Source: Google
There’s no question that cyber is front of mind for all businesses around the world today. No matter the size of the organisation or how much investment has been made in cyber security, everyone remains at risk of a data breach incident. The uptake in cyber security, cyber insurance and cyber training has exploded and for good reason. Investing in a sound cyber posture is required and demonstrates good governance.
However! We are finding most businesses aren’t investing in the strategic preparedness which runs parallel to the IT team when a cyber incident occurs.
When you have a cyber incident (it is a question of when, not if), your executive team should be just as involved as your IT team, coordinating a strategic response in parallel to the IT team’s operational response.
If your executive (crisis) team isn't prepared, all of your IT preparedness and investment may be wasted. It is more likely that you will be judged on how you identified and communicated on strategic issues, not on how effectively you restored your systems.
To give a salient example: Pareto Phone was a well-established telemarketing business, calling supporters of major not-for-profit organisations (NFPs) seeking donations. They reportedly had a $100 million turnover, with 150 staff and a client list most would envy, with over 70 high-profile NFPs on their books, including the Fred Hollows Foundation, Greenpeace, Amnesty International, Stroke Foundation, Australian Breast Cancer Research, Diabetes Australia, Black Dog Institute, Australian Marine Conservation Society and more.
So, what went so horribly wrong? They, like so many other businesses, fell prey to a data breach, which was detected in April 2023. By all accounts, Pareto did notify the regulator... however, they failed to notify one key stakeholder group: their clients! As the crisis unfolded, Pareto clients only started to become aware of the cyber event months later, and often via a third party, not via Pareto.
As you can imagine, their clients were not happy. In fact, many were so infuriated that they ceased their engagement with Pareto. In October 2023, just 6 months after the breach, Pareto announced they were ceasing operations, and are now permanently closed.
A number of Pareto clients were also our clients, who have told us that their fury was not about the occurrence of a cyber breach, but the failure to notify them directly within a reasonable timeframe.
Stakeholder identification and notification is not the role of your CISO, CIO or IT team. This responsibility falls to the executive team, as well as coordinating what needs to be said and when it needs to be done.
It is far better having an independent third party to identify gaps by reviewing your crisis response capability or facilitating an incident simulation, rather than testing your response at the time a cyber event occurs.
If you would like to know more about preparing your executive team for a cyber incident, please contact us at office@crisisshield.com.au or call me (Allan Briggs) on 0417 160 120, to help establish just how ready you are.