Weekly Security Update with your Cybercrafters

News articles about Cyber Security breaches in Australia and New Zealand have increased over the last few months. Some of those highlighted in the media include Medibank, Pinnacle Health and Optus. The danger with cyber breaches being frequently reported is that people become complacent. However, essential issues need to be considered. Does a cyber breach impact an organisation’s reputation? How does a cyber breach affect day-to-day business function as operations halt due to a ransomware attack?

We will go into detail and analyse not just the breaches, but the response around it, and ways that organisations can work on improving the way that they respond to the breaches to help maintain a better reputation.

Over the last couple of weeks, Australia has had some major breaches that were in the news. Healthcare and telecommunications were the sectors that have been highlighted. The data breach for the telecommunication provider Optus included 2.7 million names, birthdates, phone numbers, addresses, passports and driver’s license numbers. This attracted the federal government to investigate this breach to see what had gone wrong. The telecommunications agency had called this a “sophisticated” breach however it was interesting to note that after the investigation from the federal government; the government called this a “basic hack”. This was not the first time Optus has come under fire for the way they have dealt with their customer's data. Optus has stated that they will offer to pay individuals, whose driver’s license has been compromised but not the individuals who have had their passports compromised. The Foreign Minister has however stated Optus will be required to pay for the individuals’ passports as well. A well-planned coordinated response to manage this incident would absolutely help.

New Zealand and Australia both had a healthcare provider go through massive breaches including Medibank and Pinnacle Health. Both used ID Care to provide ongoing support for the people who have been breached. Both Pinnacle Health and Medibank’s CEOs have publicly apologised, the Pinnacle Health Chief Executive labelling the hackers “malicious actors”. In both breaches highly sensitive information was compromised, resulting in the most vulnerable people being impacted.

Initially, with Pinnacle’s breach, their Chief Executive stated that it was just the names, addresses and contact details containing no confidential health information that was breached. A few weeks later it was disclosed that past and present patients’ confidential data had been published on the dark web.

Whilst these are an unfortunate set of incidents, the manner in which both the CEOs have been informed and prepped by their media liaisons has not helped in this situation.

There is a call from certain New Zealand business sectors for a specific Minister for Cyber Security to be appointed. In Australia, privacy regulations are going to be reviewed as well. Specifically, to update changes reflecting the urgency for both private and public organisations to look at how they are maintaining the confidentiality of their customers, patients and/or clients.

What can be learned from these incidents is that it is vital to have a proper communications plan for any sort of breach prior to the breach happening. What we have seen is, when the unfortunate breach does happen, the Executives are under extreme pressure and having a proper plan in place is crucial. With the above examples of breaches, it appears that the CEOs have tried to reduce the amount of information provided to their patients, suppliers, or any other interested party This should not be the case. Transparency and an urgent need to be upfront, providing as much information as possible is crucial.

How are you preparing for a breach in your organisation? Do you have a communications plan, or do you believe your IT guy will sort this out? Bear in mind, that in Cybercraft’s 4 years of conducting Risk Assessments, on average less than 5% of Organisations had a viable Incident Management Plan. In most cases, management thought IT had it covered. But let’s face it, it’s not the case.

Don’t wait till an incident happens before putting a management plan together!