Crisis Management Response: Ransomware - The War You Can't Lose!
Estimated read time: 1:20
Summary
In an engaging and comprehensive webinar by Cultural Cyber Security, a panel of experts delves into the crucial aspects of managing a ransomware crisis, emphasizing the importance of preparation, communication, and legal considerations. Brian, the host, facilitates a rich discussion covering risk assessment, communication strategies, legal complications, and the human factors involved in crisis management. The conversation highlights the essential need for organizations to have predefined plans, training, and external support ready to tackle such cyber threats efficiently.
Highlights
- Brian and his expert panel embark on a journey through the chaotic world of ransomware attacks and their management. 🚀
- Emphasis on the importance of specialized skill sets and partnerships to navigate a cyber crisis. 🤝
- Discussion on the necessity of having crisis communication strategies and the role of media. 📰
- The critical role of legal counsel in managing potential lawsuits and protecting information. 📑
- Debate on the dilemmas organizations face regarding ransom payments and the repercussions. 💸
Key Takeaways
- Preparation is key! 🛡️ Organizations need a strong pre-defined plan and regular drills to manage ransomware attacks efficiently.
- Communication is critical! 📣 Both internal and external communication strategies should be clear to manage the crisis's narrative.
- Legal considerations are paramount! ⚖️ Engage legal experts early to navigate the legal ramifications and protect privileged information.
- Understanding risks and impacts 🎯 helps in making informed decisions during a ransomware crisis.
- Organizations may face tough decisions on whether to pay the ransom 🏦, guided by legal and ethical considerations.
Overview
The webinar hosted by Cultural Cyber Security highlights the multifaceted approach required to tackle ransomware threats, emphasizing preparation, communication, and legal acumen. Through a series of hypothetical scenarios, the experts convey the importance of having structured plans and specialist teams ready to act swiftly. This includes having backup plans and understanding both the technical and human elements at play.
A central theme in the discussion is the significance of effective communication. The role of a well-prepared communication team is pivotal in managing both internal and external narratives to maintain trust and transparency. The experts shared insights on the delicate balance between operational transparency and legal prudence, especially when deciding on public disclosures.
Legal considerations are explored in-depth, with a focus on leveraging legal privilege to protect sensitive investigations and decisions made during the crisis. The complex decision-making around ransom payments is also dissected, illustrating the ethical and practical challenges organizations face. The panel underscores the importance of preemptively understanding these dynamics to navigate future crises effectively.
Chapters
- 00:00 - 03:00: Introduction and Purpose of the Discussion The introduction begins with a light-hearted and self-deprecating welcome from Brian, a representative of Cultural Cyber Security. Brian humorously acknowledges any potential mistakes due to his recent travels, illustrating a relatable human experience. He then emphasizes the purpose of the discussion: to introduce a distinguished panel of experts. The goal is to shed light on the significant challenges faced by organizations today, particularly focusing on responses to unforeseen crises in the cybersecurity realm.
- 03:00 - 06:00: Importance of Expert Insights in Crisis Response This chapter discusses the critical role that expert insights play in effectively responding to cyber crisis events like ransomware. It takes readers on a journey of understanding, acknowledging that while not all answers are provided, gaining expert perspectives is essential. A common observation is that many try to handle such crises independently, without leveraging specialized expertise. The chapter emphasizes the importance of evolving both as a community and individually, and recognizing the necessity of expert involvement in managing these challenges.
- 06:00 - 11:00: Panel Introduction and Crisis Scenario Setup In the chapter titled 'Panel Introduction and Crisis Scenario Setup,' the speaker emphasizes the need for specialized skill sets and partners to navigate a challenging situation. The speaker takes the opportunity to introduce the panel, mentioning that the panel members are experienced and articulate, with valuable insights to offer. Despite the humorous acknowledgement of panelist Simon's lengthy self-introductions, the speaker introduces Lisa Goddard, a media expert in cyber, as the first panelist.
- 11:00 - 16:00: Risk Assessment and Initial Response Steps In this chapter, the focus is on Risk Assessment and Initial Response Steps. It introduces Ben Warren from Ellen Warren Napa Lawyers, who shares unique insights from a legal viewpoint on crisis communications that may not be typically considered. Simon PT brings his extraordinary military experience into the risk assessment and management arena through his business, Escalade Consulting. Dr. James Carlopio provides his expertise in organizational psychology, contributing significantly to understanding business dynamics during crises. The chapter integrates perspectives from legal, military, and psychological fields to form a comprehensive approach to risk assessment and response.
- 16:00 - 21:00: The Role of Communications in Crisis Management This chapter is centered on the significance of communication in handling crises effectively. The speaker invites open dialogue, highlighting that the session is unscripted and exploratory. They intend to provide some structure while allowing for flexibility in ideas and approaches. The speaker also indicates a willingness to adapt ideas as necessary throughout the exploration of cyber security and its cultural implications.
- 21:00 - 26:00: Legal Considerations and Class Action Risks The chapter focuses on legal considerations and risks associated with class action lawsuits. It emphasizes the importance of challenging each other's perspectives to achieve extraordinary outcomes, highlighting the value of diverse experiences. Listeners are encouraged to engage with speakers through a Q&A session rather than chat.
- 26:00 - 31:00: Risk Management and Stakeholder Notifications The chapter focuses on the importance of stakeholder notifications in risk management. It emphasizes that the session is recorded for future reference, ensuring that stakeholders who are not present can review the material later, highlighting a commitment to transparency and communication. The speaker thanks the audience for their valuable time, quoting Warren Buffett to underscore the irreplaceable value of time. The introduction ends with a transition to the main content, emphasizing the gratitude towards participants.
- 31:00 - 36:00: Media and Public Relations Challenges The chapter titled 'Media and Public Relations Challenges' opens with a speaker preparing to share slides on a current event or situation. The speaker ensures that the audience can view the screen and confirms that they can proceed with the presentation. There is a sense of urgency or importance as the speaker sets the scene for what has just unfolded, hinting at a recent event that requires explanation or discussion regarding media and public relations challenges.
- 36:00 - 41:00: Decisions on Ransom Payment The chapter titled 'Decisions on Ransom Payment' opens with a sudden and widespread cyber-attack across an organization, where multiple computers and devices suddenly display a message indicating that files have been encrypted. The attackers are demanding a ransom of 250 Bitcoin, a substantial amount of money, in exchange for the decryption key. Strangely, they have also provided some login credentials and a password.
