In the recovery position

The inherent complexities of recovering from a cyberattack will test the mettle of even the most experienced board members. Experts explain how directors can best support the process. 

The prevalence of cybercrime in Australia continues to grow, with a 13 per cent increase in the number of attacks last year, according to the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report. In 2021–22, there were 76,000 reported attacks, which is the equivalent of an attack being reported in Australia every seven minutes.

The ACSC provides incident response support that is tailored according to the degree of cyber maturity of the affected organisation. A mature organisation is one with strategies in place to mitigate cybersecurity incidents, such as enforcing a strong passphrase policy, using multi- factor authentication, patching and regularly backing up data.

“We also have a growing and capable cybersecurity industry,” says Deanne Sowers MAICD, Australian Signals Directorate first assistant director-general of cyber threat intelligence. “There are a lot of very good incident response providers who can assist Australian companies. The ACSC often works collaboratively with those incident responders to provide technical advice.”

An organisation with a high degree of maturity may also have permanent, in-house incident response capabilities, which would be the first stop to remediate a cyber incident.

It would also have an incident response plan. The ACSC found that while 79 per cent of entities had one, only 49 per cent had reviewed it in the past two years. This is inadequate to meet the challenge from a rapidly evolving threat landscape, says Sowers, who stresses that incident response is a “team sport” that must be undertaken in a cooperative manner.

The information that affected organisations provide to the ACSC is kept confidential and used to help understand the threat landscape more broadly, so that the ACSC can proactively warn other potential victims.

Another indication of maturity is the degree to which a workforce is educated about cyber risks, and how engaged its board is when it comes to data protection. “We want boards to be asking questions about their data holdings,” says Sowers. “How secure is their data and where is it stored? Are there controls in place to ensure it can’t be moved to unapproved systems? Can they identify exactly what data might have been accessed or taken in a data breach? This helps to make decisions quickly about what data has been lost and what the impact could be.”

The ACSC often sees companies without adequate controls in place to track where their data is located or to make sure it isn’t copied across to unapproved systems.

Variables in play

While the immediate fallout following a cyberattack can be dramatic and fast-paced, the path to making a full recovery is often slow and painful, says Sowers. The board will likely need to have out-of-cycle meetings and may potentially need to form a committee to develop a recovery plan.

“There is a much heavier demand on a board’s time if the crisis is escalating or of a great magnitude,” says Claire Pales GAICD, director of the Secure Board and the Security Collective. “Shareholders may also have an expectation that the board is available and that [public] statements will be issued.”

Mark Anderson, CSO of Microsoft Australia & NZ, believes one of the worst things an organisation could do is attempt to minimise a cyberattack — or downplay it. Transparent and frequent communications are critical. “Your organisation will rely on a relationship of trust you’ve built with your customers,” he says.

The time frame of a recovery will vary according to the nature and severity of the attack, the type of data stolen, the technology already in place and how well prepared the organisation was for the incident. It could take days, weeks, months or more than a year to fully recover. Of the three different kinds of cyberattacks, the easiest to bounce back from is when the cybercriminals force a business offline, but do not steal any data.

“The business loss comes from not being able to transact or carry out business while you’re offline,” says Damien Manuel GAICD, chair of the Australian Information Security Association.

The second type is when an organisation’s data is stolen as part of a supply chain attack. It is unlikely for the stolen data to be released onto the dark web, because the cybercriminals are more focused on using the data to learn how the organisation transacts with others in the supply chain.

“The worst kind of attack is a ransomware attack, because at some point, the stolen information will be exposed publicly when you either pay the ransom or refuse to — and this will impact your customers, supply chain, business partners and staff,” says Manuel.

However, according to ACSC data, ransomware attacks constitute just 0.6 per cent of the total. Such attacks occurred against Optus and Medibank Private in September and October 2022, respectively. Months later, Medibank Private chair Michael Wilkins AO FAICD indicates recovery is far from complete. “Given that the cybercrime perpetrated against Medibank Private is still the subject of an ongoing AFP criminal investigation and of a review by Deloitte, I don’t feel it appropriate for me to make any comment at this time,” he said via email.

According to Anderson, the board does not need to take an active role in the recovery of every cyberattack. “There’s absolutely no doubt that the board needs to be aware of incidents, so it knows the scale of the threat. It must be involved when any form of sensitive data, such as personal information, has been stolen. It’s the difference between being made aware and requiring an active role.”

