Brace for impact – the importance of a tested cyber incident response plan

By Eden Winokur, Alison Baker, Sam Tempone and Chloe Taylor

Following recent high-profile cyber incidents impacting Optus (see our article No Optus – Australia’s largest data breach) and Medibank, Australian organisations should be taking steps to mitigate cyber risk and ensure they have an adequate and tested cyber incident response plan (IR Plan) in place.

With the Optus breach, the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority have announced a co-ordinated investigation into Optus’ storage and management of its customers’ data. One law firm has already filed a class action against Optus with the OAIC, and another is assessing the issues.

As cyber attacks become more prevalent, a rapid, planned and holistic response is crucial. This ensures that incidents are identified, contained and investigated in a timely manner.

Be prepared

The Australian Cyber Security Centre (ACSC) recorded over 67,500 self-reported incidents of cyber-crime in the 2020-2021 financial year, resulting in over A$33 billion of self-reported losses. Many of these incidents could have been avoided or mitigated by good cyber security practices.[1]

A key part of being well prepared is understanding that cyber risk cannot be eliminated. While there are various steps that can materially reduce the risk, all businesses should be prepared for a cyber attack. When attacks occur, a well-prepared business can rely on its IR Plan to respond promptly and decisively to a cyber incident, limiting its impact and supporting recovery.

Some of the key benefits of having a properly tested IR Plan include:

  • ensuring that the business has considered exactly what to do in the event of a cyber incident (planning that is far better done before a crisis than in the middle of one);
  • ensuring that the business has a clear understanding of what communications are required (whether to regulators, customers, employees or the media);
  • minimising the disruption to business operations;
  • reducing the risk of reputational damage if the company is seen as in control and handling the incident appropriately; and
  • reducing the overall risk of customer complaints or litigation, by mitigating the damage caused by the incident.

What should be included in an IR Plan?

There is no hard and fast rule for mitigation strategies that will protect against all cyber threats. How your IR plan is structured will, of course, depend on the size and complexity of your organisation.

The Office of the Australian Information Commissioner (OAIC) provides useful guidance that all organisations should be aware of when implementing their IR Plan.

To be effective, staff must be adequately trained on all aspects of the IR Plan so that they are familiar with its requirements. In particular, members of your organisation need to know what to do when they come across a cyber incident. Who do they contact? What do they do with their computer? Some people might think ‘pulling the plug’ is the best thing to do – but powering a machine off destroys the volatile evidence held in memory (running processes, active network connections, logged-in sessions) that investigators rely on, and it closes off your IT security team’s visibility into the attack. Disconnecting the machine from the network while leaving it powered on usually contains the threat and preserves that evidence.
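As an added illustration (this is not code from the original article, nor Hall & Wilcox’s own tooling), the following Python script shows what a first responder does instead of ‘pulling the plug’: it captures the volatile state a power-off would destroy, writes it out with a UTC timestamp and a SHA-256 hash so the capture can be entered in the incident record, and generates firewall rules that isolate the host from everything except a responder address while leaving it running. The command names, the evidence directory and the responder address are assumptions; the Linux commands would need swapping for their Windows equivalents on a Windows workstation.

```python
"""First-responder triage for a suspected-compromised host.

Added illustration, not from the original article: capture volatile evidence
and isolate the machine on the network instead of powering it off.
"""
import hashlib
import json
import platform
import shutil
import socket
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Volatile data that is lost the moment the machine is powered off.
# Each entry is a label and the command to run; missing tools are skipped.
# Assumed Linux commands; on Windows the equivalents would be
# tasklist, "netstat -ano" and "query user".
VOLATILE_COMMANDS = {
    "processes": ["ps", "-eo", "pid,ppid,user,lstart,cmd"],
    "connections": ["ss", "-tunap"],
    "connections_fallback": ["netstat", "-tunap"],
    "logged_in_users": ["who", "-a"],
    "arp_cache": ["ip", "neigh"],
    "uptime": ["uptime"],
}


def run_capture(cmd):
    """Run one command, returning its text output or None if the tool is absent or fails."""
    if shutil.which(cmd[0]) is None:
        return None
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout if out.returncode == 0 else None


def collect_volatile_snapshot():
    """Build an in-memory snapshot of the host's volatile state.

    The snapshot is timestamped in UTC so the IR record has an unambiguous
    time of capture that can be correlated with logs from other systems.
    """
    snapshot = {
        "captured_at_utc": datetime.now(timezone.utc).isoformat(),
        "hostname": socket.gethostname(),
        "platform": platform.platform(),
        "artefacts": {},
    }
    for label, cmd in VOLATILE_COMMANDS.items():
        output = run_capture(cmd)
        if output is not None:
            snapshot["artefacts"][label] = output
    return snapshot


def write_snapshot(snapshot, out_dir):
    """Write the snapshot to disk; return (path, sha256) for the chain-of-custody record."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    body = json.dumps(snapshot, indent=2, sort_keys=True).encode()
    digest = hashlib.sha256(body).hexdigest()
    path = out_dir / f"triage-{snapshot['hostname']}-{digest[:12]}.json"
    path.write_bytes(body)
    return path, digest


def build_isolation_rules(allowed_hosts):
    """Return iptables commands that cut the host off from everything except
    loopback and the listed responder/EDR addresses. The machine stays powered
    on, so memory and running processes remain available to investigators.

    Only the command strings are produced: applying them needs root and should
    be a deliberate, logged decision by the response team.
    """
    rules = [
        "iptables -I INPUT 1 -i lo -j ACCEPT",
        "iptables -I OUTPUT 1 -o lo -j ACCEPT",
    ]
    for host in allowed_hosts:
        rules.append(f"iptables -I INPUT 1 -s {host} -j ACCEPT")
        rules.append(f"iptables -I OUTPUT 1 -d {host} -j ACCEPT")
    # Default-deny policies come last; the inserted ACCEPT rules still match first.
    rules += [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
    ]
    return rules


if __name__ == "__main__":
    snap = collect_volatile_snapshot()
    path, sha = write_snapshot(snap, "/tmp/ir-triage")  # assumed evidence directory
    print(f"evidence written to {path} sha256={sha}")
    for rule in build_isolation_rules(["10.0.0.5"]):  # assumed SOC jump host
        print(rule)
```

The script is deliberately split in two: evidence capture runs first and automatically, while the isolation rules are only printed, because cutting a machine off is itself an action the response team should record (who, when, why) in line with the incident record described below.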

Some of the information that we consider is important to have in an effective IR Plan includes:

  • the contact details (both during and after office hours) and roles of the organisation’s response team, being the personnel responsible for handling a data breach or security incident. This may include external experts or advisers. It is important that these personnel are authorised to make critical decisions on behalf of the organisation;
  • details about insurance, particularly cyber insurance and notification obligations that arise under the policy;
  • clear steps for the responsible personnel to contain the breach within the first hour of being notified. If it cannot be contained in that time, further steps to escalate: notify the remaining responsible personnel, coordinate immediate action and determine the severity of the breach. This includes initial compliance with any legal or regulatory notification obligations;
  • details of the information that needs to be recorded, including the time and date the breach was discovered, the type of personal information involved, the cause and extent of the breach, and the content of the affected information;
  • details about how investigations are to be undertaken about the data breach or cyber security incident;
  • details about how the organisation complies with its legal obligations under contract and the notifiable data breach scheme set out in the Privacy Act 1988 (Cth);
  • details about how the responsible personnel are to communicate with stakeholders, including regulators, law enforcement, customers, employees and the media - ideally utilising pre-drafted communication templates; and
  • a plan around key issues that can arise during a cyber incident including when customer compensation may be available, whether the organisation would pay a ransom demand and how the organisation would handle a major influx of inbound customer queries in the event of a major data breach.

Simulated cyber attack training

While having an IR Plan is the first step, it will only be effective if it is tested and continually updated.

Many businesses only discover gaps in their IR Plan when they are responding to an incident. When this occurs, businesses are less prepared to effectively manage the complex processes and coordination that take place in combating an incident.

In our experience, the most effective way to train an organisation is to run through a simulated cyber incident and test the IR Plan against it. This will identify any gaps in the plan, which can then be addressed and strengthened. A well-run cyber attack simulation:

  • requires key decision makers to think about how they would respond to the key issues that arise during attacks (how quickly can a business communicate with stakeholders);
  • ensures that businesses can think about issues and decisions before they are responding to a crisis (would a business ever consider paying a ransom); and
  • identifies any areas for improvement (for example, perhaps more work can be done on a communications strategy).

In 2021, IBM released its annual Cost of a Data Breach Report.[2] The report identified how testing plays a large role in reducing the cost of a data breach: it found that ‘[o]rganisations that had formed incident response teams and tested plans experienced data breach costs that were US$2.46 million less than their counterparts.’ That is a material difference, and it demonstrates the benefit of running cyber attack simulations.

Implementing and testing an IR Plan is a small price to pay when considering the devastating effects a cyber incident may have on your organisation and its customers or clients.

If you would like to discuss your organisation’s IR Plan or a cyber attack simulation training, please contact our team of cyber experts at Hall & Wilcox.


[1] Australian Cyber Security Centre, ACSC Annual Cyber Threat Report 2020-21
[2] IBM, Cost of a Data Breach Report 2022
