and operations of your business (and are usually part of a wider Crisis Management Plan), but the actions guiding how to communicate with stakeholders during a crisis remain the same. Top-line actions should include:
- Nominate members to form a ‘crisis team’ (before the crisis occurs): this should include senior executives, legal, communication, HR and technical experts. Ensure each team member has a clearly defined role and responsibility and knows what to do when a breach occurs.
- Map all stakeholders: ensure you fully understand who would need to be communicated with should a breach occur (e.g. customers/clients, media, employees, suppliers, industry bodies, regulators, government).
- Have external consultants/advisors engaged: it is critical that you have access to specialist expertise immediately.
- Scenario planning: identify potential cyber-attack/data breach scenarios with the potential to impact the business, and develop an action plan to address them.
- Develop template materials to guide your communication response. These should include:
  - Key messages (information that guides your communication to stakeholders)
  - Draft media statement
  - Question and answer document (addresses questions frequently asked by stakeholders in a crisis)
  - Stakeholder letters (proactively sent to stakeholders updating them on the matter)
  - Briefs for frontline staff (ensuring all of your frontline staff are appropriately briefed to handle stakeholder enquiries)
  - Employee communication
  - Social media monitoring (allows you to understand stakeholder reaction to the issue).
The key to protecting your organisation's reputation during a crisis is effective and consistent communication with stakeholders. This can be best achieved through preparation and planning.
4. Change your passwords
If any employees were sharing passwords between work accounts and their banking or social media accounts, now is the time for these to be changed. If a hacker has access to company password and username databases, they could, and most likely will, use that information to target individual employees.
5. Implement your backup plan
By reinstating your backed-up data, you can get business turning over again as soon as possible.