Data Breaches – It’s not if. It’s when!

Written on September 13, 2022. 10 days later, Optus.

Some years ago, I was purchasing a new road bike, all carbon fibre and unobtainium. The bike shop owner also talked me into a new helmet. His sales pitch was “you’ll need this for when, not if, you come off.” He was not wrong. I did, eventually, come off. Big time. Bruised ego, road rash, broken ribs, but a fully intact head. Which is more than I can say for the seriously cracked helmet.

In a world where everyone is collecting data on everyone else – even the taco sellers want you to order, and pay, via their App – it really is a case of when data security is breached, not if.

The pandemic and the ubiquity of the QR code has resulted in a flood of service providers driving customers online and onto Apps to execute transactions, most of which require input of personal and credit card details. What could possibly go wrong?

The answer is, quite a lot. In many cases the collected data is stored, and payment processed, by third parties. Another link in a chain of custody of sensitive information.

Are you certain that the data you are collecting, or that is being collected on your behalf, is secure? Other than general reassurances about security protocols and systems in place (most of which is indecipherable technical jargon) what tangible security measures are in place, particularly at the weakest points, being where your staff or contractors physically enter or access data?

Of the last four crisis management tasks we have been asked to assist with, three have been data breaches.

Managing a data breach is a complex task. Not only do the data security experts need to track down and plug the leak but a wide range of stakeholders, from customers to regulatory authorities to business partners and the media, all need to be sensitively communicated with and reassured that matters are (hopefully) in hand.

That requires a set of skills that are not usually held by day-to-day operating staff. Taking two important steps will help in navigating the challenges presented.

• First, assume it will happen to you and develop and rehearse a crisis management plan.

• Second, immediately you become aware of a potential breach, call in your crisis team, made up of key internal and critical external technical, communication and legal support, to work on responses and reputational protection.

The damage that can be done to corporate reputation by slow and inadequate response can be fatal. Even if the breach originated due to a failure within your organisation, if you move quickly, decisively and appropriately, you stand a good chance of minimising the damage, to you and to your customers.

In an interconnected world where online security is continually being tested by bad actors, everyone understands that challenges may arise. It is how you respond that will determine whether you retain or lose trust.

The best way to ensure you respond effectively is to be prepared. Get a data breach crisis plan together, engage the necessary external support and rehearse.

When it does happen, move quickly to bring that team to the multifaceted task of fixing the breach, communicating with stakeholders and interested parties and rebuilding the trust that every business relies on.

RMK+Associates has long experience in preparing for and managing corporate crises, including numerous data breach incidents. We have long-standing partnerships with data security experts, we have comprehensive stakeholder management skills, and we can work closely with clients’ legal counsel to prepare for and respond to serious data breach events.

Are you ready?

Just in case you think we may be overstating the risk, here are only a few examples of recent cases that have created chaos:

Optus

Huge data breach. Up to 10 million customers impacted. Optus first suggests customers should use the My Optus App to find out what is going on. Massive fail! CEO comes out next day with an almost tearful apology and promises of further restorative action, but still can’t specify what happened or how they will fix it.

Uber

Hacker gains access to all internal systems through a phishing attack. All Uber email systems and team online tools shut down for an extended period.

A 2016 attack stole the details of 57 million driver and rider accounts. Uber paid $US100,000 ransom to have the copies deleted and kept the breach secret for over a year. Uber’s then security chief charged with failure to disclose the breach to regulators and is currently on trial.

APT Travel Group

Attack takes down all booking systems and compromises data. Company refuses to confirm that it paid a seven-figure ransom to unlock its systems and recover data.

DoorDash

Phishing attack exposes customer data including partial payment details. Company has to cut off access to some third-party vendors and re-engineer its security protocols.

International Committee of The Red Cross

Hackers gain access to personal data of more than 510,000 people worldwide. ICRC did not detect the breach for 70 days. Impacted servers taken offline for an extended period. Compromised data not recovered.

Toll Group

Suffers two attacks in one year, shutting down various elements of their online customer services and compromising customer data. Attackers demand a ransom, Toll refuses, endures weeks of disruption.

A climate of fear is a risk management failure

By Robert Masters

A key element of the governance of any business or government today is its risk register. It should be the right-hand tool for ministers, CEOs, chairpersons, boards, cabinets and advisory committees.

It is integral to the due diligence process and provides an overview of the degree of exposure, or ‘appetite for risk’, that leaders are prepared to take with a policy, project, product, service or any new initiative.

What is surprising is that risk management programs appear to have fallen off the agenda for government and companies. The number of issues emerging in the media shows something is sadly lacking in the risk management process.

Public stoushes between corporate leaders, disruptions of ABC’s Q&A program, the goings-on of ICAC involving politicians and corporate leaders with party donations, forgotten bottles of wine etc, are just some of the examples that should have been considered in a risk register.

The public deserves better than what it is seeing at the moment, not to mention the climate of fear, misinformation and misguided debate that is going on.

It is accepted business knowledge that well-designed risk management plans can decrease problems encountered on a project by as much as 90 per cent. This applies equally to the management of any company or government.

Combined with very sound management methodologies, a robust and detailed risk management process can eliminate the headlines of today and diminish the issues arising unexpectedly, or provide the basis for sound, reasoned debate – not hysteria.

Unfortunately, many risk frameworks only cover operational risks and few provide sufficient analysis in relation to bad PR, potential issues and negative stakeholder reactions. Risk mitigation strategies are often at such a high level that they fail to provide sufficient guidance for an acceptable outcome consistent with the ‘appetite for risk’.

All corporate and government policies should go through a thorough stakeholder and operational risk assessment process before they are floated in the media to assess ‘community debate and reaction’.

Neither communities nor the proposers of policies or projects need a plethora of hysterical headlines creating fear, anger and angst. Six structured steps are all it takes to develop an effective risk register, but its effectiveness is in the detail of its planning, development and diligence.

ICG has extensive experience in creating and implementing comprehensive risk registers and risk mitigation action plans; contact us before you embark on your next big project.

RM