- 41:00 - 45:00: Summary and Key Takeaways The chapter emphasizes the importance of being prepared for cybersecurity incidents by having an incident response plan in place. It highlights that many people fail to practice these plans, mistakenly believing that merely having a documented plan is sufficient. This creates challenges when an actual incident occurs, as teams may be unprepared to execute the plan effectively. Key departments such as IT and cybersecurity are involved in responding to and verifying incidents, emphasizing the need for readiness and practice beyond just having written guidelines.
- 45:00 - 47:00: Closing Remarks and Audience Engagement The chapter discusses issues related to digital documents, specifically focusing on a document that has only been produced in digital form and has not been printed. The document is currently inaccessible because it is encrypted due to a ransomware attack. The ransomware involved is identified as Haron ransomware, implying a struggle with cybersecurity threats and the inability to access important data. The chapter also hints at the engagement of the audience with the aftermath of such an attack and possibly solutions or preventive measures to handle such situations.
Crisis Management Response: Ransomware - The War You Can't Lose! Transcription
- 00:00 - 00:30 It's never true, I'm wrong. Welcome, every morning. Did I say "you're welcome every morning"? I've been travelling, I'll be on like a flock dog, folks, so please forgive me. My name's Brian, hey, I'm a complete idiot from Cultural Cyber Security, and it is my esteemed pleasure this morning to introduce you to a wonderful group of people who will hopefully provide an enormous enlightenment of the challenge that so many of our organizations are facing today, and that is what to do when the hell on it all unleashes upon you
- 00:30 - 01:00 with a cyber crisis event such as ransomware. So we're going to take you on a journey this morning. We're not going to have all the answers, and that's not the point of this exercise; it's to get insights from experts. One of the things I constantly see when I'm talking to clients is they're trying to manage things within themselves, totally without areas of expertise, and the thing is, as we evolve to this challenge as a community, as an organization, as individuals, we've got to come to the realization we
- 01:00 - 01:30 need specialist skill sets and special partners to get us through this challenge. So what I would like to do is first of all introduce you to the panel. Now these people can talk, as you're soon going to find out, and they have great things to say, so I'll introduce them, because I know that if I allowed Simon to do a personal introduction we'd get underway in about another 12 and a half minutes. So if I could introduce Lisa Goddard, dhoni media expert in cyber
- 01:30 - 02:00 crisis communications; Ben Warren from Ellen Warren Napa Lawyers, who is going to provide some pretty cool insights from a legal perspective that I'm sure you've never thought about; Simon PT, extraordinary experience in his background in the military, and now he's taken his risk knowledge from those environments into his business with Escalade Consulting; and Dr James Carlopio, sorry, organizational psychology extraordinaire, of course with the famous or infamous business and company
- 02:00 - 02:30 Cultural Cyber Security. So folks, thank you so much for this morning. If I could just put out: feel free with your dialogue. We know there's no script; this is a confirmation that I'm giving to you that we are embarking upon an exploration. I will try to provide that structure and I'm going to unleash some circumstances. Now I've given you an idea, but I will put you in the position of warning that I may change the ideas
- 02:30 - 03:00 as we proceed if you're answering the questions and providing too much relevance. And what I will encourage you, and I know you will, is to challenge each other if you don't particularly agree, because we need to come together and demonstrate how strong-minded individuals with great experience can bring different perspectives that can produce extraordinary outcomes. Okay, now folks, please engage with these extraordinary speakers and do so through the Q&A, not through the chat. Okay,
- 03:00 - 03:30 we are recording this session for anyone who's not here or would like to have a version of it to read and review; it will be made available to all of you, the audience out there, and the response has been extraordinary across the nation. So thank you very much for giving your time. Time is precious; as Warren Buffett once said, I can buy anything in the world I want except time. So your time to spend this with us is a great privilege. Now that's enough about me, I'm going to
- 03:30 - 04:00 share a couple of slides now. Thank you again, everyone, and I will set the scene on what has just unfolded. If someone could confirm for me that you can see that screen? Yes, I can. Phase one, beautiful, thank you Ben. So what's just happened, folks? It appears that this screen or capture
- 04:00 - 04:30 is popping up on numerous computers and devices across the organization. You know, it's 9:05 and all of a sudden the monitors are displaying to people: your files are encrypted, they can't access them, send some Bitcoin, 250 Bitcoin. So they're asking for a fair bit of money, and they provided some login credentials and a password for some reason. Okay, now can I just say, for the purpose of the exercise, this is a desktop
- 04:30 - 05:00 notionally. The IT team are on it, the cyber security team are on it, they're starting to look: is this real or is it not? The incident response plan has been enacted, because they're starting to look and say, oh my God, what do we do, what does the incident response plan tell us to do? Because, let me put it out there, most people haven't practiced it, so they think that document's going to be the start of their response, except for one small problem:
- 05:00 - 05:30 that document is a digital document that's never been produced in hard copy, and you don't have it because it's been encrypted as a consequence of the attack. So, point one, what do we do? And immediately following this, I'm just sending the same tracks, we've got another message, and the entity that's encrypted our network is Haron ransomware. They can't spell very well, but it's ransomware, and so what
- 05:30 - 06:00 they're doing now is providing you access to enter your login and your password details, provided in the original communication, to prove that their decrypter works. Okay, then they've sent us another one: so you know what, we'll give you a sample of files, the clock is ticking, you've got 24 hours. What do we do? So Simon, if I can go to you first: from a risk perspective, how would you assess this risk at this point in time? It looks like the majority of
- 06:00 - 06:30 your data, from initial scoping by the IT team, have come back to ensure we're not in a good place; this is real. So, Brian, thanks for that, and great to have the opportunity to speak with you and everybody else this morning. The first thing that I'm thinking is, yes, I'll obviously be shocked, and any organization when this occurs would immediately be thinking that first question: hang on,
- 06:30 - 07:00 is this real? And as you describe, those IT organizations, your IT team or your external support team in that space, will be trying to determine the legitimacy. But from a risk perspective, surely by now every organization in this country and globally is saying it's finally us, because the concept of this being, if we talk from a risk perspective about it, is it possible or is it likely for organizations at this time?
