On 23 May 2018, the Australian HR recruitment platform PageUp announced that it had detected a major data breach: a hacker had accessed the personal information of a large number of users. The breach exposed email addresses, telephone numbers, street addresses, gender, dates of birth and employment details. That is more than enough for a hacker to use to break into bank accounts or other financial sites.
A month later, it became clear that the company was not prepared to contain the breach. The CEO, interviewed at the time, could not give a definite figure for how many users’ files had been breached, although published estimates placed the figure at about 120,000 in Australia.
A number of PageUp’s major clients have dropped the platform, and its reputation has been severely damaged. The General Data Protection Regulation implications and the extent of the infringement are still being investigated.
James Turner, a cyber security consultant, says PageUp’s experience should serve as a reminder of what a cyber incident can mean for a business.
“All businesses should have a security plan in place and for large organizations not doing so could be negligence by the board. It is not inevitable that a breach will occur, but the probability is high.” New Zealand Technology Industry Association’s Chief Executive Graeme Muller adds, “The technology is making good business sense.”
There is considerable reason for concern among ANZ businesses. There were 812 data breaches reported to the Office of the Australian Information Commissioner (OAIC) in 2018. In New Zealand, the number of breaches was 347 in 2017 (the latest available statistic).
Australian and New Zealand Boards Must Put Response Plans In Place
A crisis of this sort requires rapid action both within the information system and in the management of the crisis itself – stakeholders, the press and the authorities all have to be dealt with. This is all the more pressing given that there is a legal obligation to provide the data protection authority with accurate information about the breach within a very short time.
In a recent survey, the New Zealand Office of the Privacy Commissioner found that some organisations had no processes in place to deal with queries raised by data subjects and were not equipped to handle data security incidents.
It also revealed:
- Organisations were generally found to be quite good at giving initial data protection training to staff, but often failed to provide refresher training.
- 25% said they had no program in place to conduct self-assessments and/or internal audits.
- About 50% of the organisations surveyed indicated either that they had no incident response procedures or that those procedures were not up to date.
- Nearly 15% of organisations indicated that they had no processes in place to respond appropriately in the event of a data security incident.
Board management software is part of an effective response
In a well-thought-out response plan for a data breach crisis, board management software can play an important part.
Stage 1 – Communicate and Assemble the Crisis Response Team
The first element of a response plan is communication, and it is sensitive communication – imagine the consequences of a leak, warns a recent article in CIO magazine. The first hour after a breach is the so-called ‘Golden Hour’, dedicated to isolating the intrusion and reaching out to all the actors who need to get started on a response. These include the CEO, the chairman of the board, the general counsel and the public relations team.
Top-notch messaging and calling software with the highest possible level of security is nearly indispensable. Board management software should therefore provide the background and insights needed to take the appropriate actions, and it should ensure that virtual meeting rooms are available for meetings at any time.
Stage 2 – Crisis Containment
What caused the breach? How did the criminals gain access? Have credentials been stolen or is this the result of third-party vulnerabilities? What have they stolen?
“Unless you know what caused the initial breach, you cannot contain it, and if you cannot contain it, you cannot mitigate the financial costs and reputational damage to your organisation,” the CIO article warns. This is the time for IT forensics to go to work, getting facts and numbers together.
Again, high-quality board management software can provide all the information needed in a secure environment, as well as rapid written communication among directors and operations experts.
Stage 3 – Impact Assessment and Reaction
Once the full depth of the data breach is known, the board and the PR team can assess the best way to react. Certainly, a statement should be drafted and released as soon as possible – delays in issuing it matter.
All of those affected by the breach must be notified within 72 hours, according to the GDPR rules. Most countries impose similarly short deadlines in their legislation. This lets the victims take protective action as early as possible.
With high-quality board management software, boards and teams can work together on virtual whiteboards to collect information and draft statements. They can also use secure channels of communication to notify major shareholders.
Diligent Governance Cloud enables rapid reaction in crises
With its cutting-edge communications software, robust collection of applications, and secure environment, Diligent Governance Cloud enables directors to respond rapidly in a crisis.
Board members can call and message each other, as well as management, in complete security. Applications for researching and writing external communications are also available, and virtual meeting rooms with controlled access are there for directors to make use of.
Diligent, as the long-standing market leader for high-level corporate communications, is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.
With ongoing investment in and dedication to security technology, resources and infrastructure that others cannot match, Diligent’s clients gain a strategic partner.
Diligent has established a security program based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cyber security framework is based on NIST standards.