This book starts at 2:30am. Waking to the news of a serious cyber security breach is a moment when, as a Director or Executive, you are best already prepared, rather than scrambling to get to grips with the cyber jargon and reading the Notifiable Data Breach legislation for the first time. There are new obligations and an ever increasing expectation on companies and organisations subject to the Privacy Act to get the response right.
“In today’s highly and widely connected world no one is fully prepared. We need more books like this to lift our cyber resilience.” David Spence, Chairman PayPal Australia
As a ‘playbook’, the authors have set out to provide clear guidance of a practical nature, so that if organisations are faced with, say, a ransomware demand, they have a decision-making framework to help them ask the right questions.
It provides a ready-made communication strategy, with sample statements for media and social media, and an internal capability based on ethics, openness and maintenance of public trust – this is a playbook best kept at the bedside just in case the early morning call does come in.
The book delivers on equipping Boards with a rapid and competent decision-making guideline – “asking the right questions is 80% of getting the right solution.” And if you were going to seek advice, then the authors, Peter Coroneos and Michael Parker, have the experience and qualifications to call on with confidence.
“Cybercrime is a genuine existential threat to all of the organisations upon which our economy depends. This extremely useful playbook is a weapon for the good guys and should be compulsory reading for all executive and non-executive leaders.” Justin Milne, Chairman MYOB Holdings and Netcomm Wireless
The Cyber Breach Communications Playbook is set out in a straightforward, easy to understand format with a focus on ‘The Context’, namely the cyberthreat landscape, the ‘Best Practice Communication Model’, with the internal and external postures and decision-making framework, and then provides an assessment of recent case studies. The latter could be invaluable to many executives, as it includes the evaluation methodology and the ten grading criteria on which they are most likely to be judged. These are best to get right to avoid ending up in playbooks of the future. Case studies kick off with the infamous Census DDoS attack, followed by Uber, Equifax, Australian Electoral Commission, Ticketmaster, Geoscience Australia, Republican National Convention, Target, Ashley Madison, TalkTalk, Yahoo, JP Morgan Chase & Co, Verizon and Pageup – quite the list!
With six conclusions, one is drawn back to the start of the book to read it a second time and ensure it is understood – best heed these, as follows:
- Breaches will be reported by the media irrespective of your posture or preparedness.
- The C-suite will be called to account and resignations often follow a large and poorly handled attack.
- Brand and reputational damage can translate to major write-downs in valuation – and if you’re in the unfortunate position of being involved in a merger or acquisition at the time, expect headlines to be used as a huge negotiating lever against you.
- The attacks which occurred in the case studies were not particularly sophisticated nor hard to prevent.
- The cost of the damage far outweighs any investments in better security practices and communication preparedness that could or ought to have been taken.
- In the end, the examples provided were all failures of governance. Boards are on notice that community, stakeholder and regulatory expectations are for better performance all round.