Cyber incident fallout: What happens when the proverbial bits hit the fan?
Episode Title:
Cyber incident fallout: What happens when the proverbial bits hit the fan?
Episode Summary:
When a cyber breach strikes, the technical problems are only the beginning. In this episode, we examine cyber incident fallout and what really happens inside a law firm once an attack is discovered. From regulatory obligations to client conversations and reputational risk, this discussion unpacks the hard realities lawyers face in the aftermath of a breach.
Guest:
• Cameron Whittfield, Partner, Herbert Smith Freehills Kramer
• Specialist in cybersecurity, information security and emerging technology law
• Market-leading adviser on major cyber incident response across Australia
• www.linkedin.com/company/herbert-smith-freehills
• www.hsfkramer.com/our-people/c/cameron-whittfield
Host:
• Jayne Gurton, Law Institute of Victoria
• podcasts@liv.asn.au | https://www.linkedin.com/company/law-institute-of-victoria
Episode Overview:
Cyber incidents are no longer rare occurrences for law firms, but an inevitable eventuality with long-lasting consequences. This episode focuses on cyber incident fallout and the legal and human challenges that follow a breach. Cameron Whittfield explains what those first chaotic hours in the aftermath of a cyber incident look like, why early decisions on communications and privilege are so difficult to undo, and what regulatory obligations such as the Notifiable Data Breaches scheme need to be planned for and actioned.
This discussion offers practical insights into post breach response and communication, stakeholder relationships and performing under pressure during a crisis. Listeners will learn why preparation matters even more than technology spend and how reputations are shaped by what happens in the aftermath of a breach as much as the breach itself.
Topics & Timestamps:
• 01:34 The first call – what it feels like when a breach is first discovered
• 05:15 Bringing calm and structure to the first 48 hours
• 07:16 The human impact inside a firm during a cyber crisis
• 09:31 Where responses go wrong and why communication matters
• 12:48 Client conversations and professional obligations after a breach
• 14:42 Common mistakes firms keep repeating
• 29:50 What good preparation looks like
Key Takeaways:
• The first 48 hours after a cyber incident shape legal, regulatory and reputational outcomes for years
• Early communications decisions cannot be undone and require careful judgment
• Blame cultures undermine effective crisis response and information sharing
• Legal professional privilege must be managed carefully without blocking response efforts
• Client trust depends on transparency, process and timing after a breach
• Preparation and planning matter more than the size of a firm’s IT budget
Resources & Links:
• LIV Cybersecurity Hub – Practical guidance and resources for Victorian legal practitioners | http://www.liv.asn.au/cybersecurityhub
• LIJ: Cyber risk and law firms – Analysis of cyber security obligations for legal practices | https://www.liv.asn.au/web/law_institute_journal_and_news/web/lij/year/2025/02february/law_firms_and_cyber_risk.aspx
• Office of the Australian Information Commissioner – Notifiable Data Breaches scheme overview | https://www.oaic.gov.au/privacy/notifiable-data-breaches
• Australian Cyber Security Centre – Cyber security guidance for professional services firms | https://www.cyber.gov.au
• Privacy Act 1988 (Cth) – Legislative framework governing data breaches | http://www.legislation.gov.au/C2004A03712/latest/text
• Herbert Smith Freehills Kramer Cybersecurity Practice – Insight into cyber incident response | https://www.hsfkramer.com/insights/2023-06/surging-cyber-incidents-regulatory-activity-and-class-claims-in-australia
About This Podcast:
Cross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.
This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.
Disclaimer:
This podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.
Production Information:
• Produced by: The Law Institute of Victoria
• Producer and audio editor: Garreth Hanley
• Music: Garreth Hanley
• Copy and show notes: Louise Surette
Connect With Us:
Email: podcasts@liv.asn.au
Website: https://liv.asn.au
LinkedIn: https://www.linkedin.com/company/law-institute-of-victoria
Apple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728
Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgV
Mentioned in this episode:
2026 Legal Forum advert
Legal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum
Transcript
Welcome to Cross-Examined, a podcast by the Law Institute of Victoria.
Jayne Gurton: $97,000. According to the Australian Cyber Security Centre, that’s the average cost of a cyber breach for a medium-sized Australian business.
