Notwithstanding the widely believed simplicity of the Optus Hack, an often overlooked element of organisational preparation is how to respond and manage the ramifications of a cyber breach. Even if Optus had been the victim of a sophisticated attack, penetrating otherwise sound cyber security defences, this ‘victim’ status would have flipped quite quickly to ‘villain’ due to perceived and real aspects of mismanagement of their response.
In fairness to Optus, the magnitude of exposure of an attack is typically difficult to confirm at the outset of discovering a breach, and this takes some technical investigation which will always take some time. The standing up of the necessary resources to undertake outreach and to field customer enquiries also takes some time, however these response elements should be identified and rehearsed in advance. Stakeholders should all be identified and mapped with relationship owners and pre-prepared messaging. Public messaging must be carefully aligned with the response management actions being undertaken in order to superimpose as closely as possible the perception of the corporate response with the reality of the response management. A company in this situation must have pre-approved financial response delegations to enable the CEO to offer and announce suitable, if not excessive, compensation to those affected customers.
I am not suggesting Optus had not undertaken preparations to respond to a cyber breach, but I question whether or not they had sufficiently practiced their response in order to effectively leverage that planning. Observations of their response suggests not.
How prepared is your organisation to respond to a cyber breach?