- 07:00 - 07:30 Absolutely, this is something that every organization should be concerned about and should be thinking about: what would we do? So the first thing that I'm thinking is, okay, it's now on us, and what have we done, what do we know? The second piece, which you've already put in train for us, is the concept of: there are plans, but they're hidden. So my other point in terms of thinking ahead is, what did our plan say, how
- 07:30 - 08:00 experienced, what's our muscle memory telling us now? For everybody that's listening right now, that should be either people nodding along and going, that's right, we've started to practice this, we've started to move through, or there will be organizations that say, actually, we don't really know what that next step is. So there should be no surprise, and if somebody is looking at this and saying I am surprised and I don't know what the next step is, from a risk perspective I
- 08:00 - 08:30 am now starting to increase the concern levels. In terms of how far would I look ahead, we now need to think about what does this mean, so understanding exactly what that application that is encrypted is, what was contained in it, and what are the consequences of that. That can get compound both in risk assessments but also your business continuity plans; that is the piece from my side, to determine what is the potential consequence of this action, and do we
- 08:30 - 09:00 have a plan B, or do we have a plan applicant from here? If the answer is no to any of that, then we are starting to spin and churn at a higher rate than what we're potentially prepared for, for any business. Yeah, and I think to be fair, we have IT, I see this all the time, IT and security teams around the country that actually know their structure and they know where their data is, they know the general processes for the disaster recovery, who they can call upon, go and get their backups, and the
- 09:00 - 09:30 notional response or the obvious response is, okay, let's go into disaster recovery mode. We've confirmed it's real and we'll start to see what we can get from our backups and reinvigorate and get back online. And Brian, probably kind of a question back to you is, who's leading at this stage? Because from a side of the statue, this is, we're still in activation, because there is a lot of businesses, there's a lot of executives and boards
- 09:30 - 10:00 that are expecting the CISO or the IT team to become this magic organization. So from your perspective, resolution? Yeah, my perspective at this point in time, it's led by IT and cyber security, primarily the cyber security team, and those responsibilities for disaster recovery, and that can vary in different climates; for the purpose of this exercise that's where it sits. So the CIO has been briefed, they briefed the CEO, the chain of command, you know, the dialogue has been forwarded
- 10:00 - 10:30 and they're still trying to get an assessment on what is the extent of the impact upon our networks, how long can they expect to be down for, what's our point of recovery, and what we should be considering. The other question the executive asked, two things I had, was: what's this Bitcoin stuff, and how much does that cost in real dollars? Because there will be a knowledge gap. We take it, we live it, we breathe it, we take it for granted that everyone knows, but the truth is they don't. So it's about
- 10:30 - 11:00 understanding that sort of position. And I think, sorry, I'd just say, and I think this is where, from my perspective, when we start to, pardon, the partner, escalate this as we go, this is probably our only opportunity to get in front of it, and this is probably a really nice segue to Lisa. In terms of, even though it may be being led operationally by that team, that ability to understand where it
- 11:00 - 11:30 could go, and starting to make people aware of the potential consequences, means that this may be your only opportunity to get things in place before it goes loudly. So I think from a comms perspective, the more time the better. Yeah, preparation is king when it comes to situations like this, and look, we get phone calls all the time where you have corporate organizations who don't have a comms plan in place, they don't have an updated media policy, or social media policy for that fact, so when these
- 11:30 - 12:00 things happen, the best advantage you can give yourself is to bring the crisis comms team in early. You may have an internal team, but they don't have the scalability to deal with potentially something that is well beyond their scope, and, you know, by bringing in outside experts you're then able to have someone there who deals with crisis situations and has that media relations relationship active and is dealing with it every day or every second day. They can come in and back you up. But at that point we come in and we start to say, where is
- 12:00 - 12:30 your comms plan, what is the hierarchy as to who do you have for a spokesperson, let's start asking questions about holding statements, what are your key messages around this. All that documentation should be sitting there so that we can quickly activate and then work out what the line of responsibility is as to who will be briefing the comms team and the operational response team, because comms need to be a key part of that structure. And Simon, you would know that from what you've done: if you don't have that comms team involved early, you really are behind the eight ball. But at
- 12:30 - 13:00 this stage we're hoping for a quick recovery. So one of the things I would challenge out there: the criminals provided us with an opportunity to test their decryption with a sample of the data they allegedly took, and that straight away implies they have exfiltrated data. Now what we've seen with recent events here in Australia is they have exfiltrated very large volumes of data, but it's still handy to know
- 13:00 - 13:30 from a forensics investigation perspective where that data came from, what part of the organization was it, when was it last sourced, is it data that's 10 years old, 10 minutes old, 10 days old; all of these things go in. So it's interesting when you have conversations, there should be a debate, you would expect: all right, hang on there, the criminals are asking us to click on the link to get access to the data. So the obvious thing:
- 13:30 - 14:00 right, stand up a separate system that doesn't connect to your network and test that environment so you can make that determination. And often it's, oh, we don't click on the link, but if you take the appropriate steps, that intelligence that you can gain from that is important and should be considered. Can I just ask, let's ask a point there, because you're talking, even with that question that you're asking, many organizations will not have the knowledge base or capability to answer
- 14:00 - 14:30 that, and even small and medium enterprises, and I would even argue that some larger businesses across Australia and globally, who have got teams that are there purely from an IT systems maintenance perspective. So that concept of expertise, and I think this time advising to, again, how far am I looking ahead, is understanding from an organization what is your capability and what are you going to be
- 14:30 - 15:00 able to do internally, and what do you need external support and advice on. Again, Lisa's talking about getting in front of a marketing, sorry, a communications message. Again, we have seen consistently through real events and crisis events that their communications team is purely a marketing team, it's not a crisis comms team. And again I would argue from a cyber perspective that their cyber team is very good at managing
- 15:00 - 15:30 their systems, but very important is understanding what is our requirement and what is our capability, because you even talk about forensic analysis: does your team even have that capability, and so who else are you going to ask? Do you know that now, or is that something that you're going to have to discover through the crisis event? Simon, will you stop being proactive and moving forward, please, so allow me to guide this conversation where it appropriately needs to go, so such pertinent, valuable information may
- 15:30 - 16:00 be considered. Okay, so at this stage we're still trying to find out. So for the purpose of the exercise, guess what, we're going to find out that the backup data is also encrypted. So the IT team and the security teams have gone away, they've done a bit of a restoration; sometimes in some organizations this can be quite quick because of the systems in place, and other times it can be much longer. Sadly, there are organizations out there that sadly
- 16:00 - 16:30 have never done a full-blown data backup and restoration recovery exercise, so they don't know how long it'll take. And another message has now been received that if payment is not made quickly, that data will be leaked publicly onto the dark web by tomorrow afternoon. Okay, they're restricting the timelines, they're putting more pressure on the business, the situation is looking more dire, and just to throw it in there, media are now making inquiries, as someone has posted the incident on social media.
