When you are discussing cyber security breaches with senior cyber policy expert Peter Coroneos, the conversation inevitably comes around to the current My Health Record debate.
“People are opting out, because they’re fearful, they don’t trust the security of the national health scheme,” he says.
“They are a little nervous about having their health records in a centralised database, where 900,000 GPs around the country can access them with their own little PCs. Health records are very valuable; once stolen, they are sold on the ‘dark web’ for about 50 times more than a financial record, so it is natural to ask how secure this system is.”
This mistrust is hardly unreasonable, he argues, pointing to 14 different case studies of major organisations that have come under some sort of cyber attack, three of them Australian government organisations. This research led him to write The Cyber Breach Communication Playbook with communications expert Michael Parker. The book is a manual on how to handle a security breach once it happens.
“This whole book is dedicated to the idea that any relationship requires trust; if trust is lacking, the foundations of the relationship are at risk,” he explains.
“With the corporate and organisational perspective in mind, when customer trust or citizen trust is eroded, then the result is a damaged reputation.”
So what should the government have done to avoid the current backlash?
“They should have done a lot more to educate people, before they initiated the program, rather than just saying to everyone ‘now you have three months to opt out’; and they should move from opt-in to opt-out,” he argues.
“That’s a radical shift. The scheme has already been in place for six years, but up to now you had to voluntarily agree for your records to be public. Now it means that your records are there by default, and unless you take affirmative steps to remove them, they are there for anyone to get them potentially. How are vulnerable people able to exercise their right to opt out? How is an elderly couple – maybe not even English-speaking – to understand what opt out means, to go to a website and select what category of information they don’t want to be shared?”
CYBER SECURITY REQUIRES A CULTURAL CHANGE IN BUSINESS
All these are valid questions, and the answers – or at least a roadmap for handling such issues – are presented in Mr Coroneos’ book.
The need for such a guide became apparent after new legislation in February made it a legal requirement that people be informed when a breach occurs in a company.
“Up until now, companies preferred not to talk about these issues, to avoid embarrassment, but under the new law, non-disclosure is no longer a viable option for most businesses,” he explains. Businesses with an annual turnover under $3 million are exempt, but Peter Coroneos believes the principle should be applied by all businesses.
“I was noticing how badly they were handling their communications,” he says. “In some cases they were trying to cover up, so I thought there should be some guidance for companies and government bodies on what to say when you have a breach.” In a sense, this playbook is a leadership guide for decision-makers in organisations, addressed to people whose jobs are at risk if they fail to manage these issues. “In the old days, that is five years ago,” says Peter Coroneos, laughing at “how quickly life changes these days”, a security breach would be the responsibility of the IT department, but more recently the accountability rests with the entire executive team.
“This is why companies are so slow to adapt and put appropriate protections in place, because generally IT managers don’t have that much power in the organisation,” he says.
“Traditionally the Chief Information Officer and the Chief Technology Officer are seen as enablers of the business, but when cyber security is brought into the equation, these people are calling for more money to be spent on things that haven’t happened yet. Their challenge has been to gain leverage to get the entire organisation to understand that cyber security is a shared responsibility; it doesn’t rest only with the people whose job has the word ‘technology’ in the title.
“Cyber security requires a cultural change within the organisation, because it is as much a human issue as it is a technology issue; a phishing attack can be targeted at anyone in the organisation who has email access, and once the malware gets into the system, the entire organisation is at risk.”
EVERYONE SHOULD BE CAUTIOUS
Anyone worrying about how to protect themselves from such incidents should not look for easy answers.
“This is not a manual on technology prevention or human prevention,” explains Mr Coroneos.
“This is about developing pre-breach communication strategies and pre-breach preparation for the kind of disclosure that needs to be made at the time of the breach,” he says, stressing that the book is based on the “fairly good assumption, unfortunately, that it’s not a matter of if, it’s a matter of when it is going to happen to you.”
Which raises the greatest question of all: if cyber security breaches are inevitable, how safe are internet users?
“I think we had hoped by now that the internet would have been a lot safer than it is, but unfortunately the bad guys have been investing heavily in technology and human attack techniques,” says the former head of Australia’s Internet Industry Association.
“We are reaching the point when the average internet user is going to be challenged to tell the difference between malicious and legitimate communication,” he adds.
“We are in a fairly risky time and it remains to be seen whether the new technology coming through around Artificial Intelligence can empower the good guys more readily than the bad guys. That would determine who finally wins the war, but in the short term, anyone should be on reasonably high alert. I’m still using the internet, but I’m certainly much more cautious than ever before.”