Australian Cyber Security Magazine, ISSUE 4, 2018

Cyber Security

Protect your reputation after a breach

By Wayne Tufek

Data breaches expose everything from government identifiers to user account log-in names and passwords. Criminals can use stolen information, such as name, address and date of birth, to file false tax returns, order credit cards and take money from bank accounts. If you use the internet and have provided your personal details, you’re most likely a victim of at least one data breach.

Data breaches are inevitable, and waiting for a breach to occur before designing and testing an incident response plan is a recipe for failure. It’s now a question of when your organisation will be breached and how you will respond, not if you will be breached. 100% prevention simply doesn’t exist, so having a plan to deal with a security breach is now more important than ever. You probably already have an incident response plan written from a technical perspective, with defined phases such as preparation, identification, containment, eradication and lessons learned. Given the severe reputational damage that can arise from a high-profile data breach, a marketing and communications plan, along with a technical response plan, is now a necessity.

Security heads must now learn about public relations and crisis management, as the changing facets of information security force the role to move from a technologist to a business leader and risk manager. As the role changes, you must now consider what is required, in the event of a breach, for communication to your customers, regulators, shareholders and the general public. What will be communicated, how it will be communicated and what will be done to remedy the situation must all be communicated quickly and across multiple mediums to the right audience. Honesty, transparency and accepting accountability are key to successfully saving your organisation’s reputation in the court of public opinion.

Breaches are inevitable, but data theft is not. Remember, focusing on all five elements of a comprehensive security program (identify, protect, detect, respond and recover) will provide full circle protection and allow you to manage your risk.

In AON’s 2015 Global Risk Management Survey (http://www.aon.com/2015GlobalRisk/) the number 1 risk that keeps senior managers and risk leaders awake is “damage to reputation and brand”. Interestingly enough, at number 7 was “business interruption” and at number 9 was “computer crime/hacking/viruses/malicious codes”. An information security breach can certainly give rise to numbers 1, 7 and 9 of the top ten risks.

Whilst every incident that becomes a crisis must be handled in a different way, there is one factor common to all crises, and that is communication. How communications are handled with your stakeholders is critical in protecting your organisations