- 16:30 - 17:00 So it's got worse, the risk has now increased, I'd suggest, and the media are involved now. Lisa, when the media, you know, they're knocking on the door for answers, because we have now lost control. But before we go down that path, I'd like you, if you could share, in terms of a crisis, how quickly should organizations, let's go back to just one step, phase one:
- 17:00 - 17:30 there's internal awareness because that message is popping up. How critical was it that the internal comms team try and contain that situation with internal messaging? Look, it's essential. What they need to do is you need to look at this from two different specifications: one, you've got your internal communications, and then you've got your external communications. So external, we're talking about those media that are calling, turning up at your front door demanding answers. Internal is also critical; you must bring everybody into the tent with you. So you've got your internal staff, who no
- 17:30 - 18:00 doubt possibly could have seen this or have heard, you know, that there is something happening. So you have to ask yourself some really serious questions about how many people are aware of what's happening, what is the risk to our business continuity at this point, what's the chance of this being found out, you know, outside of our walls, and then how we're going to manage that. And then you need to start looking at, structurally, what have you got in place: like, do you have all the stakeholders that you need to contact from an internal perspective, do you have lists that are current, up-to-date contact details for
- 18:00 - 18:30 all of your staff, all of your stakeholders, all of your consultants, all of your contractors, what about the government, what about the regulators. Then you look at the media: what contacts have you got there that you need to, you know, update or inform of what's happening. So many times we will go in and people don't have, as ridiculous as this may sound, a spreadsheet or some sort of data list there of who they need to contact should this happen, and then therefore you have teams of people scurrying around trying to find current
- 18:30 - 19:00 emails or current phone numbers. It can be an absolute nightmare. So one, they need to have that in place; two, the internal comms team need to think about how are we going to communicate this. And so, yeah, we work with them then to say, is it a scale that's looking like we need to activate a hotline? If there's a hotline set up, do we, or a call center, where's the script for that? All of this takes a lot of time, because it's not just a simple, you know, hello, you've reached someone, how can we help you. You need to work out how to divert those
- 19:00 - 19:30 calls through: is it media, is it a shareholder, is it a customer? So you manage that and have it all come into one central point. As well, you need to look at, do you need a landing page on your website so that you can inform people on what's happening? Website's working well? Exactly, or how else would you set up another landing page somewhere to inform people? You have to be seen to be out there and try and stay ahead of it and communicating with people, because if you don't, then you really do lose control of that narrative and then you've got other people filling that space. So you're suggesting, right at
- 19:30 - 20:00 point one, even though the situation was relatively unknown, with certain events were happening, but you would have preferred to have been a part of the awareness of that incident right almost from the immediacy? Because at that point we are doing that audit: what do you have in place and what do we need to start building out? Because if it does go out into the media and it does become a bigger crisis situation, then you don't have time on your side. Time is
- 20:00 - 20:30 really critical, and I'm talking minutes, and when the media storm hits, anyone who's listening who has had to deal with the media in a small-time crisis knows how quickly those calls and those inquiries come through. And if you don't have systems in place: who's logging calls from the media if they start to come through, who are they being sent through to, what's your frontline staff going to say if they pick up the phone and there's a reporter on the line, what's happening, what are your internal staff doing with emails or information that they're getting?
- 20:30 - 21:00 Put in place so that you are right to, as soon as you need to push the button to go live, you're right to go. So just on the issue, this was leaked out, and this is for the purpose of the exercise, on social media by an internal member of staff who saw one of these things. What ideas, tips or strategies could the organizations evoke or invoke to try and limit, how do you manage that internal social media leakage
- 21:00 - 21:30 challenge? The preference is always to try to keep it in-house if you can contain it, and look, I do know of a very, very large private company that had a cyber attack and it shut down their internal systems. Nothing was put in writing, but all staff were told this is to stay internal. They were very lucky, everybody kept their mouths closed and it wasn't put out into the public at all. Importantly, and this will talk to what Simon's involved with, they managed to keep the business
- 21:30 - 22:00 operating, so to the outside world nothing had occurred. Internally they managed to contain it, but I would say that that's a rarity. You know, it's human nature, someone talks to somebody and it gets out, and then if you're an ASX listed company, or you have to meet your requirements for reporting, which Ben and Simon can talk about, then, you know, once you have to report it, you've lost control there; like, it's out there, you can't stop it. So you have all of those plans in place. Okay, I would
- 22:00 - 22:30 just want to defer to James here if I can, and then Ben, I want to come to you with a question. James, looking at what Simon and Lisa have said, how quickly then, if you can't communicate to all of your people because your systems are down or inhibited and things are happening so fast, how critical is it to have your people both aware and behaviorally sound
- 22:30 - 23:00 through an organizational culture that they know what to do, and that is, if we're faced with this event, we definitely do not tell the world first? Absolutely. No, the first time you think about all these things, and that's why everybody's here on this call today, right, because the first time you think about these things cannot be during the actual crisis, right? That's Insanity 101, right? You have to have thought through this, you have to have done the practice and the desktop exercises. But right back to basics, and
- 23:00 - 23:30 we did it in this call right as soon as you flashed up phase one everybody's brain went to this is a network and technical issue what you need to do as soon as you see this is get this is a staff issue a customer issue and a business issue the IT people know what they're doing what we need to manage the crisis is in people in staff in customers in business so yeah absolutely Brian they have to have thought through this and the the culture is you know what what makes it
- 23:30 - 24:00 automatic because they've practiced it before and it's part of what they do it's how they breathe yeah so it can't be just a process that's got to be embedded in instinctive Behavior doing the right thing because that's in your DNA in your organizational culture okay thank you uh Ben I know you've been sitting there very silent which is unusual for uh people of your ilk and your background because you get paid to write words and speak words same may I ask you at phase two would
- 24:00 - 24:30 you have liked to have known a bit had an inkling to this at phase one or no I'm happy to wait to phase two and if you after you went to that if you get you please explain what is going through your mind from a legal perspective at this time yeah um all right well look I think there's a couple of words that came up in earlier in this conversation that should be trigger points for people to contact the lawyer um one of them was exposed exfiltrate
- 24:30 - 25:00 meaning the data has not only been encrypted within the company system but rather it's being taken out of the company system and is in the possession of the criminal um and I use you know the word criminal deliberately um and we'll come to I later so the second one that I've heard used is investigation and so in the context of data has left
