Firms ignore the prospect of a cyber attack at their peril. Recent statistics from Telstra found 59 per cent of organisations in Australia detect a business-interrupting security breach on at least a monthly basis, with 60 per cent stating they have experienced at least one ransomware incident in the past 12 months.
Cyber attacks range from mildly annoying to highly expensive and stressful disruptions. When you realise cyber attackers can – and do – target anyone, from the smallest business operator to the largest corporation or government, it makes sense to ensure you have processes in place to help guard against attacks.
IT lawyer Will McCullough of McCullough Robertson says unfortunately hacks are part of our digital age but with the right knowledge you can be prepared for them. Will recently presented a series of seminars on cyber security issues to Jirsch Sutherland staff and clients in Newcastle and Gosford.
“It’s even more important to take preventative action because of the mandatory breach notification scheme that comes into play from next year,” he says. The Privacy Amendment (Notifiable Data Breaches) Act 2017 introduces amendments to the Privacy Act 1988 (Cth) that require government agencies and businesses covered by the Privacy Act to notify the Privacy Commissioner and any individuals who are affected by a data breach if that is likely to result in serious harm.
So what’s out there?
Will says that cyber attacks can include:
- Email threats and phishing, including the increasing incidence of spear phishing
- Malware and ransomware
- Cloud service provider hacks
- Denial of service
- Advanced persistent threats
“While global ransomware generally attracts the column inches in the press, the biggest risk to any firm is probably at the employee level,” he says. “This could be as simple as a staff member opening the attachment of an email that they should have recognised as a phishing email.”
He adds spear phishing is also becoming more prevalent. This is a more sophisticated version of phishing where the malicious party profiles the person it wants to target (including by monitoring their social media profiles) to better understand their target’s movements and personality. The scam email is then prepared to look like it has originated from someone the victim knows (increasing the likelihood of the email being opened).
“However, this type of incident is the easiest (and cheapest) to plan for, by way of staff engagement and training.”
The best thing you can do is be prepared, Will says, especially when you consider the amount of sensitive information legal and accounting firms hold. He says having a cyber incident response policy that sits alongside an organisation’s other business plans is crucial. The plan should cover the following key steps:
- Deploy an incident response team
- Undertake initial damage limitation
- Ascertain the impact of the breach and carry out a risk assessment
- Decide how to respond to the threat
- Manage the required notifications and external considerations
- Debrief and determine what, if anything, needs to change
“What is clear is that most organisations will experience a cyber attack if they haven’t already,” Will says. “This means all organisations need to put in place a cyber incident response policy, which is to be shared and understood by all employees.”
Will says cyber incident response drills, just like fire drills, should be carried out so everyone knows what to do and whom to contact if an incident occurs (and no one is left Googling what to do next).
The key word when it comes to guarding against attacks is “prepare”, Will says. “You won’t be able to avoid an attack forever,” he says, “it’s not ‘if’, it’s ‘when’. And it’s about what happens when it happens, and how prepared you are, that will make the difference.”
Jirsch Sutherland Partner Bradd Morelli says it’s more important than ever for companies to be aware of the implications of what can happen to them if they experience a cyber attack.
“It can lead to reputational damage that ends up ruining relationships with clients,” he says. “And that can derail a business.
“Having a plan in place to guard against these attacks is not only important but an increasing number of potential clients now ask about security systems and how data is stored before committing. The firm that doesn’t have an answer to that question shouldn’t get the work.”
Will is a Senior Associate with McCullough Robertson and specialises in IT law. If you or your clients want to know more, or need assistance in this area, Will can be contacted at firstname.lastname@example.org or 02 8241 5661.