Why you must run mock cyber attacks
Stricter regulations for data protection are coming to Australia, one senior in-house counsel-turned-partner said. As such, law departments must up the ante in ensuring their businesses are safeguarded.
Andrew Truswell has over 25 years of in-house experience, having worked for airlines such as Qatar Airways, Qantas, Jet Asia, and Amadeus, as well as tech companies, including Capgemini, Versent, PaySociety and NetApp.
Those years of experience – together with his observations of the age of coronavirus – led him to believe that general counsel cannot ignore the need for a “sound data strategy”.
Speaking recently on The Corporate Counsel Show, Mr Truswell reflected that, during the pandemic, many airlines were without passengers, and thus took the opportunity to see where they could improve their tech processes. Aviation is a competitive space, he explained, and data management forms part of this – particularly with a tightening regulatory landscape.
Now a partner at BizTech Lawyers, Mr Truswell is adamant about supporting clients in developing a strategy for data “rather than a single piecemeal approach to achieve a strategic objective”.
“Moving to being someone who is instructed [rather than doing the instructing], I hope to be able to provide value and tune in to the strategic requirements of the client, and also help them to see and achieve those strategic objectives,” he said.
Such a broader strategy is essential for law departments right now, Mr Truswell argued, given that he believes the Australian government “is definitely headed” in the direction of the European Union’s General Data Protection Regulation (GDPR).
“Now is the time to be cognisant,” he warned.
“Even companies that don’t consider themselves tech companies have logistics issues, which mean they deal with data, and thus need a data strategy.”
It would help, he suggested, for businesses to run mock cyber attacks and thereby deduce how vulnerable their network is, and consider what might happen in the event of an actual attack.
“If personal information is at the core of a company’s business, you really need to consider protecting the network through safeguarding mechanisms, including cyber insurance. Also, if the mock cyber attack shows a vulnerability, it can be addressed.”
Data strategies, Mr Truswell said, are like plumbing.
“They can access the pipe through which the data flows. And unless you have a strategic approach to protecting it across the board, there are vulnerabilities,” he said.
This happened recently in the aviation sector, he detailed.
“Frequent flyer data that was exchanged between groups of airlines that share such data ended up in one place where it was hacked and leaked,” he said.
Law departments must ensure such mock attacks are carried out, Mr Truswell continued, also given how little time a business may have to respond.
“The GDPR gives you a 72-hour window, which is barely sufficient. It doesn’t allow for a root cause analysis, and if rights and freedoms of the data are affected in that period, you have obligations to the regulator.”
In response to such challenges, he noted, “standards should be applied”.
These include, he said, standards for compliance, data backup, protection against hacking, and information security.
“If you have standards across the board and apply them through a network of contracts, that basically strengthens the whole plumbing system of data. So, if there’s a vulnerability or attack, it’s the same across the whole network of contracts,” he concluded.
The transcript of this podcast episode was slightly edited for publishing purposes.