- 25:00 - 25:30 the organization it's in the hands of criminals and we're investigating it I want people to think about lawyers at that point because um one of the things that people often don't think about in this context are words like class action there's a massive class action brewing by large national class action firms like Maurice Blackburn
- 25:30 - 26:00 um against the likes of Medibank Private um you only need to Google you know class action Medibank Private and you'll quickly find their website for breach of personal information but I also want people to think about um the potential for massive uh statutory fines for a breach of the privacy legislation privacy legislation in many years gone past used to be sort of a toothless tiger but since
- 26:00 - 26:30 um the European Union brought in GDPR and then Australia followed suit relatively recently by bumping up fines they can now include a percentage of total company revenue or turnover um and so think of fines think of class action think of legal professional privilege which I'll just very briefly explain legal professional privilege is like the trump card for keeping things
- 26:30 - 27:00 confidential in a legal process so um often in any kind of legal process there is the right to subpoena documents or obtain access to records through a disclosure or discovery process and legal professional privilege um uh protects the secrecy the confidentiality of these records in circumstances where the purpose that the record was created
- 27:00 - 27:30 was to seek and obtain legal advice um and so I think it's you know Brian very cleverly left it 25 minutes into the webinar before um introducing the lawyer um it was a good reason for that we're paying by the minute you just call it a fortune yeah yeah so I'm very cleverly left at 25 minutes and I would argue that that that was way too late in a real life um because one of the things you want to do is get in contact with a lawyer and
- 27:30 - 28:00 say hey look we need some legal advice because we think that there's been a data breach incident that could um lead to potential legal action and we want you to give us advice on it and then the lawyer says all right well if I'm going to give you advice on this issue I need you to go away and investigate how it is that this incident arose um and what your options are from a technical perspective on how to deal with it and then I can give you legal advice on you know where your exposure might be and
- 28:00 - 28:30 um what sort of defenses we might have to claims and then there's at least an argument then that the results of any investigation become the subject of legal professional privilege because the investigation is being conducted at the recommendation of the lawyer for the purpose of then giving the results of that investigation to the lawyer so the lawyer can give legal advice and that means that um if you hadn't done that and the investigation found wow we
- 28:30 - 29:00 really dropped the ball that becomes records that other people can access down the track if um it is subject to legal professional privilege and the investigation finds wow we really dropped the ball um that's something that you can keep behind um I want to come to you Lisa because what I'm hearing from you know the sneaky lawyer in the back corner of the room that says let's shut down all containment flow of information which is
- 29:00 - 29:30 in complete opposition to some of the from a communication strategy that you must engage and give something because does that mean then your comms crisis comms needs to negotiate with the legal team to get the right message that's good for both parties absolutely well firstly put a different cap on it as my journalist's cap which I was for decades I absolutely loathe the idea of what the advice that Ben just gave but it's spot on from a crisis perspective hold on
- 29:30 - 30:00 because it's about protecting the company the journalist in me my heart breaks that we don't get that information very clever um from a crisis comms perspective when you're looking you have to you have to go out there a lot of people will say no comment or worse we've had incidents where the clients will just ignore media calls we had one where there were 36 media calls within a couple of hours and they just chose to ignore them and so by the time they came to us we had to clean that mess up and then try and get them in front of it which we did but you can
- 30:00 - 30:30 always say something no comment isn't the answer if you say no comment or um the journalist has the opportunity to say X company didn't respond to our phone calls or wasn't available for comment you look like you're hiding you look like you're guilty of something and you don't want to do that there is always something that you can put into that initial holding statement and forward through the rest of your messaging which says that you there is an investigation underway that's safe ground that an incident has occurred
- 30:30 - 31:00 what you're doing so the we've been talking about crisis comms and that holding statement acknowledge action and update there you there are three key points you must provide information on those and you can do it in a way that you're not uh giving information that you don't want out in the public arena but you are giving yourself a voice in that narrative otherwise you are silent and I'm sorry you look like you're hiding it or you're guilty yeah you might just want to jump in there Lisa because I think we're on exactly the
- 31:00 - 31:30 same page as much as I um and everything that we do has to go through legal as part of that internal structure when you're dealing with the CMT and you're running through this crisis everything that the comms puts out needs to be legal not only does it need to have an approvals process and sorry Ben just quickly what you need to do internally is position somebody who is the the lead contact for your crisis comms and internal comms experts because
- 31:30 - 32:00 we need fast approval when when things moving so quickly and you've got media inquiries coming through and you've got various questions being threatened you on social media you need to be able to get what you're writing those documents approved quickly so you can distribute them because often you get caught in the it has to go to as a person it goes further up the chain you don't have time for that in a crisis yeah and and look and on that legal professional privilege point the um the the objective is to break the heart of the journalist
- 32:00 - 32:30 um or to break the heart of the class action lawyer um or to break the heart of the um the claimants who want to say that oh we've suffered loss because of your negligence and um and you know we want compensation for that offering the heart of the client when they get the bill is that what you're saying that's just a given with anything I know I know Simon very quickly say 25
- 32:30 - 33:00 words or less yeah um just very quickly say that um it's about controlling the flow of that information the lawyer's job is not to close up every little bit of information we do want to work with the comms team because God knows that I'm you know I'm not too bad at giving people bad news but I'm I'm hopeless at giving spin I'm I'm only basically there to go yeah it's and then you've got to deal with it um and so it's about like containing all
- 33:00 - 33:30 right well this is what we are going to keep within closed doors and then this how we control that message okay thank you Simon if I could go to you and ask you to if I could so how was the risk position changed at this point in time well what are you starting to think from a risk management perspective well I I think tying into those conversations that have just occurred to Brian um I'm not gonna that the catch-all is it depends but the reason why this is so critical is you've just heard from from
- 33:30 - 34:00 experts in terms of what their expectations are and going to James's point of the worst type of learning how to do a crisis is in a crisis that concept of if you have engaged your Communications response team if that's an external prior to so you know exactly what Lisa is looking for you've already received training on for all of your management and Executives on what their expectations are and what would be expecting from from that team as you're
