It might be a new year, but the impacts of data breaches across both Australia and New Zealand in the second half of 2022 still feel fresh. The cyber security incidents, whether direct ransom attacks on companies, governments and institutions, or on their key suppliers, has amplified the need for organisations to have a robust, up-to-date incident response plan.

Cyber security is now considered a top risk by corporates. There were 396 notifications reported to the Office of the Australian Information Commissioner in the first six months of 2022, representing a 33 percent increase in the number of breaches involving the data of 5,000 or more Australians. New Zealand’s National Cyber Security Centre, meanwhile, reported 350 incidents affecting nationally significant organisations in the 2021 / 2022 year.
 
Some organisations have crisis management plans in place, and conduct penetration testing and other stress testing on network security. However, many are not prepared for what happens once a data breach is detected, and fail to appreciate or plan for the enormous communications and stakeholder engagement requirements.
 
Porter Novelli Australia has chosen this week, in the lead up to Data Privacy Day on 28^th January, to unveil a new data breach simulation model, bolstering its cyber incident response offering. The simulation is a half-day event which can be coupled with executive media training specific to data breaches and cyber incidents. The model is now being used with executive teams and boards to test their existing plans against a realistic and escalating scenario.

Chief Executive Officer, Rhys Ryan (pictured), said many companies that experience real reputation problems following a data breach were simply not prepared: “We are called in for particularly difficult incidents, not run-of-the-mill data breaches. What we see over and over are organisations whose leaders simply did not anticipate the challenge of communicating simultaneously with hundreds of thousands of people, often in an environment where they can’t use the normal tools of communications because of the incident itself.”

Since the Notifiable Data Breaches scheme was introduced in Australia almost five years ago, Porter Novelli has responded to dozens of serious incidents. “In some cases, you find out you’ve had a data breach at the same time as everybody else, which is tough if you’re a listed or government entity,” Rhys explained. “This is happening more often because the threat actors have markedly improved their targeting over time.”
 
“In that scenario, having a specific data breach response plan and regular simulations puts you light years ahead. At this point, it is really a matter of good governance.”
 
Porter Novelli’s new data breach simulation model comes after five years of honing the agency’s response models in partnership with forensic firms, legal partners and insurers.

“Our model is designed to find gaps in clients’ plans, and to test their executive teams’ response before they’re in a live breach simulation,” Rhys said. “No one has less time than the executive who has just been informed of a data breach. Consumer, stakeholder and regulatory expectations on how corporations respond to a cyber incident are specific and evolving, which means that relying on existing Crisis Management Plans will no longer suffice. Great response requires good preparation.”

As a first step, Porter Novelli is urging all organisations to ask themselves five questions:

• Is cyber incident response a Board-level issue in your business?
• Do you have Board-level agreement on your guiding principles in the event of a breach? The 24 hours following a ransomware attack are not the time to decide whether you would pay a ransom.
• Do you have a data breach plan for the first two hours?
• Do you have established relationships with experts - specialist legal counsel, forensic IT experts, specialist communications - who can help you at a moment’s notice (and an insurance policy)?
• Beyond your crisis plan and business continuity plan, do you have a specific response plan for cyber incidents, ransomware attacks and data breach scenarios? Have you tested it with a simulation?

“Black swan” events (high-impact, hard to predict and rare events beyond the realm of normal expectations) really put crisis planning and management to the test, and a plan’s weaknesses and vulnerabilities are horribly exposed. But the rise and regularity of cyber security incidents hardly qualifies them as black swan events any more - there is an element of inevitability.