Porter Novelli Australia revealed it is strengthening its data breach simulation offering.
As 2023 kicks off, the agency noted that the impact of recent data breaches on millions of Australians has amplified the need for organisations to have a robust, up-to-date incident response plan.
Some Australian companies, governments and institutions have crisis management plans in place and conduct penetration testing and other stress testing on network security. However, the agency noted many are not prepared for what happens once a data breach is detected, which often results in massive communications requirements.
Rhys Ryan, Porter Novelli Australia’s chief executive officer, said many companies that experience real reputation problems following a data breach were simply not prepared.
“We are called in for particularly difficult incidents, not run-of-the-mill data breaches. What we see over and over are organisations whose leaders simply did not anticipate the challenge of communicating simultaneously with hundreds of thousands of people, often in an environment where they can’t use the normal tools of communications because of the incident itself.”
“Since the Notifiable Data Breaches scheme was introduced almost five years ago, we have responded to scores of these incidents. In some cases, you find out you’ve had a data breach at the same time as everybody else, which is tough if you’re a listed or government entity. This is happening more often because the threat actors have markedly improved their targeting over time.”
“In that scenario, having a specific data breach response plan and regular simulations puts you lightyears ahead. At this point, it is really a matter of good governance.”
Having honed its response models in partnership with forensic firms, legal partners and insurers over five years, Porter Novelli has bolstered its cyber incident response offering with a new data breach simulation model. The model is now being used with executive teams and boards, to test their existing plans against a realistic and escalating scenario.
Ryan said: “Our model is designed to find gaps in clients’ plans, and to test their executive teams’ response before they’re in a live breach simulation. We create a series of scenarios that are realistic, but also test against a worst-case scenario to ensure our clients are fully prepared when the inevitable occurs.”
“This level of ‘inevitability’ is the reason cyber security is now considered a top risk by corporate Australia. There were 396 notifications reported to Office of the Australian Information Commissioner in the first six months of 2022, representing a 33 per cent increase in the number of breaches involving the data of 5,000 or more Australians.”
“No one has less time than the executive who has just been informed of a data breach,” he said.
“Consumer, stakeholder and regulatory expectations on how corporations respond to a cyber incident are specific and evolving, which means that relying on existing Crisis Management Plans will no longer suffice. Great response requires good preparation, so we have developed a simulation product to build on our long-standing experience in reputation management and data breach response,” Ryan added.
The simulation is a half-day event which can be coupled with executive media training specific to data breaches and cyber incidents. Porter Novelli has rolled out the simulation model to clients across the financial services, retail and education sectors over the past three months.
As a first step, Porter Novelli urges all organisations to ask themselves five questions:
1. Is cyber incident response a Board-level issue in your business?
2. Do you have Board-level agreement on your guiding principles in the event of a breach? The 24 hours following a ransomware attack are not the time to decide whether you would pay a ransom.
3. Do you have a data breach plan for the first two hours?
4. Do you have established relationships with experts – specialist legal counsel, forensic IT experts, specialist communications – who can help you at a moment’s notice (and an insurance policy)?
5. Beyond your crisis plan and business continuity plan, do you have a specific response plan for cyber incidents, ransomware attacks and data breach scenarios? Have you tested it with a simulation?