Businesses are reinforcing corporate communications teams with cyber security specialists as executives watch the cyber security disasters at Optus and Medibank play out in front of their eyes – and consider how they would manage the public fallout from a similar incident.
The impact of the recent spate of breaches is evident at the ANZ Banking Group, which is recruiting an ‘incident communication advisor – technology, cyber security and data’ whose primary role will be to “keep ANZ’s customers and employees informed… during major technology, cyber security incidents, data regulation events, and planned outages.”
Based at ANZ headquarters in Docklands, Melbourne, the role will involve developing and testing strategies for communicating with affected customers and other stakeholders during and after incidents – for example, drafting public statements and key messages for distribution to the public, and to staff via the bank’s intranet, Yammer, email, and other communications channels.
It also involves acting as a liaison between the technical staff within ANZ’s Command Centre (Technology) and Data Event Response Team, and the business leaders who need to stay apprised of findings from ongoing breach investigations.
The Commonwealth Bank of Australia (CBA) is also bolstering its cyber security team, this week advertising for several employees with the title senior manager cyber defence GRC and findings management – specialist cyber security analysts responsible for evaluating the relationship between cyber security issues and the bank’s governance, risk management, and compliance (GRC) obligations.
That means evaluating the business risk of “critical security findings” identified by the penetration testing, red, and blue teams – teams within the CBA’s Cyber Defence Operational unit that regularly probe the bank’s security architecture – and working with business leaders to explain and manage their impact in plain English.
Recruiting cyber security specialists to liaise between technical staff, business people, and the public is a new approach for a business community that has typically relied on corporate communications staff to handle incident responses.
Such staff work furiously behind the scenes to manage stakeholders, but previously provided little more information than sporadic, tersely worded website updates that often came months or years after the breach.
However, the magnitude of recent incidents – including the “distressing” and still-evolving Medibank data breach, as well as the recent breach of Optus customer data, which each involved many millions of Australians – seems to have shifted the narrative.
Optus CEO Kelly Bayer Rosmarin took the bull by the horns early on, fronting the media the day after that company’s data breach – which was found to include the sensitive identity details of at least 2.1 million Australians – was discovered.
“We’re informing customers as quickly as we can, in a very different way from what has been done with previous cyberattacks,” she said.
“We know that in these situations time can be of the essence, so we contacted the media less than 24 hours from when we learned that this incident had occurred.”
“Our front-footed approach, and the speed with which we’ve responded to this, doesn’t allow us to have all the answers – but if you ask away, I will tell you whatever I can.”
Such public mea-culpas by CEOs have been rare in the past, but amidst data breaches’ growing intensity and impact – and a regulatory climate that is pressuring executives to be personally invested in cyber issues – it seems Bayer Rosmarin’s repeated apologies are setting a new standard for incident response.
Medibank CEO David Koczkar has taken a similar approach, publicly apologising and admitting that “this latest distressing update will concern our customers… [but] we have always said that we will prioritise responding to this matter as transparently as possible.”
Even as the company progressively revealed ever more “distressing” details about the hack – including recent revelations that hackers wanted to negotiate over the stolen data, and that all of its 3.9 million customers’ data had been compromised – the federal government was promoting a policy that would dramatically increase the fines that breached companies could face.
Professionalising the management of revelations about breaches early will help avoid the rolling chaos that can encompass companies once a breach is made public – and that, along with the increasing GRC burden on executives, could well make cyber incident communications specialists increasingly common.
“In the wake of a cyberattack, there are a lot of moving parts,” security firm Cymulate noted in a report highlighting the results of a global survey of 858 senior executives that found 22 per cent of businesses “will have to handle the regulatory mandate of public disclosure, which can cause even greater damage if it isn’t handled with sensitivity and expertise.”
In 39 per cent of cases, the study found, security teams need to bring in outside specialists in legal, finance, and the C-suite “to handle the fallout” while 35 per cent of respondents noted the importance of third-party consultants in handling breaches.
Planning a coherent breach response well in advance, and meeting regularly to reinforce it, was associated with fewer breaches overall amongst survey respondents.
Indeed, in companies where leadership and cyber security teams met at least 15 times per year, there were zero breaches reported.
By contrast, Cymulate found, businesses that met less often – under 9 times annually, on average – reported suffering 6 or more breaches in the past year.
“A reactive approach is a costly gamble,” the firm noted, “and being proactive about cyber security could eliminate this added cost altogether.”