The professional services industry faces a growing threat of cyber-attacks, making it more important than ever to be able to respond, particularly given Australia’s new privacy laws.
From cybersecurity threat/risk reviews and response planning to IT Strategy, Risk and assurance and data security compliance reviews, we have been working with our clients to ensure they are as prepared as possible for any potential breaches.
It’s no wonder these issues are top of mind. Just last week, supermarket chain Ritchies Supa IGA’s website was hacked, with the details of more than 6000 customers potentially accessed as a result of the breach .
Whilst you can’t predict a cyber-attack, you can ensure you are prepared to respond to a breach if it does occur.
Creating a cohesive response strategy
1. The first step in your response strategy should be to invest in the first defence – your people. The weak link in security planning is staff, whose behaviour can’t be accounted for in plans or documents. A test done by security firm Positive Technologies  found that, on average, a quarter of staff were likely to click on phishing email links. Training and cultural awareness are crucial first steps in fostering a more prepared workforce. However, organisations need to go further and extend that due diligence to both up and downstream vendors, who represent key parts of the supply chain and a key access point for system infiltration.
2. When a breach occurs, your business needs to respond. The majority of response planning needs to be done in advance in the form of soft (and hard) copy business continuity plans (BCP) and disaster recovery (DR) plans. These need to be tested iteratively in different scenarios and include details of which systems are most important to the business so you can prioritise your recovery efforts. Make your plans a reality, just as you would a fire drill.
3. Finally, communicate effectively. Knowing how to engage with your clients, authorities and the wider media requires an understanding of your obligations and your situation. One potential pitfall for your business is simply not knowing what data you possess – In the current business environment systems interact with consumers and other stakeholders at such volumes that businesses can lose track of the information they may be collecting. In this case, simple steps to understand system architecture can be taken early to avoid damages down the track.
DLA Case Study
At an event Grant Thornton held in May this year, DLA Piper described in detail the cyber-attack that shut down the majority of their IT systems on a global scale and the unprecedented level of disruption to its business when the NotPetya malware infected the organisation.
The law firm was left without emails, documents, phones and other key systems, subsequently paying over 15, 000 hours of overtime to IT staff in an attempt to recover in a timely manner. Their response plan included establishing business centres in their offices for staff to use and utilise alternate communication methods, with the priority to recover both email and document management systems while minimising the disruption to operational activities like time-sheeting which was done on paper as a workaround.
DLA Piper discussed the extensive business continuity planning it had undergone, the plans that were in place and the work it had done in the wake of the WannaCry ransomware attack earlier that same year. While this preparation was unable to prevent the cyber-attack, it allowed them to respond and recover as quickly as possible.
This attack was one that affected many businesses and serves as a reminder that attacks are not always malicious or targeted, and you can be affected even if you are a ‘small target’.
Cybersecurity is an opaque threat and one which continues to develop and change. Increasingly, cyber-attacks can be part of intricate crime networks or even state-sponsored efforts, making them more potent, creative, targeted and harder to remedy. Where ten years ago this threat may have been levelled against ‘mum and dad’ users of the internet, businesses are increasingly the focus for malware attacks and other nefarious campaigns.
Strategies such as ‘brandjacking’, where someone assumes the online identity of another entity, pose risks to a business brand even when it’s not being attacked directly.
For more information about data breach legislation, assessing your business risk, planning for a breach and how to respond, please get in touch.