More than 232 cyber breaches are reported every day on average. That’s 85,000 every year, and that number is growing. It’s not a question of whether your law firm will face a cyber incident. It’s a question of when.
So, what really happens when the bits hit the fan, and how can you protect yourself and your firm from the fallout?
I’m Jayne Gurton and this is Cross-Examined.
Our guest today is Cameron Whittfield. Cameron is a partner at Herbert Smith Freehills Kramer in Melbourne. He is a specialist in cybersecurity and emerging technologies.
Cameron has advised organisations and boards on the preparation and the response to major cyber incidents across Australia. Cameron has seen many a fallout up close, and today he’ll be talking us through how things can go terribly wrong and how law firms can get it right.
Cam, welcome to Cross-Examined.
Cam Whittfield: Thank you. Great to be here.
Jayne Gurton: Cam, take us into the room. You get the call. A business has just realised something has gone wrong. What does that moment actually look like, and what’s the first thing you tell them?
Cam Whittfield: Well, I think the first thing to understand when you get that first phone call – you generally don’t know very much. And, in fact, sometimes you know so little that the phone call can even be premature.
You can often be called into an environment where something unusual is happening, and it ends up being nothing at all. But, by and large, by the time I’m called, and I’m usually called within, sometimes it feels like within minutes really, but called very early in the piece. The organisation’s got a fair idea that there is something unusual occurring within their environment. They may have detected an unauthorised third party in their environment, and they are in a state of almost absolute confusion, lack of information, the need to get information quickly. These things are unfolding very, very quickly. They may be in the midst of an attack, and when you’re in the midst of an attack, you’ve got a very small window in which to perhaps even shut that down. You have very limited information.
So, what does it look like and feels like? It’s inherently chaotic. A lot of this depends on how well organised the organisation is, of course. We can get to that, the value of organisation and planning. But it’s invariably chaotic. We are standing up – just to give you a sense of what we might do in the first, sort of, 24 hours – we are standing up crisis management teams. And those crisis management teams, if it escalates to that level, may consist of both internal and external providers. That, even from a basic procurement level, can take time, so this is why we have to do these things in advance.
We are dealing with a forensic situation which is unfolding in front of our feet, slowly, with very little information. We are making very, very difficult calls about whether to take certain forensic steps, disactivate or deactivate certain things, turn off systems.
We have, of course, internal stakeholders who are interested in knowing what’s going on. We’ve got a variety of external stakeholders that will be very soon interested to hear what’s going on.
You will have to work out what your communications approach is, both internally and externally. You’ll have regulators who will be interested. Some will be interested in a very short space of time. You will be developing strategies around the forensic analysis. You may be dealing with insurance obligations early in the piece. And, on top of that, you may have a workforce or a CMT team, which is under immense pressure.
If you look at that and look at those decisions at each point – and some of them might be legal, for example, setting up a privilege protocol around a certain component – they take time, but those decisions are really, really sticky. We can’t undo them, really. You can’t undo your first communication strategy to the public. You can’t undo some of the decisions that you make to disconnect things from the internet to save your organisation, for example.
So, to say it’s not a high-pressured environment would be a gross understatement. Yeah, because those decisions, the ones in the first 48 hours, may be with you for the next four to five years.
Jayne Gurton: So, what is the very first thing that you would say to someone who called you, and they were in that complete confusion?
Cam Whittfield: Quite frankly, when I sit back and look at incidents that we’ve been involved with and the best feedback that we can get, it’s not that you’ve delivered great legal advice – that’s a given. It’s that you brought a calm to the room at a point when we weren’t calm. You brought a structure to the process – the first 24, 48, 72 hours – which we didn’t know needed this type of structure and this sort of thinking. And you did so in a way which took the temperature out of the room. And I have this sort of saying – sometimes you’ve got to go slow to go fast.
If you can, kind of, decrease the pace of how this is going to unfold, share information which you are pretty confident will occur – it’s not often good news, but you deliver that nice and early – then you’ll feel an audible change of mood, a definite change of mood in the room around the pace. Suddenly the crisis starts to slow a little bit, and you get a little bit more of a handle on how you might handle things. It’s that chaos – where do we start and where do we stop – that creates that sort of frenetic environment.
