It’s time to take a deep breath and get real when it comes to cyber security


Cyber attacks are a day-to-day reality for all businesses and each week we witness another well-regarded brand being served up as the latest casualty of what is a global, extremely well-funded and organised threat, writes Geoff Fowlstone.

In my experience, while the legal profession has well thought through systems and policies to manage the legal elements of a cyber breach, there can be a dearth of ‘big picture’ thinking to bring focus to all the elements of a breach, particularly when it comes to the threat to an organisation’s reputation.

The old adage attributed to Warren Buffett – it takes 20 years to build a reputation and five minutes to lose it – can be rewritten for the digital age: it takes 60 seconds to lose it.

One of the key risk factors for the legal profession is an overconfidence in the organisation’s ability to successfully deal with a breach. By way of example, a recent survey showed that 88 per cent of in-house counsel rated their company’s ability to manage a social media crisis as ‘good or very good’ yet the same group estimated the average time it would take them to act was 38 hours.

In the digital age, news of a cyber breach often breaks on social media, at what equates to the speed of light! One of the realities of a planet that boasts more than 7 billion mobile devices (more even than the number of people) is that information proliferates at an incredible speed.

Preparation (like always) is a key factor in successful execution

A key observation from numerous experiences at the coal face is that preparedness is a significant mitigant to the amount of damage done. The harsh reality is that organisations that do not have robust systems and policies in place usually find out far too late that they have been compromised and they lack effective plans to manage the response.

“There are two types of companies in the world: those that know they’ve been hacked, and those that don’t” – Misha Glenny, journalist and author on cyber security

In many cases, companies which have been breached find out about the breach from a third party, frequently customers or partner organisations, and this often manifests through negative social media posts.

Fifty-one per cent of organisations surveyed by the Australian Cyber Security Centre in April 2017 said that they tend to be alerted to possible breaches by external parties before they detect it themselves. 

A credible social media listening tool should be a hygiene factor in the risk management planning of every organisation, yet many organisations do not have such a tool in place.

There is now nowhere to hide

The mandatory reporting legislation, which comes into effect in February 2018, is a game-changer and will alter the landscape for legal firms and their clients. How organisations respond to a breach is about to become even more important, and there will be nowhere to hide.

Even if the news does not break on traditional or social media, these new reporting requirements mean that organisations will have to not only inform customers directly, but also notify the Office of the [Australian] Information Commissioner and make a public announcement online.

Handling communications around a breach

In my experience, most organisations are woefully underprepared for the significant risks associated with a cyber breach, particularly how they manage the vast potential brand damage of a poorly handled response to a cyber attack.

It is critical for companies to have a plan in place that covers how to communicate with all stakeholders such as clients, regulators, staff and suppliers. 

“Only 52 per cent of organisations have a cyber security strategy in place” – Grant Thornton report, 2016

Preparation is key. Many firms fail to have communications channels established so that they can reach all clients quickly. Organisations frequently (and rightfully) get criticised for failing to have adequate processes in place and therefore not alerting affected clients soon enough.

Consider how your clients would take this if their systems are compromised and they cannot use email – as DLA Piper found earlier this year when it was impacted by a ransomware attack and had to text staff and clients alerting them not to use email or landlines, only mobile numbers to communicate.

Importantly, providing regularly updated guidance on what customers should do if their information has been breached should be a key part of the communications strategy.

In our experience, bringing in third-party experts – such as an independent security expert – is a vital strategy to cut through the obvious loss of credibility when an organisation has suffered a major breach and managed it poorly.

Managing media and social media

There is tremendous power in proactivity when it comes to communication. While each situation is different, as a principle we almost always advocate a proactive approach to informing all affected parties. Even if the mandatory reporting requirements are not applicable in particular circumstances, the risk that a client finds out through the media that there has been a breach at the firm will be considerably more damaging than if they have been informed upfront with an authentic apology from the firm.

While the legal requirements may be clear, handling the specific needs of each stakeholder group through rapid communications and tailored messaging forms an important part of the process. In our experience, it often requires direct communication from the CEO to appease affected customers. In fact, we have even had instances where handling customers well has attracted positive feedback from impacted customers.

Disgruntled customers or impacted parties who are prepared to speak to the media will always add fuel to the story. Customers speaking out add a new dimension to the coverage and can dramatically increase the impact.

A breach does not have to be a catastrophe

While cyber risk is a day-to-day reality, if it is handled rapidly and with due concern for all of the stakeholders involved, it does not have to be business threatening. Some upfront preparation gives a considerably higher chance of a successful outcome in limiting the reputational damage to the organisation, and given that a cyber breach is a matter of ‘when, not if’, there is every reason to get started today.

Geoff Fowlstone is a principal at Fowlstone Communications. Geoff has an extensive background in corporate affairs, investor relations, investment banking and politics. He has held senior roles at Burns, Philp & Company, Gresham Partners and in New South Wales politics. Since establishing Fowlstone Communications in 1999, he has advised some of Australia’s largest public companies through very high-profile and complex issues in diverse industry sectors.
