Inside the mop-up of a huge data “cock-up”

How AusCERT helped to tackle the Australian Red Cross Blood Service’s massive data breach

Once engaged, King and his team worked with the Australian Red Cross Blood Service and, presumably, the organisation’s technology partner, Precedent, to resolve the breach and mop up the potential fallout from the incident.

King and his team habitually take a six-phase incident response approach to such breaches. The first step is preparation, followed by identification, containment, eradication, recovery, and lessons learned.

“You’re trying to lessen the chance that you will have a data breach or a cyber incident. But where companies generally fall down is that they don’t plan for what happens afterwards; they don’t develop, as part of their preparation, an incident response plan,” King said.

“I’d say that for the vast majority of cyber incidents that we help manage, the companies don’t have an incident response plan. And even most of the ones that do [have one] don’t use it in an incident because it’s not usable. Situations in that case are often so fluid that the plans they’ve written really start coming apart.

“With mandatory breach notification coming in, that will be an issue,” he said.

In the case of the Red Cross Blood Service, it was the willingness of the organisation’s leadership to comprehend the situation, act quickly, and ask for help that got the ball rolling.

“She [Park] got it, and she owned it, and she understood how important this was,” King said. “They [the Red Cross Blood Service] stood up a business stream and a technical stream in terms of the crisis management, and they worked tirelessly.

“They let us in every meeting. They took the advice. At the end of the day they had to make the decision about what was right for them, but they took all our advice, and I’d say that is another very important thing,” he said.

After preparation, the next phase of the response was identification and analysis, according to King. For the Red Cross Blood Service, this step involved others, with Hunt and his anonymous source informing the organisation of the breach. This is not unusual, with a large proportion of breaches going unknown until a third party picks them up and reports them – or not.

“Troy [Hunt] disclosed to us very ethically and very early,” King said. “That was a good start to a very bad situation. And we were able to get the offending website taken offline the same day, later that night we were able to get it down.”

“At the end of the day, that mattered. For Australia’s biggest incident so far, that made a material difference. That we could talk to someone in Australia who had the authority to make a decision, and took that website down for us,” he said.