With someone there that has been through this – and I couldn’t even begin to give you a number, they’ve been so numerous – but to be able to have gone through something and help the organisation at that C-suite level, at the board level, understand this is about to occur, help them coordinate resources, etc., and focus. That brings an enormous level of confidence to the organisation. It’s sometimes not the breach, right?
We are going to be impacted. I regret to inform everyone – if you haven’t already, you will be. You absolutely will be. And so sometimes the question is, how do you respond? And reputations are won and lost often on how you respond.
Jayne Gurton: What is the human reality inside? Those people that are experiencing the breach in that first 48 hours?
Cam Whittfield: Yeah, it’s real, it’s real. And I think it’s something that we’ve learned slowly, perhaps too slowly over the years, that there is a significant human toll.
There are those that are in the room that feel they may be responsible. And the worst thing we can do is start a blame culture in a room when we need everyone onside, you know. There’ll be time enough to think about how things have occurred and the like, but no one goes out to do these things intentionally within an organisation, right?
So, there’ll be people that will feel under significant pressure. There’ll be executives who will be under fire from both their, say, for example, their board or their key stakeholders or their investors. There will be enormous pressure, if you’re a listed entity, on public disclosure and messaging, media and the like. And so that level of pressure is unusual and intense, even when you’ve got a short, sharp crisis.
A cyber crisis is one that invariably goes for a number of weeks, can go for a number of months and, in theory, can continue to bubble up and resurface over the course of a number of years. So, you’ve got to brace yourself for a series of crises. How you do that – of course, good planning and having the right sort of discipline – but looking after your people.
I have seen excellent examples of corporates, large corporates in Australia in the last sort of year and a half who focus on their people. And it’s not just their wellbeing. It’s not just, “Don’t worry, you’re in a safe space here”. But it’s also understanding that some people will be awake for 48, 72 hours as we go through this. Our performance depletes as we become more and more sleep deprived, and so great organisations often have quite structured ways to hand over their crisis management responsibilities. Very clean breaks, very clean handovers. And it’s those organisations I find do well, because there’s always clear thinking in the room.
Jayne Gurton: Okay. So, Cam, without naming anyone, can you walk us through a scenario you’ve seen that still sticks with you where maybe the response went well or something went badly wrong that was avoidable?
Cam Whittfield: Where things go wrong, more often than not, things go wrong around the way in which the crisis management team manages itself. You need to have accountability, and clear accountability and the like.
It can often go wrong in communications. They say the top three risks around cybersecurity are comms, comms and comms. Because you can’t, you just can’t undo a communication, really, that’s gone public. And so, for me, I’ve seen, witnessed poor examples of communications where it’s either speculative or it talks to things as if it’s a fact, even though the investigation is unfolding. Maybe this is “PR 101”, I don’t really know, but when you’re dealing with an incident which you will not get your head around within the first week, maybe not even the first two weeks, if you’re lucky, you need to be as transparent as you can. You need to be as transparent as you can, but if you can’t talk to a fact, talk to the process by which you’re using to find out those facts. Even that simple step can bring a lot of comfort to those that may or may not be affected: “There is a process by which we are going through to get to the bottom of this”.
One other thing I’ve seen go wrong before is this overemphasis on legal constructs like legal professional privilege. I think we have done ourselves a disservice as an industry to suggest that somehow we can wrap this crisis in some sort of cover of legal professional privilege. And every now and then I see it in the market, what feels like a law firm or a legal practitioner almost selling legal professional privilege as a service. You know: “This is what we offer, legal professional privilege”. And it can be incredibly important, but the law of LPP has not changed. We’ve got a new scenario, but yes, the artifacts and deliverables still have to be for the dominant purpose of providing legal advice, etc.
And one of the worst things you can do is have privilege get in the way of an effective, essentially, disaster response or crisis response. And that can cause a number of problems. It can create a bottleneck in communications when you need communications to be moving freely. It can also put legal teams, particularly if they are not advised practically around this, in a very poor position internally, because they are seen as a bottleneck or at least everything has to be vetted, yada, yada, yada. And so, there are practical ways in which we can manage legal privilege so, we get those things that are for the genuine or the dominant purpose of legal advice protected, but not have that undo the great work that you need to do during a crisis, which is to move fluidly.
