The offline response to cyber threats

3 August 2015

It shouldn't come as a surprise to hear that cyber attacks are on the rise.  A recent PwC Survey reported significant year-on-year increases of detected cyber security incidents, but - more alarmingly - noted that the figure of detected incidents is probably conservative:  the most successful attacks go undetected, and many detected attacks go unreported for fear of regulatory action, reputational damage or financial impact.

At the same time, there has been a general awakening in the public consciousness of privacy issues, meaning that even if the operational or legal impact of a security incident can be contained, the damage to reputation and loss of public trust will be much harder to repair.

Getting it wrong

And yet, despite the growing threat and the heightening awareness of privacy and security risks, many organisations remain under-prepared, often for one or more of the following reasons:

First, a culture remains among many organisations that 'it won't happen to us', preferring to believe that cyber attacks are exclusive to global corporate giants like Sony, eBay or Home Depot or those operating in particularly sensitive sectors, such as healthcare, telecommunications or financial services.  But as those traditional targets continue to take more effective security measures, small and medium organisations are increasingly at risk of attack for the very reason that their security practices and defences are unlikely to be as mature or sophisticated as those of a larger organisation. 

Second, many businesses focus their attention on external threats, failing to recognise that security incidents can just as easily come from within - an opportunistic employee, service provider or someone else whom we let into our systems is just as likely to be behind a security incident as a rogue nation state or organised criminals.

Third, it is tempting to classify information security as an IT issue, ignoring the reality that a huge proportion of security incidents are the result of human error (or human malice) - whether that's attaching the wrong document to an email, falling for a phishing scam or deliberately circumventing security measures.  In the same way that a bad driver can negate a car's advanced safety features, the most vulnerable part of an information security system is the person interacting with it, or actively looking for a way around it to make their job easier. 

It's for this reason that the word 'cyber' runs the risk of being over-used, and misleading - while it might be right to talk about 'cyber threats', the security measures put in place to respond to those threats shouldn't be narrowed by the same adjective.  IT measures will be an element of a good security plan, but so too will physical safeguards, employee training and well-implemented and monitored policies. 

What should organisations do?

Security obligations in Australian and New Zealand privacy legislation (among others) are defined by what is "reasonable", "adequate" or "appropriate".  There is some useful regulatory guidance available to shed light on what these concepts mean in practice, but the steps that an organisation can take to put a security plan in place should be five-fold:

  • Audit the organisation's data, so that there is a clear understanding of what information is held, how sensitive it is, what damage could be caused if security is breached, and what additional regulatory requirements might apply (eg, healthcare or financial information).

  • Implement security measures and safeguards that are appropriate given the information held and the harm that could be caused, taking into account legal obligations and regulatory guidance.

  • Prepare a response by ensuring that the organisation can quickly and effectively deal with the fallout following an incident.  Part of that response will be operational in nature and dovetail with a disaster recovery plan - such as ensuring business continuity and restoring key systems and datasets - but it should also have an external focus by identifying which regulators and other stakeholders might need to be notified, planning how communications with key customers and the public at large will be handled, and having a press release and media strategy printed and ready to go.

  • Test the response, in the same way that a disaster recovery plan or fire evacuation would be tested, to make sure that it is effective and that any deficiencies can be identified and addressed.

  • Update the plan regularly, adapting it to take stock of security incidents and near misses, changing threats, new products or services that have been launched, and new systems and service providers used by the organisation.

This article was written by Allan Yeoman for the Australasian Lawyer magazine (Issue 2.4, August 2015).  Allan is a partner in Buddle Findlay's ICT practice.

Buddle Findlay has produced a guide on information security entitled 'Safe and Sound', which discusses these issues in more detail.