In the event of a severe attack, the board is tasked with navigating through the crisis with the end goal of ensuring the organisation emerges intact on the other side. “It shouldn’t be underplayed that if it’s a truly devastating cyberattack, it could result in the organisation failing to operate,” says Anderson.

In a time of crisis, it may be tempting for directors to get down into the weeds, but doing so would be a mistake.

“The board should absolutely leave the technical response to other parts of the organisation,” says Anderson. “Depth of expertise is required. The role of the board is really to get out of the way and just support them with any resources they need to execute that plan.”

Pales notes that straying into management territory can also damage relationships. “It will signal to management that the board lacks trust in its ability to recover,” she says. “The chair might have to steer the board out of management territory a bit, because those trusted relationships during recovery are so important.”

Avoid a blame game

The board should request senior management to organise an external review of the cyberattack and may need to make the funds available if it was a non-budgeted expense. The review could be carried out by one of the Big Four firms or a cybersecurity forensics company. The insurer may be able to help with recommendations. The ACSC has developed a list of questions that companies can ask incident providers to satisfy themselves of the competence of the provider (available at cyber.gov.au).

“The review is not about working out who’s to blame,” says Pales. “It is to understand how the response occurred, what they could have done better and how they might prevent this into the future. Boards often get independent third parties to come in and do reviews for lots of different crises — this is no different.”

While it isn’t necessary to wait until the dust has settled before the review begins, it must not compromise any ongoing recovery efforts. “If the people who are coming into the organisation to do an independent review are imposing themselves on those who are trying to get the business back up and running, there could be a conflict,” says Pales.

When panic ensues in the wake of a cyberattack, organisations that were underprepared tend to overspend on countermeasures, notes Manuel. “Knee-jerk reactions that aren’t planned and structured in the wake of a cyberattack will result in much of the funds being wasted,” he says.

Moral support goes a long way

Those who have experienced a cyberattack first- hand will understand the strain it places on an organisation.

“When a cyber incident hits the news, it creates an enormous amount of pressure for staff and the board. It is worth remembering that the recovery aspect is going to be a much longer battle,” says Manuel. “You will lose staff during the process because of the stress they’re under. There will be a human capital component you need to factor in.”

In Pales’ experience, a board that demonstrates visible concern about wellbeing within the workplace will provide a much-needed boost to an overburdened team working around the clock.

“A security leader told me that the biggest thing for his team was that the directors physically came into the office and asked whether his team was OK,” she says. “When the recovery goes beyond a few weeks or days, directors need to start asking how team members are able to sleep or tend their children or elderly parents.”

Directors also need to be aware of burnout within the board, and to watch out for warning signs of anxiety and depression.

Light at the end of the tunnel

There is no doubt that recovering from a cyberattack is complex and often fraught, but experts say there can also be upsides.

“If you were well-prepared for the incident, organisational culture may improve by the time you emerge from it,” says Manuel. “There will be greater alliances between teams and fewer silos. If you’re ill-prepared, it could be soul-crushing because it becomes a blame game internally.”

In Anderson’s experience, most organisations make a full recovery from a cyberattack. However, he says it is a mistake to assume that business as normal will ever resume. Risk profiles will need to be reviewed and updated, and internal policies changed to decrease the risk of repeat attacks. A deep dive into how and why data is stored and backed up will also be necessary. “If you go back to business as usual, then I’m not sure that you’re looking at it the right way,” he says.

Build resilience

“Of course, prevention is better than cure,” says says Deanne Sowers MAICD, first assistant director-general of cyber threat intelligence at the Australian Signals Directorate. “Rehearse your incident response plans in the same way you rehearse fire drills.”

She also encourages organisations to become an ACSC partner to stay up to date with the latest cybersecurity advice and access free services such as workshops and seminars. Organisations of any size can join and there are three tiers of membership. The ACSC partnership program had more than 60,000 partners as of the end of 2022.

Three phases of recovery

This three-step methodology takes an organisation from the moment a cyber incident is discovered through to resuming operations.

1. Investigation 

“The first part is the forensic investigation work — that is the incident response. It typically takes a couple of weeks,” says Microsoft ANZ CSO Mark Anderson.

2. Compromise recovery 

“This involves finding out where the attackers got in. Then follows a coordinated moment where all the cybercriminals are removed from systems at exactly the same time. We shut the doors and batten down the hatches.” This takes anywhere between six and 10 weeks.

3. Strategic recovery

The strategic recovery phase involves rebuilding lost or damaged systems and trying to get the organisation back to being fully operational. This can take between three to six months.