- 34:00 - 34:30 going through that if you've already engaged with your legal counsel be it internal or external to understand through one of these types of events um what their expectations and what how quickly because I've seen the difference in legal privilege in real events between days when someone thinks of it as an afterthought or in the first crisis management meeting it's one of the first things that's raised and and we're moving from there so Brian to
- 34:30 - 35:00 specifically answer your question provide preparation and that that opportunity to have had these things in place is real controls and treatment actions to the material risk will judge the risk position that you're in in terms of how it has changed from here from what we've seen there is absolutely an increase now in being associated risks that we now need to deal with um as we're moving forward so with starting to get more information and that will
- 35:00 - 35:30 then start the feed out into what other things we need to consider from here already at this point I'm starting to again ask that question about what is your plan B at phase two you know one of the other things that you need to put in place can I just ask you um when do we start thinking about notifying the board uh so again the catch-all would be what is your plan say however the the right but remember we don't have the plan
- 35:30 - 36:00 because and again it's encrypted so there's there's two kids I I sorry um I take the point D and I always go back down how do you build that muscle memory but the the answer to this is the last thing that boards want is a surprise that is that is if you ask any board um globally or in and in this country what do they not want is to be surprised um we're not talking and asking the board to activate come in hold a war room of their own but a notification and
- 36:00 - 36:30 the appropriate point that you know that this is a legitimate threat or the possibility of it of it becoming a strategic event the notification is clear do not withhold that information because you will regret it later so can I ask you and then I'll defer to the others and I think Lisa has already mentioned it and Ben has um I said right at the beginning a lot of organizations tend to immediately close
- 36:30 - 37:00 shop how critical is it to help address a crisis event to ensure you've got the right skills around the table and embrace your external stakeholders for those specialist insights and experiences that can help you shape your response um it's it is absolutely critical when it comes down to accountability um Brian with within an organization there will be some organizations that that have
- 37:00 - 37:30 um outstanding capability in the certain response areas that we would expect um any of us on this call would expect um but I'm not having a realistic understanding of your capability and what is available to you through different areas because we talked about notification the one that we haven't discussed is whether or not you've notified at this point your insurer because do you have coverage or a policy for this because that can open up for you an entire um stream of additional supporting
- 37:30 - 38:00 assets with some risk that comes to it in terms of ownership of um and prioritization but um if you it comes down to capability comfortable with and you the worst time to learn that is in the crisis you need to have known that coming through what about intelligence how critical is it to get the right information and intelligence on the situation you're faced with and your adversary for that matter yeah it is absolutely again it's absolutely critical because that will
- 38:00 - 38:30 inform your decisions if you are making decisions blind and again as we potentially learn more about this we've we've got the adversary's name we've got the attacker's name believe it or not the first thing that came up is is this is this a um being called them criminals but is it uh food criminal like a legitimate criminal well-known criminal that we're going to be able to to learn more about in terms of their tactics techniques and procedures and again getting that from an expert who can verify and have that
- 38:30 - 39:00 understanding or is it is it literally a kid in their basement in a hoodie which we don't see often anymore but that concept of is this going to give us options in our response moving forward intelligence is going to inform us is whether or not as to whether or not those options are available to us right beautiful now we're now going into a high stress environment you know things are getting worse and we're going into the lockdown so places are Buzz James in times of crisis with these high
- 39:00 - 39:30 stress levels what would you suggest from a your perspective should be management and leaders start to think about coping strategies for people to deal with this absolutely great great question what the brain does in stress is basically the executive function goes offline and the amygdala you know hijacks us we've all heard of the amygdala hijack and you know emotional intelligence and all that sort of stuff this is exactly where that becomes
- 39:30 - 40:00 relevant because your brain under stress narrows shuts off and it is totally normal and look and people might not know why we you know the criminal keeps wanting to do things quickly as you said the data is really really clear if they get paid within the first hour the first half a day their chances of getting paid after that go way down so they want it to happen
- 40:00 - 40:30 really really quickly and they're going to put stress on us and pressure on us and we have to be able to breathe I know this sounds stupid you know as a as a personal thing it's the most direct way we can reduce our stress to just keep breathing but go back to the plans and practice and practice there's no there's no professional on the planet who got to world class without rehearsal
- 40:30 - 41:00 and practice and what we're talking about here is the exact same thing you folks out there who are listening to this you have got to practice and practice and rehearse and practice so that when you're at the tee or you're about to kick the ball or hit the tennis ball or whatever it is it's just in your muscle memory yep okay well I'm gonna mix things up a little bit I'm just conscious of time I want to go to phase three we've got information that's now received from a dark market intelligence provider that the company's data has now
- 41:00 - 41:30 been offered for sale in the dark web what that data is is unknown okay at this stage now it begs two questions we know data has been exfiltrated the the uh the obvious link people will come to is that data is what was exfiltrated well it may actually be from a different hacker if you've had a vulnerability that's been exploited it may be from the ransomware or it may be something completely separate so
- 41:30 - 42:00 something to think about and just to hamper recovery efforts um the you that you're now being hit by a DDoS attack and again to James's point putting more pressure on the decision makers complicating and making messier uh that is the the the issue of considerations and the volume of issues to contend with and now uh Lisa clients now that's out there well and truly it's in the media
- 42:00 - 42:30 and they want to know what the heck is going on social media is going gangbusters and that momentum of public expectation is building what are the I know you've talked a lot already Lisa about getting things in place what are the systems you need to set up for this ongoing enduring challenge that is going to be the communications yeah this is the tsunami this is what everybody dreads so the reason you have to do all the prep work as you say Brian is when this happens you are ready to go so you can manage it
- 42:30 - 43:00 you've got the channels in place so one you have to log all of the media calls that are coming through you have to have a point of contact within that comms team that all that information is flowing to you need to arm your frontline staff who are receiving these inquiries with the right questions to ask of the media so that you can help the comms team better manage those inquiries so who is the journalist where are they from what's their deadline what are they asking when you're talking about customers who are online well they want to hear from you they want empathy
- 43:00 - 43:30 number one you have to provide some sort of statement which says that you understand that you are what action you were taking as before it's the acknowledge action and then update to stay ahead of the media and to try to contain the the I imagine it's a growing rage at this point and confusion from people who have been potentially impacted by this is how often are we going to get updates from you are you across this there might be um you know frantic activity happening
