How many more times will we have to hear some struggling organisation announce that a cyber breach or data leak was caused by failure at a third-party contractor?
It might be true, and it might be an explanation, but it’s not an excuse.
Consider the Latitude Finance cyber breach in March, originally reported as 330,000 customers’ data stolen and later escalated to a record-breaking 14 million personal records, affecting perhaps 8 million people across Australia and New Zealand.
The company said the attacker appeared to have used employee login credentials to steal personal information that was held by “two other service providers”.
More recently, when 16,000 files relating to Tasmanian schoolchildren were leaked onto the dark web, the data was reportedly accessed through a “third party file transfer service”.
Referring to the Latitude Finance debacle, associate professor Rob Nicholls at the UNSW Business School pointed out: “If a company outsourced to a service provider and got them to agree it’s their responsibility, that might be the case contractually, but in terms of governance it hasn’t solved anything … It doesn’t matter if you’ve outsourced, you’ll still be held liable.”
While attempting to displace blame might give the appearance of reducing responsibility, the obvious underlying problem is lack of adequate crisis preparedness and lack of formal governance frameworks.
A study by the Australian Institute of Company Directors last year found that 72% of respondents said cybersecurity is a “high priority” for their board. However, more than half (53%) said they had no dedicated crisis planning or cyber resilience plans in place. And only a shockingly low 21% receive regular reporting on the cyber performance of those increasingly critical third-party suppliers.
Although the federal government has announced massive increases in corporate fines for persistent data breaches, and is staging cyber ‘war games’ for the banking and other vulnerable sectors, the focus still seems to be more on what to do after a crisis strikes and how to minimise impact, rather than how to prevent a crisis occurring in the first place.
The government’s technical approach is important, but the reality is that cyber crises are never “just an IT problem”. A cyber crisis risks financial losses, fines, falling share value, class-action lawsuits and reputational damage – just like any other crisis.
A report earlier this month found the Australian telecommunications industry has overtaken social media as the most distrusted industry. This was primarily driven by the “toxic levels of distrust” following the highly publicised data breach late last year at Optus, which came in as the second most distrusted brand in the nation.
CEO Michelle Levine of research company Roy Morgan commented: “Unfortunately for Optus, it has been proven that brands which suffer major scandals find that once distrust takes hold, it is very difficult to curtail.”
A statement of the obvious perhaps, but it highlights that cyber failures need to be a central responsibility of top management in general and crisis managers in particular, not just IT professionals.
Of course, cyber systems and penetration testing need to be more robust. Yet the fact remains, more than half of Australian companies surveyed said they had no dedicated crisis planning or cyber resilience plans in place.
Australian crisis expert Gerry McCusker stresses that crisis preparedness is the key and crisis simulation is an essential tool to get organisations more crisis ready. “By running crisis training workshops, organisations can identify weaknesses in their response plans and take steps to address them before any real risk occurs.”
And Deb Hileman, CEO of the Institute for Crisis Management, asks the fundamental question: “Is your business at risk for a Cyber Armageddon? Yes. What are you doing about it?”
Dr Tony Jaques is an expert on issue and crisis management and risk communication. He is CEO of Melbourne-based consultancy Issue Outcomes and his latest book is Crisis Counsel: Navigating Legal and Communication Conflict.