Simulation model to test data breach response plans

Porter Novelli

Wednesday, 25 January, 2023

The impact of recent widespread data breaches has illustrated the need to consistently review, test and revise incident response initiatives. While many Australian private and public sector organisations have crisis management plans in place and conduct a program of penetration testing and network security stress testing, many fail to adequately prepare for the other side of a data breach: the massive communication demands that follow it.

According to Rhys Ryan, CEO of PR firm Porter Novelli Australia, the companies that experience real reputational problems following a data breach are those that were simply not prepared.

“We are called in for particularly difficult incidents, not run-of-the-mill data breaches. What we see over and over are organisations whose leaders simply did not anticipate the challenge of communicating simultaneously with hundreds of thousands of people, often in an environment where they can’t use the normal tools of communications because of the incident itself.

“Since the Notifiable Data Breaches scheme was introduced almost five years ago, we have responded to scores of these incidents. In some cases, you find out you’ve had a data breach at the same time as everybody else, which is tough if you’re a listed or government entity. This is happening more often because the threat actors have markedly improved their targeting over time.

“In that scenario, having a specific data breach response plan and regular simulations puts you light-years ahead. At this point, it is really a matter of good governance,” he said.

Having honed its response models in partnership with forensic firms, legal partners and insurers over five years, Porter Novelli has bolstered its cyber incident response offering with a new data breach simulation model. It is now being used with executive teams and boards to test their existing plans against a realistic and escalating scenario.

“Our model is designed to find gaps in clients’ plans, and to test their executive teams’ response before they’re in a live breach simulation. We create a series of scenarios that are realistic, but also test against a worst-case scenario to ensure our clients are fully prepared when the inevitable occurs,” Ryan said.

This level of “inevitability” is the reason cybersecurity is now considered a top risk by corporate Australia. There were 396 notifications reported to the Office of the Australian Information Commissioner in the first six months of 2022, representing a 33% increase in the number of breaches involving the data of 5000 or more Australians.

“No one has less time than the executive who has just been informed of a data breach,” Ryan said.

“Consumer, stakeholder and regulatory expectations on how corporations respond to a cyber incident are specific and evolving, which means that relying on existing Crisis Management Plans will no longer suffice. Great response requires good preparation, so we have developed a simulation product to build on our long-standing experience in reputation management and data breach response.”

The simulation is a half-day event that can be coupled with executive media training specific to data breaches and cyber incidents. It has been rolled out to clients across the financial services, retail and education sectors over the past three months.

As a first step, the company urges all organisations to ask themselves five questions:

  1. Is cyber incident response a board-level issue in your business?
  2. Do you have board-level agreement on your guiding principles in the event of a breach? The 24 hours following a ransomware attack are not the time to decide whether you would pay a ransom.
  3. Do you have a data breach plan for the first two hours?
  4. Do you have established relationships with experts — specialist legal counsel, forensic IT experts, specialist communications — who can help you at a moment’s notice (and an insurance policy)?
  5. Beyond your crisis plan and business continuity plan, do you have a specific response plan for cyber incidents, ransomware attacks and data breach scenarios? Have you tested it with a simulation?
