Cyber hacked: who ya gonna call?

It's one of the most frightening scenarios facing any business. But where do you start when it comes to putting things right?

Cannings Purple 30 Jul 2019
4 mins
Cyber crisis

You’ve been hacked. It’s impacting your entire mining operation.

It is not just head office. Your site is impacted. There is no communication, other than mobile phone. Your production has gone offline.  Your remotely controlled vehicles are down. It has the potential to push back the first shipment from your newly developed mine, which you have been hailing in the mining press as setting sail at the end of next week. It seems like your entire SAP management system could have been infiltrated.

The hackers are moving from one section of your operations to another.  If this were a cockpit, every red light would be on.

The above is every mining company’s worst nightmare. Indeed, it’s a version of ANY company’s most frightening scenario. It was only in June that a massive hack on the Australian National University was revealed, compromising up to 19 years’ worth of student and staff data.

But who do you call first for help in a situation like this?

That was the intriguing proposition for a pair of very topical panel discussions hosted by PwC Australia’s Perth office.

Making their cases to be first called were:

“Who here uses cross walks? Do you still look both ways?”

Cannings Purple Managing Director Warrick Hazeldine highlighted what turned out be a common theme among panellists by noting that it wasn’t only about “who ya gonna call” – but also “when are ya gonna call?” Making the case for establishing contact with communications professionals well before a crisis appears on the radar, Warrick compared a cyber-hacked business to a person crossing the road at a crosswalk: doing the right thing legally but unlikely to find much consolation if hit by a car.

Just as the crosswalk user would be wise to look both ways first, the hacked business is far better equipped to deal with a crisis if they have previously prepared and trained for one. If not, it’s never too late to start rebuilding and repairing a reputation. But time is of the essence, because the need for effective and immediate communications, the sheer volume of communications required and the propensity for crises to gather momentum, make for an overwhelming and combustible mix…and likely an unmanageable one without a communications professional in your corner from the earliest possible moment.

“The sky fell in eight weeks ago. But no-one saw it.”

As PwC Australia’s Jason Knott explained, when a cyber crisis lands on his desk, it will usually be followed by a string of understandable questions. Why us? How did this happen? Who has done this to us? Where is the problem? How do we fix this? When did this happen? And when will it be over?

The answers to the final two questions are particularly interesting. Jason outlined that in many instances, the “sky actually fell in eight weeks ago…when nobody was looking” and detailed that, although fix times vary, they are “not typically in the next 24 hours.” According to Jason, cyber experts like him qualify for first-point-of-call because they can answer all of these questions, plus another query he often receives: “should we pay a ransom?” Jason said his response to that last poser is invariably no, because “what’s going to stop [hackers] coming back again next week?”

“You need to tell the market…immediately.”

With her legal expertise and background in the energy and resources sector, PwC Australia’s Clare Pope said there was a black-and-white reason why she should get the first call. If your company is listed on the ASX (or on other similarly-governed platforms), there are clear rules stating that an incident like the one presented in the panel scenario must immediately be disclosed to the market. From there, decisions will need to be made about whether to voluntarily enter a trading halt.

Clare also touched on the issue of paying a ransom or bribe to end the hack – doing so is unlikely to be illegal, although it may be unethical – and also had some important advice for company directors during a post-panel Q&A session. Asked whether taking out a cyber-insurance policy was enough to demonstrate directors were executing their duties, Clare suggested evidence of implementation of that policy into business practices would make for a far stronger and more preferable case.

“Contact me…and you get all of them.”

Marsh cyber practice leader Kelly Butler offered up a very simple and practical reason why anyone caught in a cyber-crisis should dial her number first: not only will an insurer arrange contact with the communications expert, the cyber response expert and the corporate lawyer, they will also pay for it…provided you have a policy, of course!

Kelly explained that a delay to act during a cyber crisis could exacerbate a company’s problems but so too could a knee-jerk response. So why not leave strategy to an insurance expert who regularly deals with such situations and can engage other service providers as required? Kelly compared a cyber insurance policy to a backstop, describing how many in-house IT professionals might initially be reticent to have an external team investigate an issue – but often changed their tune after realising it would allow them to more quickly return to something like business-as-usual.

For the record, interactive voting among attendees awarded a win in the July 18 AAMEG-sponsored event to Kelly and victory for July 19 to Jason.

But it was a close race. And much of the crowd will have left still pondering that big question.

Who ya gonna call?

Warrick Hazeldine is an expert board-level adviser in the areas of investor relations, M&A and global crisis and reputation management.  Since co-founding Cannings Purple as a two-person start-up in 2004, Warrick has helped drive the business to become one of Australasia’s leading communications agencies, with a cornerstone shareholder in WPP – the world’s biggest communications group. Contact Warrick.