Tech Insights with Alisha Christian
In today's rapidly evolving tech landscape, staying informed is more important than ever. "Tech Insights" by Mercury IT is your go-to podcast for expert analysis, industry trends, and actionable insights from top technology professionals.
Whether you're interested in cybersecurity, IT infrastructure, emerging technologies, or digital transformation, this podcast covers it all. Tune in to stay ahead of the curve and navigate the complexities of the tech world with confidence.
Cyber Risk at the Top: Why Boards Can’t Outsource Accountability
A landmark privacy ruling just raised the bar for every Australian organisation handling personal data. We walk through the Australian Clinical Labs case—from the Medlab acquisition and the rapid breach that followed to the court‑affirmed penalties—and spell out what “reasonable steps” now look like when sensitive health and financial records are involved. The lesson is not abstract: legacy systems, weak MFA, poor patching, and unencrypted data turned a containable incident into a costly, harmful event.
We share how ransomware evolved into double extortion, why backups are necessary but not sufficient, and how delayed investigation and notification magnify legal and reputational damage. You’ll hear practical guidance on reporting within 30 days, engaging the Australian Cyber Security Centre early, and using their support without fear of self‑incrimination. We also break down the $5.8m fine components, what the court prioritised, and why this outcome sets a floor for future actions under Australia’s privacy regime.
Directors and boards are front and centre. Outsourcing cyber does not outsource accountability. We outline the questions every board should ask, draw on the Australian Institute of Company Directors’ guidance and the ASD’s new prompts for directors, and explain how the Essential Eight baseline would have cut several risk pathways. Beyond controls, we champion small data: keep only what you need, collect it through secure portals rather than email, set retention with automated destruction, and verify supplier security because liability follows your data.
If you own risk in your organisation—CEO, director, CIO, CISO, or Practice Manager—this conversation will sharpen your priorities and your plan. Subscribe, share with your leadership team, and leave a review with the one change you’ll make this quarter.
Setting The Stage: Privacy Act
Alisha Christian: Good morning, Chris. Good morning, Martin. Good morning. Welcome back to the podcast, everybody.
Speaker 2: Thank you.
Alisha Christian: So we're talking about the Privacy Act today, and basically a legal case around Australian Clinical Labs.
Speaker: Yep. Big one.
Alisha Christian: Yes, yes, definitely sounds like a big one. Can you walk us through what made the ACL case so significant?
Why The ACL Ruling Matters
Speaker 3: Well, it's the first time the Australian Information Commissioner has actually followed through on fining a company for a notifiable data breach. So we've had the laws in place since 2018, which was an amendment to the Privacy Act 1988. So the Notifiable Data Breach scheme of 2018 made a few more conditions around businesses having to report if they had an issue with a breach, and having some requirements around penalties if they did have a breach. Since 2018, we've had no actual fines imposed by the office at all, and the commissioner has not actually imposed fines until this particular case. So this one had to go through the courts as well, because even though the legislation was put in place with penalties included in it, you have to actually make sure that the penalties are reasonable. So the commissioner takes it to court, and the Federal Court will actually define whether or not it's a reasonable imposition of the penalty. So that's what's happened here. The first case where it's been followed through all the way through the court. They've been found to have the penalty implied and required, and now we have something to really report on, on the fact that the Notifiable Data Breach scheme is actually starting to have some teeth.
Inside The Medlab Acquisition And Breach
Speaker: Yeah. So it's quite significant because, you know, we've spoken about notifiable data breaches. We work on response plans with our clients around that breach so that they're meeting those requirements. Not that it's just a response plan, you need obviously a few things in place. But when I say a few things in place, a lot of that's guesswork, right? So it's whatever someone in that position would reasonably do, right? And it takes some interpretation of what that is. And those penalties that Martin was talking about kind of started at, did they start at 2.4 or less? They're about 2.4 million, and then they've been adjusted, not every year, but they've been adjusted, I think, about three times. So we're at 50 million or three times the turnover, and it could be more than that. So that's where it is currently. But where the laws have changed, I think, has given the Information Commissioner more powers to actually take someone to court. And that's what's actually happened. And the 70-plus page document that's come out of the court papers and the rulings, et cetera, gives people in cybersecurity as well as businesses a much clearer idea of what is deemed reasonable to protect someone's privacy or private data, so that you actually have a better understanding of, well, what is it that I actually need to do. So again, it's not prescriptive specifically, like we can't say for definite, but it gives us a much clearer idea.
