Retail businesses rely heavily on a number of different tools and systems, whether cash registers or POS systems, back office, inventory control or payroll systems, and hold large databases of customer information. This presents a large attack surface for phishing, email compromise, ransomware and other cyber threats.
The retail industry faces real challenges in complying with a number of information privacy and data protection laws, often across multiple Australian and international jurisdictions. Responsible handling of personal information is not the only concern: payment fraud, loss of confidential information and supply chain threats are real and potentially costly issues for business.
Leaders and managers will need to understand and address the diversity of compliance and information privacy issues. Planning and preparing for cyber incident management and response will help the business to reduce cyber and legal risks, build and preserve customer trust, and minimize business impact and cost, if (or when) a cyber incident occurs.
City Beach suffered a cyber incident in May 2020. Yet by having a plan and a team of business, legal and forensic leaders at the table, City Beach was able to recover within 48-72 hours with no impact to trade or operations. City Beach CIO Rhian Greenway and HopgoodGanim Partners Hayden Delaney and Steven Hunwicks discussed these issues and more in a recent case study with host Nathan Bush.
Getting legal involved early on
Having lawyers engaged early allows them to establish legal professional privilege and ensure that it attaches to communications within the data breach response team. To manage a potential data breach properly, the team needs communication channels where it can talk freely, without fear of those communications being used against it later by a regulator. This is a critical first step.
Your legal advisors are also a great sounding board, as they deal with cyber security incidents often. In a situation where the first reaction is to panic, simple mistakes can be detrimental.
How did you know to bring legal partners in so early?
90% of IT managers will do a root cause analysis from a technology perspective first. But the City Beach leadership team knew that if a significant event had occurred, it would affect the business more widely than its technology systems alone, and that having the legal team onsite and engaged early would allow them to make the right moves.
“We knew we’d need the legal and technical assistance that we didn’t have internally,” said City Beach CIO, Rhian Greenway.
By being engaged early, HopgoodGanim was able to provide initial legal advice and also bring in the cyber forensic team from McGrath Nicol, who were on site from 10am, with their kit, set up in the boardroom ready to go.
McGrath Nicol relieved the City Beach team of intensive technical tasks such as forensic system, logfile and email analysis of the cyber event.
Is there a checklist or a process that you work through for every breach?
There is a process that needs to be followed for every breach. However, every breach has its quirks and differences, and the cyber response team needs to be agile when reacting to a breach.
There are always things that need to be done for every breach.
One primary aspect is establishing legal professional privilege around the cyber response team’s communications. This is critical as it ensures the business has the comfort to communicate freely without concern that documenting their findings might come back to bite.
Another critical next step is having your legal team engage digital forensic experts on your behalf, making sure that they capture and preserve the relevant information promptly. The response team needs to forensically capture and preserve logs and other evidence relating to the cyber event, as it can be so important for analysis down the track.
Your legal and forensic teams can help ensure the business, in its vigour to get operations back up and running, doesn't overwrite logs and lose key information. That information can be very important later, when trying to understand whether there's a real risk of serious harm. Legal teams rely on that data and use it to determine whether it's necessary to give a data breach notification to a privacy regulator, affected individuals or contracted counterparties, and potentially how many people need to be notified.
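The preservation step described above (copying logs before they are overwritten and keeping them in a form that can be relied on later) can be shown with a small evidence-preservation routine. This is an added example, not code from City Beach, HopgoodGanim or McGrath Nicol: the log lines, the file names and the collector name are constructed for illustration, and the manifest format is an assumption of this example rather than any firm's procedure. It copies each log into an evidence folder, records a SHA-256 hash and collection time for every file in a manifest, and re-verifies the copies later so that any later edit (including a well-meaning "tidy up") is detected.

```python
"""Preserve log evidence with integrity hashes and a simple chain-of-custody manifest.

Added example (not the page's or any firm's own tooling). All sample data is constructed.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large log files are not loaded into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _utc(ts=None) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def preserve_logs(sources, evidence_dir, collector: str) -> dict:
    """Copy each source log into evidence_dir, hash it and write manifest.json.

    The originals are never modified; copy2 keeps the source modification time so
    the file metadata remains useful for building a timeline. Returns the manifest.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)
        digest = sha256_file(dst)
        # Guard against a partial or corrupted copy before recording it as evidence.
        if digest != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match the original")
        entries.append({
            "original_path": str(src),
            "evidence_path": str(dst),
            "sha256": digest,
            "size_bytes": dst.stat().st_size,
            "source_mtime_utc": _utc(src.stat().st_mtime),
        })
    manifest = {"collected_by": collector, "collected_at_utc": _utc(), "files": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir) -> list:
    """Re-hash every preserved file against manifest.json; return a list of problems."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    problems = []
    for entry in manifest["files"]:
        path = Path(entry["evidence_path"])
        if not path.exists():
            problems.append(f"missing: {path}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {path}")
    return problems


def demo():
    """Create constructed sample logs, preserve them, then show that tampering is caught."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    live = work / "live"
    live.mkdir()
    # Constructed sample log lines (documentation IP range and reserved domain), not real data.
    (live / "auth.log").write_text(
        "2020-05-01T02:14:07Z sshd[311]: Failed password for admin from 203.0.113.9\n"
        "2020-05-01T02:14:11Z sshd[311]: Accepted password for admin from 203.0.113.9\n"
    )
    (live / "mail.log").write_text(
        "2020-05-01T02:20:40Z imap-login: user=<accounts@example.com> rip=203.0.113.9\n"
    )
    evidence = work / "evidence"
    preserve_logs([live / "auth.log", live / "mail.log"], evidence, collector="forensic analyst (example)")
    clean = verify_evidence(evidence)  # expected: no problems
    # Simulate someone appending to the preserved copy during clean-up.
    with (evidence / "auth.log").open("a") as f:
        f.write("2020-05-01T03:00:00Z sshd[311]: log rotated\n")
    tampered = verify_evidence(evidence)  # expected: one hash mismatch on auth.log
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("after preservation:", before or "all files verified")
    print("after tampering:   ", after)
```

In practice the evidence folder would sit on write-once or access-controlled storage and the manifest would be signed or hashed itself, but the core discipline is the same: copy first, hash immediately, and verify before anyone relies on the data for the harm assessment or a notification decision.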
During a cyber breach there is often panic, with team members going into fixing mode, especially when CEOs and CFOs are involved and seeking to return to normal revenue operations as promptly as possible. It's important to consider not only fixing the problem, but also diagnosing it and how the findings will be used in post-incident analysis.
Why is it important to have a relationship with a legal team?
Building relationships with your lawyer, accountant and technology providers as part of your everyday business is critical, and particularly so in preparation for an incident such as a data breach. This allows you to pick up the phone to those trusted relationships and engage early when an incident occurs.
Cyber security incidents are all-consuming and you need a team behind you. Your team should be assembled rapidly and include:
- your internal leadership team and subject matter experts;
- a legal team;
- an external forensic analyst; and
- a communications or PR advisor.
This team should constantly modify its approach as the incident progresses and more information comes to light, to facilitate the best response and outcome. It may also be important to have two other players on this team, depending on the incident:
- An insurance advisor (broker or insurance relationship). Often, it’s necessary to make an insurance claim on your cyber policy after the event. That claim needs to be started in parallel with all the legal and forensic work.
- If you may be required to notify individuals whose personal information was affected by the incident, a service provider like IDCARE can assist with managing communications in an effective, scalable way and ensure the message that goes out is clear and consistent, without drawing those resources away from the business.
During significant data breaches, companies may have to correspond with over 100,000 stakeholders. For some businesses, coordinating this volume of communications is a huge distraction from day-to-day business.
How did you keep your stakeholders aligned and informed?
City Beach had a strong leadership team with long tenure, both with each other and with the company. This allowed the team to carve off key components and delegate, allowing the IT team to focus on remediation, assets and providing the different technical information required by the forensic and legal teams.
As a legal team, how did you coordinate the flow of information between the business and technical team?
Coordinating communications is always a challenge. It’s a process to capture data, and then understand the extent of what has happened. In City Beach’s case, the internal team worked seamlessly with the external cyber forensic team.
For a good result in a cyber security incident, it’s critical that good data is salvaged early, and that your legal partners don’t shy away from technical data.
How did the story conclude?
There were a lot of sleepless nights and hard work for City Beach, but ultimately the business had a great outcome, with the number of affected individuals narrowed down.
The incident resulted in significant and serious lessons learned about controlling the company’s technology space. Staff members don’t intentionally do malicious things, but can often be the weak link in a company’s cyber security. In City Beach’s case, a recruitment application wasn’t downloaded to circumvent IT but was seen as a practical solution to an organisational need. This small proof of concept for recruitment became a core part of how the company operated and held large amounts of customer and employee data. In a data breach, this weak system is an easy target.
City Beach returned to normal trading within 48-72 hours, with no impact to trade or operations. The journey to revisit and implement City Beach's entire IT strategy took much longer.
What were the key activities and outcomes that followed the breach?
Staff training and education is key to ensuring a business's cyber security is as secure as it can be. Educating staff on imminent threats is critical, and underappreciated in the retail industry.
Unless people know how to interact with technology, the problem will still exist. City Beach hosted an education campaign called Cyber Month to up-skill all team members.
With the aim of being ahead of threats rather than behind them, City Beach revisited its entire security stack, to the extent of engaging third parties in the security space.
What are the common threats that you see in the retail sphere?
The threats to a retail organisation are a laundry list of potential cyber attacks. Given the attack surface of the business, there are so many touchpoints involved that almost anything is a target, whether it's the cash register on the desk or the IT system in the back office.
Phishing scams are commonplace and have the potential to be quite targeted. This could be trying to compromise a highly credentialled account, or to gain access into the organisation's systems via a compromised lower-privilege account and then leverage or upgrade this access into a highly credentialled account. These types of attacks can be very damaging to a retail business.
Businesses should also be aware of email compromise attacks, not just phishing. Once account credentials have been obtained, some attackers will look for opportunities for financial fraud. If they can detect that a financial transaction is being conducted over email, or if they can intercept and modify an invoice, they may be able to be paid tens or hundreds of thousands of dollars without the business detecting it, for weeks or months at a time.
Currently, there also is a high volume of ransomware activity within the retail industry. Ransomware uses data encryption to prevent a business from accessing its own files and applications. These types of attacks occur on a regular basis, and businesses need to be prepared for them.
Is most of the damage done by sophisticated schemes?
No. The whole idea of Software as a Service (SaaS) is great when it's benefitting a business, and cloud-based providers are everywhere. But that's how ransomware operates as well. Attackers can buy malicious scripts and rent a server for an hour for, say, $15; then acquire a list of potential targets for, say, $100, and the ransomware incident they trigger could result in a million dollar pay day.
From a regulatory point of view, what’s in place to protect retailers? And what do retailers have to comply with?
Having lawyers engaged from the start is ideal, as it maximises the available timeframe for understanding the incident. When something happens under the Australian scheme, there is an obligation to investigate and, potentially, notify as soon as practicable, and no later than 30 days from reasonably suspecting that a notifiable data breach may have occurred within your organisation.
Understanding what has occurred is critical, as if other jurisdictions are involved, your reporting time may differ. For example, under the General Data Protection Regulation (GDPR) there is a much tighter, 72-hour window. It doesn't necessarily require that you have all the information immediately, but it's important to have the right response team available to understand as much as possible. The legal regime is geared around ensuring organisations investigate, understand what has happened and consider whether there has been a data breach that has a real risk of causing serious harm to an individual. If that is the case, it's important that the business does give notice to the regulator and to the affected individuals.
If individuals know that something has happened to their data, they can take proactive steps, including cancelling credit cards and notifying government agencies that their government-related identifiers have been potentially compromised. This all helps to mitigate the damage.
The role of the legal advisor in a cyber security incident is to come in and help the client understand the process and minimise the impact on the business and the end individual.
There is no point in falling on your sword straight away and giving notice as far and as wide as possible, even where there is no real risk of serious harm. That will cause panic and damage customer trust, which is so critical to the retail industry. These are the types of things a legal advisor can encourage retailers to think about.
Is there an end to the threat of a cyber attack?
It’s not if, it’s when this will happen to your business. Every business is going to suffer something at some point — it’s a sad reality.
Ensuring that your business is prepared is the only way to weather a cyber attack relatively unscathed.
What are your top tips for retailers, to be ahead of the game?
1. Invest in IT
A lot of the retail industry is lean in the IT space. Agile retailers should look to revisit their technology stack regularly, perhaps every 6–12 months, and consider all key components, not only ERP but anything that protects your network or moves data around. These are the kind of things that often get overlooked.
Rhian suggested that security doesn’t make your business faster. It will slow things down. But the reality is, without robust security systems and response plans in place, really bad things are going to happen.
2. Get your legal team involved early on
Involving your legal team is critical in ensuring that:
- the organisation can freely communicate about the incident with the added protection of legal professional privilege;
- the organisation and stakeholders are protected; and
- the response team understands what legal and compliance risks are out there, and the timeframe for meeting its legal obligations if a data incident occurs.
A cyber-aware legal team can also advise on:
- how to navigate the incident response;
- how to work effectively with your cyber insurer to deliver an optimal claim outcome;
- what legislative requirements and compliance obligations are involved;
- what the company’s contractual obligations might be; and
- what the best approach is in a PR sense, to maximise and hold customer trust.
These are key considerations that organisations should take away and think about carefully. When choosing the legal provider that you use, make sure that you engage someone who does this on a regular basis. Cyber attacks require an experienced pair of hands. Our IPIT team advise on cyber attacks regularly and know exactly what's at play when stress is high.
3. Take the opportunity a cyber security incident presents
A data breach is a painful, uncomfortable experience to go through. By responding responsibly and in a way that protects the business, its people and its customers, the business can achieve better outcomes than it would from an unmanaged event.
In a never-let-a-good-crisis-go-to-waste way, a cyber attack can be a platform to move the business to the next level, by putting it on a different trajectory in terms of systems, processes, people, and technology.
Difficult and stressful times, like a cyber attack crisis, make great teams and great businesses. It is a time to learn and get better from it.