‘We’re going to see more of these large attacks in the coming years’
Following the Optus data breach, there are a number of things in-house counsel can do to safeguard their organisations against cyber crime, according to this partner.
Speaking recently on the Corporate Counsel Show, Eden Winokur, who is a partner and head of cyber at big law firm Hall & Wilcox, took a deep dive into the lessons for corporate Australia in the wake of the Optus data breach — what in-house lawyers and legal departments can and should be doing moving forward.
Mr Winokur has worked on hundreds of cyber incidents and emphasised that cyber security is “one of the biggest challenges companies around Australia are facing today”.
After working in the cyber security space since as early as 2010, Mr Winokur said that, unfortunately, the breach was not a surprise.
“I strongly expected something like this to happen. Unfortunately, I expect more of these types of things to happen, whether it’s major data breaches, whether it’s ransomware attacks against major Australian corporations, [or] whether it’s the targeting of critical infrastructure. These are things that we’ve seen building; we’ve seen it happen overseas. It’s, in my view, the natural progression of where I think this is going. I don’t think that Optus will be the last of it,” he said.
“I think [it] puts cyber on the tips of everyone’s tongues. Every person I think in Australia was either affected or knows someone who was affected by this breach. Watching it play out so publicly in the media has, I think, resulted in everyone having an opinion and thinking about these risks.”
The fact that Optus has strong cyber security teams and controls also means this kind of attack could happen to any kind of company, Mr Winokur warned.
“When you stop and think about it from a legal perspective, and if you look at what the courts or regulators say about that, in a widely discussed court decision earlier in the year where ASIC brought its first-ever court proceeding against a financial service licensee, the case of ASIC and RI Advice, Her Honour Justice Rofe said in that case, and I’m paraphrasing here, but there’s an understanding that you can’t eliminate cyber risk. You can’t reduce your cyber risk to zero. But she also followed up with a statement that there are things that you can do to mitigate that cyber risk,” he added.
“And that is the prevailing message that I’ve been talking with companies about for a number of years. You can’t eliminate cyber risk, but there are a lot of things that can be done to mitigate the risk of being attacked in the first place. And then, just as important, if you are attacked, be sure that you’re well prepared to handle it in the right way to mitigate the risk that the attack will have on your business and your customers. [But] I, unfortunately, think we’re going to see more of these large attacks in the coming years.”
Because issues of this kind are among the most prominent for in-house lawyers, the data breach has likely changed the nature of legal department roles, even though it was already commonly accepted that cyber is a major risk.
“A lot of law firms or in-house counsel or companies themselves will characterise cyber as a top-three risk that their business faces. So that’s been the accepted position before Optus,” Mr Winokur explained.
“Now, we’ve had Optus, so what difference do I see? Well, again, that perception of the risk that cyber poses, I don’t think that that’s going to materially change. What I do think will change, and this is the key thing, is I think now on the back of Optus, and given how public it was, there’s going to be a moment where legal departments or companies themselves will look at the situation and say, ‘We actually need to do something about this now’.”
In terms of how companies can actually start to tackle the issue, Mr Winokur advised companies to look at cyber as an “enterprise risk”.
“It’s not an IT issue; it’s a company issue. It’s an overall risk issue, the same way you’d look at any other general risk that businesses face. I like to look at it as a holistic risk. One part of that is definitely going to be the IT issues. Let’s not kid ourselves; at its core, it is an IT issue, but it is a lot broader. That’s one component of it. And I’m a lawyer; I’m not an IT expert, but I do get the privilege of working with some of the best cyber security practitioners in Australia when I assist companies to work through cyber incidents,” he said.
“I think it’s really important that if you’re a legal department, you’re speaking with either your internal and/or your external IT teams to ask, where are we from the IT side of things? Do we have an alarm system? Do we have complete monitoring of what’s going on?
“And if we’ve got monitoring, and we’ve got our CCTV footage (and that’s really your logs if you’re looking at it from a cyber perspective), how far back do we keep the videos? You need to have logs that monitor everything that goes on inside your network, and then you need to be keeping those logs for a sufficient period of time so that if an attack happens, you’re able to trace it back. And I’ve seen it firsthand so many times where the logs that are maintained are just not sufficient, so that we get there and we can’t actually figure out what the cyber criminal’s done because those logs are unfortunately no longer being maintained.”
Therefore, moving forward, in-house legal teams can not only communicate with their IT teams but also consider whether bringing in an external party to test the organisation’s cyber security measures may be a positive learning experience.
“Do some penetration testing, really have someone try to hack into your systems and see how they can go. It’s almost like hiring someone to try and break into their house with all of that excellent security in place, because those vulnerabilities can be the difference between your company being attacked and not being attacked,” Mr Winokur added.
“That’s the key with IT. Really get into understanding where your systems are at. And I would recommend actually bringing in people to try and break in. That’s the IT side. Then you’ve got to look at the legal side of things, and that’s really where I think the in-house legal teams have the most work to do.”
The transcript of this podcast episode was slightly edited for publishing purposes.