- 43:30 - 44:00 in the war room but the front facing of this business has to show that we are calm and that we are working through this and we have your interests at heart can I just on that point you've raised obviously some extraordinarily valid issues and you you something you said just triggered me back to my my days in the in law enforcement when you had a major event happening one of the things we used to do was tell the media listen give us some breathing room and set up
- 44:00 - 44:30 regular sitreps to the media room so if the media scrum would form and they knew you were coming to give them this latest update and that gave us a greater sense of control to a lot of that noise is that something you recommend exactly if you could hop back and I don't know how many people on here are old enough to remember but so Joh Bjelke-Petersen used to say it's feeding the chooks right so when you've got this crisis and it's moving very quickly in the background for us we need the media to be uh okay we will update you again in an hour or two hours we know where
- 44:30 - 45:00 they are hopefully that then stems the flow of media calls that are coming in which is adding to that high stress environment that we're operating in so the more control you can put around that and James is right you have to try and bring that pace back so that's why we have systems in place so that like I said if you have a call center set up those calls are coming in the information is flowing into the comms team from one channel the channel's coming in from all the front desk staff who are receiving phone calls
- 45:00 - 45:30 um our numbers are now out there so that media know to call us and to take the pressure off the company so you have to have all those structures in place so that we can control and control is a good word so Simon how important is setting up and I'm going to use you know paramilitary terms urics military but I'm going to use how important is it to set up a command and control structure to manage this crisis so control measures provide clarity in the chaos
- 45:30 - 46:00 um that's that's the one um when you when you have Control emergency price and in this case um a clear understanding of roles and responsibilities um uh it means as James was talking about in terms of of operating under stress um major muscle movements rather than fine motor skills it's that Clarity of being able to know uh where do I go and adjust is something that is something else that nobody uh that you don't have to critically think of under that stress and pressure
- 46:00 - 46:30 um but the other thing about about the command aspect just really briefly is making sure that the people that you put into those positions have the kind of ability to do it because not everybody can um so again preparing them finding them ready probably the right person in the room because just because somebody's in the leadership position the business of visual does not mean under stress and pressure they're going to be the right person and you can only learn that in exercise excellent and talking of stress and pressure I've just invited the lawyer
- 46:30 - 47:00 into the room to answer this pertinent question that is going through the minds of the board and that is should we just pay these bastards and get our data and our situation sorted Ben that's to you by the way just yeah yeah good question so um lawyers can often justifiably be accused of um hedging in their answers to direct questions
- 47:00 - 47:30 and the reason is because it's complicated really what you're trying to do is balance two competing interests um or at least two competing interests on the one hand you have to act in the best interests of the company as a director um I mean that's just a given any director that doesn't know that shouldn't be in the role um the second thing you have to be aware of though is that there is a risk associated with paying the ransom
- 47:30 - 48:00 earlier I used the the word criminal um uh for the people that are doing this because quite often as Brian you know um these people are not the guy in the hoodie in the basement they are organized systemized experts at um organized crime and or potentially funding terrorism and I use those uh
- 48:00 - 48:30 terms deliberately because it's important to be to be aware that there is legislation that says that if you are reckless to whether or not you're funding terrorism or organized crime um there's a potential criminal consequence now nobody has in Australia been uh prosecuted for this crime of paying a ransomware demand and um and then it being asserted against them that they funded terrorism and now face jail time for doing that
- 48:30 - 49:00 um for the purpose of the exercise just for you know based on history so far in ransomware gangs the way they operate let's just say for the purpose of this exercise Haron is actually against terrorism from some of the postings they've made in some of their forums and in the dark web so we know with clarity they are completely driven by profit not any ideology yeah yeah yeah so this is like a what a funding issue I mean once
- 49:00 - 49:30 you've handed over the cash um you don't know what they're going to do with it and just because somebody professes to have a particular um objective or um uh rationale for their conduct doesn't necessarily mean that it's true I mean they're a criminal after all but um but I think the key thing to be aware of in trying to balance these competing considerations is that and it's come up before and it's really
- 49:30 - 50:00 important I think insurance insurance is one of the themes of this seminar or should be um I think the other thing with this webinar is um planning you know train in advance of the incident and that's what insurance is for it's um it's the premium you pay or the price you pay the training is the price you pay as well for um being in a position when the proverbial is hitting the fan that you
- 50:00 - 50:30 you can respond appropriately with the right resources look I always relish the opportunity to cross-examine a lawyer and I just want to take you back to something you just said hey listen I had many many many days in the witness box that's it's nice to have a crack back but you said that there are conflicting areas so if I put forward to you this proposition could the circumstances be that in a cyber crisis ransomware event
- 50:30 - 51:00 if say the demand was a million dollars the cost of recovery to the business it is so devastating that to rebuild and everything else it could actually be was estimated at 40 million dollars which would bankrupt the company could the directors be accused of failing their duties to act in the best interest of the company by taking a moral stand not to pay therefore face charges under
- 51:00 - 51:30 the Corporations Act yeah that's a risk so you're saying payment may actually be the best action in the interests of the directors in a pro and behaving in the interest of the company as as long as they're not on the sanction list yeah that's right um I think it is like but having said that I think far better than having to make that
- 51:30 - 52:00 decision to pay themselves is the decision they should have made now or well in advance of the incident occurring to get insurance for this sort of thing yeah I think you've raised a brilliant it provides a great point a lot of people tend to think things in black and white you can your can't you and I've never heard that perplexing challenge raised before and I think I've never even heard of being discussed before um
- 52:00 - 52:30 and we've just got a Q&A you know a comment by Robert from the audience who said you'll always also have to discuss with your insurer about payment and that's a great question I assume Robert's talking about is it can they or will they will they cover the cost of that ransomware payment uh that's a great question anyone's going to comment on that yeah so it's not only the insurer because um but but it's also there's and that there isn't precedent of this yet I believe that is
- 52:30 - 53:00 definitely a discussion as to whether or not your financial institution especially post the Banking Royal Commission here in Australia whether or not your financial institution will release the funds for that uh for that particular payment as well there's a there's a really interesting line um again I go back to um even even Brian your point um and your scenario that you place the band about does an organization has an organization actually done analysis to understand what the cost of recovering