Information needs to be shared, and it needs to be shared at a rate of knots.
Jayne Gurton: At some point, a business has to pick up the phone to clients and suppliers whose data may have been compromised. Cam, what does that conversation look like, and what professional obligations might change how law firms have to respond?
Cam Whittfield: Yeah, the law firm is an interesting one. I think we have to be careful we don’t compartmentalise law firms as being anything particularly special.
Of course, we have our duties, of course, and we are regulated uniquely as an industry. But I tend to look at law firms in the same way as I look at the general business landscape.
What is a threat actor, let’s say a criminal threat actor or a financially motivated threat actor, after? They are after organisations that, if they are operationally disrupted, they have to stop or their data is compromised – both of those things are of extreme value, and someone will pay their way out of it. That’s really what they are looking for. That can be anywhere. That could be our critical infrastructure. You think of anything in our ports, aviation, trains, planes or the gas supply, electricity supply – it can be anywhere.
As a legal profession though, I think we need to be acutely aware that, while we may not be sitting on large troves of personal information, apart from our employees, we are definitely sitting on highly confidential information, and that information has value. And also, if you think operationally – what may occur, you know, if there’s a proceeding tomorrow in court or there’s an M&A transaction closing on Wednesday, and things like this. There are things inherently that can be disrupted, in the same way that, what if gas supply was turned off or what if any other professional services, whether it’s legal or otherwise?
Jayne Gurton: So, Cam, is there a mistake you see repeatedly across businesses of different sizes and industries and is there anything that sounds obvious in hindsight but keeps happening?
Cam Whittfield: A blame game. The natural tendency to say, “Who did this? Who was responsible? Which of our third parties did this to us?” And I think that is one of the biggest mistakes you can make early in a crisis – to start thinking you can allocate blame.
What you need during a crisis, during the first 48, 72, a week, whatever – you need friends. And you need friends from even those that may have been inextricably involved. And so, those that get on the sort of blame game or have any sort of blame game part of their culture, I don’t believe it works out well. Because what happens when you start blaming? People start shutting up. That’s just human nature. So that’s probably the first thing.
Knowing your roles. And this goes towards planning. What did Eisenhower say? A plan is nothing without planning. You can have a plan, but if you don’t actually practice the plan or actually run yourself through the plan, then you’ll be doing it at a time when it’s least opportune and you’re most at risk, and I don’t want you learning your plan on the day that an event occurs. And so, a failure to consider what is unique about your organisation and develop a plan.
For example, a law firm will have multiple clients, but also multiple stakeholders, perhaps hundreds of them. They are called partners, and the partners will have clients and personal relationships, for example. So how do we coordinate communications, for example, in that space? So, there’s that.
And then also perhaps a failure to understand and map what I’d call your data holdings. Mainly because many of these threat actors love the easy extortion attack, or the easy disruption attack, is to steal your data, and then say, in order for us to not publish that data, you must pay us $6 million.
Jayne Gurton: Can you explain data holdings?
Cam Whittfield: Sure. So, a criminal will usually come into an organisation if they can make their way into it through various means – social engineering maybe – and they will try to do two things usually. They will try to lock up your systems, encrypt them, and they will also try to exfiltrate or take data out of your environment.
Encryption is becoming harder, data is becoming easier because we’ve put in place good protections in place around business continuity and the like. So, data has become the easy extortion process. So, grab some data sets and remove it.
How do we minimise the risk of that, apart from obviously never letting these people into the organisation in the first place? When I say letting in, you know, where they find their way in. It is to identify the information which is of value to us and make sure we protect that information, whether it’s our crown jewels, whether it’s our people information, whether it’s a particularly confidential information in relation to clients and the like.
And so, a mapping of your data holdings. What data do you hold as an organisation? Where do you hold it, and how are you protecting it? Is it behind password protections? All that sort of stuff. Really kind of basic cyber hygiene, actually, to prevent someone coming in, extracting information and making hay. I would say that 85 per cent of the incidents that we have to deal with would be successfully repelled through fundamental and basic cyber hygiene.
