In the latest episode of Legally Consumed, we had the pleasure of hosting Robert Hadler and Allan Briggs to discuss the importance of cybersecurity with a focus on sensitive customer data. Allan, also known as ‘The Crisis Guy’, is the founder and CEO of Crisis Shield, a crisis management firm. Robert has over 40 years’ experience as a senior advisor at board and executive levels, and is a trusted authority in crisis management.
This episode explores the rise in cyber attacks, how AI will increase the number of attacks, and the importance of preparing for a critical incident while navigating the evolving cyber-related regulatory landscape.
Rise of cyber attacks
Cyber attacks are the threat Australians are most concerned about: in a Lowy Institute survey, over 68% of respondents cited foreign cyber attacks as a critical threat facing the country, and only 1% considered them unimportant [1]. In the wake of the trio of high-profile cyber attacks on Optus, Medibank and Latitude, consumers are increasingly aware of, and concerned about, the sensitive data that businesses hold. During the episode, both Allan and Robert reiterate that every business could be the victim of a cyber incident, and that the consequences of failing to manage and mitigate such an incident can be catastrophic.
While more and more businesses are treating cyber security as their number one priority, Allan explains that these attacks are only going to become more prevalent and sophisticated over time. Modern cyber criminals operate as elaborate businesses that use technologies such as AI to accelerate the rate of attacks. In fact, a survey of cybersecurity experts found that 85% of respondents attributed the increase in cyber attacks to the use of generative AI by bad actors [2]. Working from the assumption that every business will be hacked, or at least targeted, the importance of preparing for a cyber incident cannot be overstated.
Preparing for a critical incident
During the episode, both guests stressed the importance of preparing for a cyber attack with a multi-stakeholder approach, including having a workable crisis management plan rather than ‘sticking your head in the sand’. Drilling down, Robert outlined the steps to preparing a plan, which include identifying a crisis management committee, being clear on members’ roles and responsibilities, and allocating a place to meet with dedicated facilities, including telecommunications. When selecting the crisis management team, Allan and Rob advise that the CEO should be kept off the team, leaving them free to liaise with major stakeholders, advise the board and conduct media interviews if required.
Once the plan is outlined, it is important to pressure test it with drills to identify any weaknesses in the processes or procedures. Common questions that arise for the executive team after a simulation include ‘Should we pay the ransom?’, ‘What does our insurance policy cover?’, ‘Who will talk to the media?’, ‘What are our regulatory obligations?’ and ‘What are our moral obligations?’. The discussions should also cover the role of the board and how it will be briefed in the event of a cyber incident. The last takeaway Rob highlighted for business leaders is that every crisis is different, but the steps for managing, and potentially preventing, a crisis are the same whatever form it takes.
Navigating the regulatory landscape of cyber
The cybersecurity regulatory landscape is rapidly evolving as the number of cyber attacks surges. During the episode, Allan pointed out that government agencies, including the Australian Signals Directorate and the federal and state police units that deal with cyber crime, struggle to keep pace with the sheer number of incidents. This means that organisations should not outsource their responsibility for managing a crisis to a government agency or wait for the government to intervene: they have a responsibility to their customers to communicate how an incident will affect them.
Another topical debate that has arisen from the increase in the volume of cyber attacks is whether the payment of ransoms should be banned in Australia. The government’s advice is not to pay; however, our guests provided some deeper insight into the issue. Rob and Allan recommend pre-emptive discussions with the senior executive team and the board of directors about how the organisation, in principle, plans to address this question before a crisis arises. It is not a black-and-white decision but a complex issue with competing priorities that has to be reviewed on a case-by-case basis. The central question Rob recommends decision makers in that position ask themselves is what is best for their customers, and that should lead them to a balanced decision.
To listen in and find out more from Allan Briggs and Robert Hadler, and cybersecurity best practices for organisations, tune into our podcast, Legally Consumed where we explore the legal intricacies of the consumer products space.
For more information on Robert or Allan and their work, head over to their LinkedIn accounts.