- 53:00 - 53:30 critical operations are with the VA business continuity uh and type uh analysis discussion prior to the event because it that that is not an easy question no not at all here's an even tougher question for Lisa and that is would you inform the public that you may have paid them uh yeah that's a tough one uh look I think the public need to know that you if you've recovered the data or
- 53:30 - 54:00 what the risk is to them now or if you've contained that risk to them uh I I think that would be a case of the comms team working in with you the risk management and the lawyers and and the execs and working out what they want to be out there publicly um and can I just say I think you've made it from my opinion that made the the most salient points is what you've done to protect the data of the public um and to resolve the issue and really
- 54:00 - 54:30 to me the only ones that should know about whether ransom was paid or not is the uh is the organization itself because normally that's a you know question from those prime members of the media it makes a great story but Joe Bloggs sitting at home just wants to know well okay is my data now protected has a threat been removed and what do I need to do comes back to to sort of communications 101 you always have to think about who the audience is so if you are say in a
- 54:30 - 55:00 Medibank type scenario you're talking to the people whose personal health records have been compromised as well as their personal identification data so the the way that you write the holding statements and the ongoing statements media releases the language that you choose is really really important and we saw if we think back to Optus and Medibank Medibank I think made some very deliberate choices about the language they use and there was a lot of you know we've managed to where
- 55:00 - 55:30 we protect um and that the number of various other potential attacks that they've sort of thwarted over the time or protected their their clients or customers from so we spend a lot of time as much as you can and then that sort of fast-moving environment working out what is the exact language that we can use for the effect that we want to achieve when by the time we hit the target audience so identify the audience and work backwards okay and I just want to jump in quickly and thumbs up 25 words or less Simon and Lisa double click double
- 55:30 - 56:00 thumbs up um yeah the uh five words or less Brian you're a bastard yeah you've just used up 12 30. 15 left but um because the Privacy Act breaches relate to whether or not you took reasonable steps to protect people's personal information so um you want to be able to truthfully and accurately say that you that reasonable steps had been taken and then of course you wanted to communicate that
- 56:00 - 56:30 yep thank you good job now folks here's the real challenge by the end of this hour I would like to ask you all for a couple of tips that you would give in summary of of this process and but before that we've got two great questions uh we have four and a half minutes left so I'm just conscious of time so very quick fire one question from Jamie is that do we feel that some of the organizations subject to recent
- 56:30 - 57:00 events refusing to pay a ransom and highly sensitive personal data being released to the public has set a precedent in Australia going forward that exposes us as individuals so if the process is they're going to allow the data to set out there they're not going to pay anything to recover it or get it back does that make us more vulnerable as people moving forward yeah I might jump on that like I think it does set a precedent I think it was probably the wise decision because
- 57:00 - 57:30 um as hard as that is to sell to the public to say you know we didn't pay because and then the message can be interpreted as we didn't look after your interests the fact is is that there's no guarantee that by paying you've protected their interest anyway once it's leaked it's leaked and um you can't necessarily trust the criminal gangs to hand it all back and not resell it even after they've received the ransom money sure absolutely any anyone else on that yes so I I agree with Ben like the breach is
- 57:30 - 58:00 obvious obviously it could but the answer to this is yes um I I think uh this is the first time that Awards and Executives have um have seen a response to it they've been there and they were able to plead that they were still the victim um it has enabled organizations to consider do we just go ahead and and uh us because again there was no there was no encryption it was just a data breach which means that the business impact was less good yep okay I've got
- 58:00 - 58:30 another question for you specifically in a minute at least I'll just make one very quick comment and that is I think there's been a lot of hype around my identities being compromised and that's it but I asked an audience well do you have a Facebook page in your own name and of course nearly everyone puts up the hand well haven't you already surrendered your identity to the internet and therefore have you not lost troll so the challenge is how do we manage the risk that it's used as a consequence of that identity being stolen but I'll leave that there so
- 58:30 - 59:00 um question Lisa and it's specific to the um I won't say which company but one of the the big breaches their initial approach was to only issue ASX announcement and do zero zero media I think you've probably answered this already um what's your opinion on that in uh 25 words a mistake I think as soon as you know that it's out there you need to be in front of it yourself and again you need to be showing some sort of empathy and
- 59:00 - 59:30 that you understand the enormity of what has happened and the impact it's having on people and reiterate again what action you're taking uh not to do that I think is is to be I think people feel betrayed I think they don't feel like they're being um considered to be important in in all of this if they're if you're not going to speak to them directly through the media you can also do it through your own channel so you can put out your own videos through social media and control the narrative that way as
- 59:30 - 60:00 well thank you um Adrian I see that Simon's typing you a response uh now so please I hope you did a decent job for your sake and I hope you answer the question for you folk we have exactly 90 seconds left so if I could just uh ask you to if there was one or two things very quickly that you would and asked from from the business um sorry that you would give advice to people as a takeaway for this what would it be if you could one critical thing
- 60:00 - 60:30 Lisa uh we've talked about planning part of that planning media training make sure you know who your spokespeople will be and make sure they've been trained so that you can roll them out there when you need to too many organizations thank you Simon uh I would say uh what are your realistic vulnerable points and what are your plan B's for your most critical business functions thank you James we've got to rethink the way we treat customer information we used to think it was an asset to hold I think we now need
- 60:30 - 61:00 to start to think about customer data as an actual liability and we we can't keep it for long periods of time it's just a disaster thank you very much Ben Yeah final word to the lawyer in the room plan including Insurance have a plan train on that plan thank you very much uh panel you've been absolutely astoundingly fantastic uh delegates thank you so much for giving us your time today I hope it's been uh
- 61:00 - 61:30 wonderful for you and really informed uh going forward in your considerations and deliberations around this we're we're all I hate to use the term we're all in this together but we all are all confronted with this Challenge and it's about how we prepare to meet it going forward because one thing I'm going to assure you that the threat is going to increase and it will diversify and it will become more complex however with the right preparation you we can all meet this challenge stay safe have a wonderful day enjoy a
- 61:30 - 62:00 brilliant weekend you know what if you've worked hard this week take tomorrow off and we'll see you in the future and we will be sharing this and providing linkage for everyone thanks everybody cheers