Building a security culture

CANNINGS PURPLE WHITE PAPER

Data breach

Chris Leitch is Cannings Purple's data breach communications lead, driving risk management projects and shaping strategies for clients that allow leaders to be prepared and agile in crisis and issues management.

He is available to lead or support projects around data breach preparedness, including development of communications plans, scenario planning, auditing and testing existing plans, helping to build a secure data culture and developing data breach simulations to test resilience.

We can help!

Cannings Purple is your partner to build and test data breach resilience. Start a conversation with our data breach lead Chris Leitch today

The databases of telecommunications firm Optus were hacked in 2022, in one of the biggest breaches in Australian history. Up to 9.8 million current and former customers had personal data such as phone numbers, addresses, Medicare and driver’s licences stolen.

Optus CEO Kelly Bayer Rosmarin, reflecting on the data breach at a business lunch in March 2023, said the company did everything it could to protect customers but it was clear they were unprepared in terms of communications.

“We sent out 16 million customer communications [with] 110 different bespoke messages for the different cohorts...

“There were a couple of messages that, when you read them, you thought: ‘Oh, this looks like it’s been written by someone who hasn’t slept in four days’.

“I wish every single one of those 110 communications had been to our usual level of quality.”
- AFR, March 2023

Communications with clients and customers are the public facing interactions but the clarity of messages to staff, suppliers, and other stakeholders are equally important.

The Optus data breach

Close

Case study

“

Continue reading below

Technology and data security are important factors in the safekeeping of information but data breach protection is not just an IT issue – it’s a human issue.

The Cyberthreat Defense Report released by US firm CyberEdge earlier this year suggests that 82% of all cyberattacks involve the human element – whether that is sensitive information accidently made public, staff unwittingly clicking on a phishing link or a person allowing their network access credential to be compromised.

Building a security culture

What is "security culture"? It is the ideas, customs and social behaviours of an organisation that influence its security. It is the most important element in an organisation’s security strategy. And for good reason: The security culture of an organisation is foundational to its ability to protect information, data and employee and customer privacy.”

Perry Carpenter, KnowBe4 Inc, writing for Forbes

All the technology in the world is not going to help if an employee clicks on a link, shares their login credentials with a third party or is careless with storing sensitive information.

Business leaders should be considering how they might upskill or reskill employees to strengthen their data governance as scrutiny on privacy becomes tighter.

One of the lingering cultural issues, particularly among small and medium sized businesses, is the belief that their organisation isn’t big enough to be targeted for cybercrime.

Big data breaches are the ones in the headlines, but the latest OAIC information shows 91% of notifiable data breaches involve the personal information of 5,000 or fewer individuals worldwide.

The supply chain risks also need to be understood in a strong cybersecurity culture and to do that, it is important to think like a cyber-criminal.

Smaller organisations can be more easily accessible, and the gateway to bigger entities, such as the companies that might source or contract its products and services.

If a small operation supplies a national firm, who does it make more sense to target?

Attackers can gather details about systems, expose client relationships and gather confidential information about directors, partners and other stakeholders.

A business that proves to be a weak link in the value chain for an attacker to break in could be flagged as high risk and severely hinder future opportunities.

A security culture is an important application of risk management because it empowers people within a business to identify and deal with potential security risks.

A typical multi-stage risk analysis might consider:

Identifying existing risk areas, such as security processes for how data is accessed and shared, which includes who may have access to the network.
Assessing risk areas, weighing up how they could be addressed, identifying potential solutions and examining their impact on workflows and operations.
Once solutions are determined, explore how those changes might be implemented and communicated, both within the organisation and externally if necessary.

The temptation among leaders and executives is to think about cyberattacks and data breaches as a technology problem but a security culture touches every part of a business.