Nexon blog - How to lead your organisation through a cyber security crisis and bounce back

In recent years, cyber incidents have compromised personal data, cost millions, destroyed careers and trashed brand reputations. As a result, business owners, executives and directors are under pressure to act decisively in an environment of fast change and information overload.

This pair of articles is designed to help cut through the noise with practical advice and resources to inform your decision-making.

Part one explores what the Australian Government’s Cyber Security Strategy means for business leaders. In this second article, I summarise the key findings from Governing Through a Cyber Crisis: Cyber Incident Response and Recovery for Australian Directors. This report is a follow-up to the Government’s strategy document, produced in partnership with the Australian Institute of Company Directors (AICD), the Cyber Security Cooperative Research Centre (CSCRC) and the law firm Ashurst.

The report’s primary goal is to help businesses of all sizes better prepare for, respond to, and recover from significant cyber incidents. It includes practical steps and pragmatic advice covering best practices, processes, controls, data governance, testing and simulation, as well as communication and reputation management.

The role of a board during a cyber crisis

The Governing Through a Crisis report makes it clear that accountability and responsibility for cyber security start at the very top, as is evident from the foreword written by the Hon Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security:

Business leaders, boards and directors have important obligations to protect their organisations and customers from cyber risks. Australians rightly expect businesses to take cyber security seriously.

It insists that board members and executives must be confident that their organisation is ready, be prepared to become proactively involved in incident responses, and understand the regulatory, operational and reputational risks at stake.

The report comprehensively details the key roles, questions and red flags relevant to the four main stages of crisis management: readiness, response, recovery and remediation.

Here are the key points:

READINESS: What you need in place now

Check 1 - A documented cyber incident response plan that is regularly refined.

Check 2 - Defined roles and responsibilities to ensure effective decision-making.

Check 3 - A clear communications strategy for internal and external stakeholders.

Check 4 - Training and testing that simulates crisis conditions.

RESPONSE: What to do during a crisis

Check 1 - Provide proactive support and oversight of management decisions.

Check 2 - Consistent, timely, accurate and transparent stakeholder communications.

Check 3 - Seek expert external advice to support decision-making.

Check 4 - Understand reporting obligations and liaise with regulatory bodies.

RECOVERY: What to do following an incident

Check 1 - Oversee investments needed to secure systems and data immediately.

Check 2 - Take steps to support the well-being of employees impacted by the crisis.

Check 3 - Oversee a comprehensive post-incident review, including consultants if needed.

REMEDIATION: How to make good and minimise damage

Check 1 - Drive the implementation and resourcing of customer-focused remediation plans.

Check 2 - Ensure ongoing communication with impacted employees, customers and third parties.

Check 3 - Oversee complaints handling processes and provide compensation where appropriate.

Check 4 - Responsibly share learnings and knowledge with other organisations.

RED FLAGS: Check for common warning signs

The report goes into more detail, but here are some of the red flags we often see in our work with clients.

Red flag 1 - Leaders do not undertake regular incident and response simulations.

Red flag 2 - Confusing, contradictory or opaque internal/external communications.

Red flag 3 - A delay between the incident and the understanding of the impact.

Red flag 4 - A focus on fixing symptoms rather than investigating root causes.

Red flag 5 - Lack of clear accountability. Finger-pointing between departments.

Red flag 6 - Unclear who will support customers after an incident and how.

A cyber incident is a matter of when, not if

As digital platforms become business as usual, every business will at some stage face an attack, breach or error. Backed by research and recent real-life examples, the report illustrates that a cyber incident is virtually inevitable for Australian organisations.

Governing Through a Crisis is a valuable resource for you and your team if you’re not entirely confident in your organisation’s cyber readiness or simply want to interrogate and cross-check your processes with best practices.

For broader context, part one of this article series explored the Government’s 2023-2030 Cyber Security Strategy.

We’d be happy to chat if you have questions about either of these reports or would like to discuss your cyber security readiness or strategy.

Paul Edmondson is Head of Cyber Security Sales at Nexon Asia Pacific.
For more information, contact Nexon today.