Lessons from Optus for Board cyber readiness

by | Oct 26 2022

The Optus cyber-breach in recent weeks has boards and executive teams once again reviewing how to approach cyber security and information management. Divergent views exist regarding how it happened, how it should have been handled, and what post-attack management and communication should have looked like.

For me, in the very first instance, a well-handled response to a critical situation like this comes down to the board and CEO staying focused on the main people they have to answer to — the customer.

I have some empathy for the sheer number of external stakeholders bearing down on Optus and its leadership team “demanding answers”. This is important, ultimately, but in the aftermath of the attack, what’s critical is managing the customer and their data, and providing them with communication that is clear and actionable.

It is easier now to interrogate the do’s and don’ts from the Optus incident, but this is in hindsight and we are all good at that. The key consideration is what processes and reporting were in place at Optus ahead of the attack, and what may have been avoided if these processes had been more robust.

At this point, it’s crucial we acknowledge that it’s a question of when, not if: all companies will experience a cyber incident, large or small. Not everything ends up in the public arena, however.

The role of the director

As directors, we need to remember that boards have a unique role in helping their organisations manage cybersecurity threats and attacks. We do not have day-to-day management responsibility but oversight and fiduciary responsibility.

The key piece of advice I’ve received regarding cyber is to not leave any questions about critical vulnerabilities for tomorrow. I have also personally learned this the hard way, having experienced two cyber incidents in my board career.

Asking the smart questions at the board meeting may mean that you don’t avoid a breach, but you may avoid it becoming an operational crisis.

This is the time to interrogate the business’s cyber processes and protections, breach surveillance and response mechanisms, the board’s role when an incident occurs, recovery plans and current and future investments to keep the business ahead of a breach.

If there’s one thing that’s been highlighted by the recent Optus data breach, it’s that nobody is immune to being hacked. What many people don’t realise is that breaches happen all the time; they just aren’t publicised as widely, although many big-name companies have been the subject of attacks in recent weeks, including Medibank.

The need for swift communication

On the back of this week’s Medibank announcement, cybersecurity expert and founder of StickmanCyber, Ajay Unni, says the key takeaway for business is that a transparent, proactive and accountable reaction to a cyberattack is the best way to protect the reputation and operation of an organisation moving forward.

In the Optus attack, while the communications were numerous, the company continues to be subjected to criticism for its response to the attack. Optus subsequently announced that professional services firm Deloitte would conduct an independent external review of the incident, as well as its security systems, controls and processes.

Of course, different people will be concerned about different things, and different individuals will have had different kinds of data exposed. For some people, the financial risk of identity fraud is going to be the primary concern; for others, it will be the ‘not knowing or fully understanding’ that’s the major concern. The role for the board is to ensure communications consider all types of audiences and their reactions, and that the messages coming from the company are straightforward and demonstrate an understanding of the various likely concerns.

In the case of Medibank, or any medical or health organisation, the risk of exposure of personal medical data might be something that people are much more concerned about, as this is highly emotional and extremely personal and will cause a more visceral reaction in many due to the sensitivity around such data being exposed.

Is the board receiving enough information?

As directors, it’s our role to determine whether the board is receiving enough information and communication around IT risks, and cyber particularly, to ensure the board can advise well.

Trust and two-way communication are crucial to the board’s ability to interact and engage with management to determine the appropriate level of knowledge and insight around cyber and IT protection protocols.

In every organisation, different data holds various degrees of security importance. The scope varies from personnel records to ID documents to financial information or health care records. In order to unravel the complexities of what data is held and its ultimate threat value, the board needs a clear view of what data, if it were to be compromised, would do harm to the organisation and the customers or suppliers.

The appropriate security controls for the crown jewels need to be identified and integrated into workflows with clear lines of accountability, so that the data is protected by both the technology and the people surrounding the data.

Assessing the risks in this uncharted territory

There is some personal upskilling board members should do, as well as some whole-of-board learning, which can be developed through the use of external experts.

To be across this business landscape, to assess the risk and to get a personal level of comfort, as directors we need to know enough to ask the right questions, and the only way we can do this is through training and learning.

By differentiating what’s critical from what isn’t, as leaders we can successfully maximise the return on our security investments, working hard to anticipate problems that could irrevocably damage external and internal confidence in our organisations.

The objective is to allow all communication – technical, legal, strategic, or operational – to be mutually beneficial for all stakeholders. As previously outlined, it’s about asking the right questions and knowing which details matter, ensuring they are meaningful for everyone. In the end, a proactive approach helps shape the proper dialogue and will improve the information flow for greater transparency and sustainability. It will also enable as much preemptive management to be in place as possible and provide a high degree of comfort for the board.

We will all learn more from the Optus data breach in the months and years to come. It happened to be very public, not something that we always have a chance to see.
We have the opportunity to apply the early learnings we have amassed now to the betterment of the companies we advise.

Cyber is constantly changing – an understatement I know, especially in light of Optus – but the more we keep it as one of the highest priorities in the boardroom, the greater ability we have to help businesses address cyber threats well (because avoiding them entirely is impossible). In the end, judgement is about stakeholder management, handling people’s private data and, as Optus has been doing, constantly communicating with the customer, even as new information and changes come to light. A lesson for us all.

Cheryl is an independent non-executive director on listed boards Ai Media, Beston Global Foods and HNG Ltd as well as unlisted CAANZ.