Jayne Gurton: A lot of what you just said is to be more proactive rather than reactive.
Cam Whittfield: Oh, definitely. Yeah, definitely. And look, what does that mean? Because there are those investments that we should be putting in place to maintain our basic cyber hygiene. There should be processes that we have in place that help with our business continuity if we were to be disrupted.
Sometimes we are disrupted not because the threat actors encrypted us, but because we don’t know whether they are still in our environment. So, we have to deactivate certain things until we know they are free – so, free of our environment.
So, putting in those protections in place. And then, importantly, of course, what happens if it occurs? And I hate to sort of put it this way, but it will occur. It will occur in some form or another. It may have nothing to do with you. It may have to do with your vendor, your third party, your vendor’s vendor’s vendor – they may be responsible for this.
So, this is the interconnected world we now live in. So, we must be prepared for something to occur. And then, like I said, reputations can be won and lost on how you respond to a crisis.
That’s why I believe some of the responses we saw last year out of some of our largest corporates were just exemplary, because the way they responded demonstrated a level of crisis management sophistication and transparency that I think won them a lot of friends.
Jayne Gurton: We’ve spoken a lot about crisis management.
Cam Whittfield: Yes.
Jayne Gurton: For the businesses that you have seen handle a breach well, maybe give me the top three things that they had in place beforehand that really made the difference on the day.
Cam Whittfield: I’ll sound like I’m repeating myself a little bit, but they will have invested in fundamental cyber hygiene, whether that’s MFA in place for access, putting remote desktops behind firewalls, you know, really kind of basic stuff. You’ll be surprised how often that does not occur.
Ridding yourself of legacy systems and the like, and legacy data systems. So, taking care of your business as it exists at this point in time – that’s the first thing, and that’s a given.
And, of course, your people – I talk about social engineering. I just cannot, if I could call every single person in my organisation, your organisation, just say, please, if you receive a phone call, have a protocol in place where you’re not taking instructions on that phone call. You’re ringing back, or there’s some sort of protocol to protect you. That’s that.
The second thing is that they prepare for it. They anticipate it and prepare for it. They don’t like to do it, it’s not a pleasant experience. We have to lean into something which is ugly and complicated. But, like I said, we don’t want to be floundering at that point in time. And you can do a lot in advance. There’s a pattern to these things. You can have your privileged protocols in place. You can have your team, both external and internal, on standby. You can have holding statements prepared around reactive comms. You can have a position on whether or not you might engage a criminal threat actor or even pay an extortion demand.
All of those things can be thought of in advance. And, what’s our regulatory engagement strategy? You know, who are our regulators? What’s our timeframes around that sort of stuff?
All of that I can tell you right now. I can give you the list. I can give you the 24, 48, 72-hour checklist about what things that you’ll have to come across, and I can guarantee almost 90 per cent of those you can prepare in advance, and I recommend you do.
When an event occurs with our clients – I am not talking about law firms here, I’m talking about the business community just generally – it’s a sensitive topic. It’s not a nice conversation, but you must kind of go through and assess what we did right, what we did wrong, how do we learn, how could we have done better in this sort of circumstance. No one does it perfectly, of course.
Jayne Gurton: Cam, thank you so much for all your expertise and for talking us through everything. That was incredible.
Cam Whittfield: You’re welcome.
Jayne Gurton: The biggest thing that will stick with me from this conversation is that the firms or the organisations that handle it well might not be the ones with the biggest IT budget, but the ones that made the right decisions before the breach happened and prepared properly.
Cam Whittfield: Yeah, absolutely. Like I said, a plan is nothing without planning. Develop a plan that’s unique to our business, unique to the risk that we face as a business and make sure that that plan works.
Jayne Gurton: Thank you so much, Cam. It’s been great having you on the show.
Cam Whittfield: You’re welcome.
Jayne Gurton: If you want to go deeper on anything we covered today, the show notes have links to the LIV Cybersecurity Hub, resources from the Australian Cyber Security Centre and Herbert Smith Freehills Kramer’s Cybersecurity Practice.
Until next time, thanks for listening to Cross-Examined.
