COVID-19 represents an unprecedented challenge to business. Most of corporate Australia is now operating remotely in line with 'work from home procedures' and a business continuity plan. However, with remote working comes inherent cybersecurity risks and potential data breaches. Below we outline some steps you can take today to safely navigate your company through this time.

Cyber risks are increasing

Cybersecurity incidents affect approximately 1 in 3 Australians and cost businesses $29 billion per year.1

With the advent of COVID-19, cybercriminals have been capitalising on public fear surrounding the pandemic in a number of phishing scams. The scams impersonate trusted brands such as the World Health Organization (WHO), the Australian Government Department of Health, and the U.S. Centers for Disease Control and Prevention (CDC) to send 'phishing lures' by email and through online messaging platforms.

In light of these increased risks, timely consideration needs to be given to the strategies a company has in place to mitigate cybersecurity threats.

Does your organisation have an Incident Response Plan that is fit for purpose?

Robust cybersecurity resilience is more than just an IT issue – it requires a multi-disciplinary approach aimed at preventing a breach and preparing for when one occurs. The board will bear ultimate responsibility for how well or poorly an organisation achieves this.

The Australian Cyber Security Centre, a branch of the Australian Signals Directorate, has published useful guidance on mitigating cybersecurity incidents and incident response plans.

An incident response plan entails having protocols in place to enable your organisation to:

  • determine the scope of the attack;
  • contain the attack;
  • deploy forensic analysis procedures to gather the material facts (including the source of the attack if possible);
  • conduct an impact assessment to understand disruption to business and facilitate cyber insurance claims in due course;
  • report to the board and other internal stakeholders; and
  • produce a fact-based report that provides an independent and impartial view of relevant events for all other appropriate stakeholders (ASX, OAIC, ASD, ASIC, APRA, insurers, customers, suppliers, etc). Directors should especially note their disclosure obligations under the Notifiable Data Breach scheme if a breach involves personal data, and under section 675(1)(b) of the Corporations Act 2001 (Cth) if the breach involves information which materially affects the value of the entity.

Does your organisation have appropriate internal policies and procedures to protect its data?

With burgeoning threats posed to companies from external and internal factors, it is important to implement appropriate internal mitigation strategies such as:

  • mandatory two-factor authentication and VPN systems for remote working;
  • appropriate IT infrastructure in proportion to the size of your business;
  • incorporating responsible-use-of-IT policies and confidentiality clauses into all employment contracts;
  • conducting periodic cybersecurity health checks to determine whether further safeguards are required and how best to implement them;
  • conducting a cyber tabletop exercise to test your organisation’s ability to implement its incident response plan and learn from mistakes; and
  • investigating cyber insurance quotations for the organisation.

Company directors should also ensure that they document and catalogue all decisions made and steps taken in investing in ICT infrastructure or in investigating and dealing with a breach, to defend against any claim for breach of directors' duties. Whilst this is relatively uncharted territory in corporate litigation, cybersecurity issues do pose a reasonably foreseeable risk to companies and should be taken seriously by a board.

Key takeaways

  1. Before a cyber-attack occurs:
    1. have a robust ICT governance framework;
    2. ensure that there are sufficient resources to help prevent an attack proportionate to the size of the business or sensitivity of the data held by a business; and
    3. have policies relating to employee use of technology or general procedures for preventing cyber-attacks (e.g. using encryption software, changing passwords, two-factor authentication, mandatory VPN use, etc).
  2. During the event:
    1. take the steps set out in the incident response plan to respond to the attack; and
    2. make relevant disclosures (e.g. to affected individuals pursuant to the Notifiable Data Breach scheme, or to the market under continuous disclosure obligations).
  3. After the event:
    1. audit ICT security systems to enhance performance; and
    2. improve internal policies.