Alisha Christian: Yeah, wow. So can you tell me a little bit more about this case? They acquired Medlab Pathology, is that correct? And then they suffered a breach not long after that?
Speaker: Yeah, it's quite interesting. So ACL, the company that purchased Medlab Pathology, is quite a large organization. I think it's a very large turnover. I can't remember how big. Was it a billion turnover? It's a large ASX-listed business. Their security and so forth is actually up to scratch. It's as you would expect from a large organization. Unfortunately, in this particular case, under an M&A, mergers and acquisitions, they've purchased a business. They've determined that there are certain areas that are lax, and they're like, oh, okay, well, we'll just bring them into our systems, as you would, right? It makes perfect sense. But these projects can take a while to get around, like I don't know how many sites they had, and you know, the complexities of projects in IT, people in IT would know these things do take time. But unfortunately, Medlab was breached within two months. So they didn't have a lot of time, and then all of a sudden it's ACL's problem, right? So I think that's where it kind of came out.
Endpoint Protection: Tools And Configuration
Speaker 3: Would you call that unlucky? Some of the interesting parts are that when they actually had the breach, where they basically had a ransomware event propagate throughout the Medlab environment, it also attempted to breach into some of the ACL environment, but their endpoint protection actually stopped it. So Medlab's endpoint protection was not up to the same standard as ACL's endpoint protection. And we do talk about that, that not all endpoint protections are created equal. So, you know, there are better packages out there, and certainly in a lot of the court documents, they do name this product, although they redact it. You do not see what product it was, which is disappointing. Well, we have some guesses, because you can see how long the name was. So there's a few guesses that we've had about what product it was, but it is interesting that, yeah, it would have been far worse had ACL had something similar to what Medlab had in place.
Speaker: Yeah, and something to note just on the endpoint protection, it's not as easy as "I'm using the right endpoint protection." There is configuration as well. It's like people going, oh, I use SentinelOne, so therefore it's better than just using Defender. That's not necessarily the case. Same with Defender, it's got to be configured correctly, it's got to be monitored, there's a lot of elements that go with that. And that's where these findings in the court document are quite telling. It is. Yeah.
Alisha Christian: Yeah, wow. So what would reasonable steps have looked like for a pathology provider handling such sensitive data?
Reasonable Steps And Legacy Systems
Speaker: It's an interesting one. You know what? We often talk about the basics, and the reason why I bring this up again is it is in the court documents: patching not being done, right? Running old, out-of-date software, Windows servers specifically in this environment, that are past end of life. So they're not kept up to date anymore. There's no way to patch it to secure it. And this is where, Martin, you did a podcast on legacy, or was it an article? I can't remember. Yeah, but legacy software and hardware. It becomes a problem within an organization whereby their security is weakened because they're still trying to keep whatever this product is going, and they haven't looked at, or they don't want to invest in, moving to whatever the latest is for that product. It's kind of like, well, it's not broken, don't try and fix it, kind of scenario. But the problem is it is broken; the security is broken. So in this case, some of the basics: no patching, updates, running EDR software, so your endpoint protection and response software that's up to task, MFA lacking, no encryption of data. It's just one thing after the other, and you just go, like, no. Right? So there's a lot of things that needed to be in place that just weren't, and there were a lot more.
Speaker 3: There were, and also you're talking about the data, like the information. So Medlab Pathology did a lot of tests on things like fertility and sexually transmitted disease tests and those sorts of things. So when you've got patient data that includes information that can cause harm if it's actually released, because we talk about the harm all the time when we're talking about the notifiable data breach, it's about what harm has been caused. The likelihood of harm increases quite significantly when you've got very, very private information. And that's the information that was involved in this particular breach. And they had extracted the information. So this is one of those ransomware events, we've talked about this before a few times, where ransomware originally was just encrypting the files and then you paid your ransom and you got decrypted, or the model sort of changed to the point where people stopped paying the ransoms and they would just restore from backups and be done with it. The criminals got smarter, and what they would do is steal the information first, then encrypt it all, and then make you pay a ransom not only to de-encrypt the files, but also to stop them from actually releasing the information on the dark web.
Alisha Christian: We've talked about that before, haven't we?
Speaker 3: And that ransom piece around the data, because they already have it, that's where we get into these sorts of situations where that likelihood of harm is actually quite high.
Alisha Christian: Because they're not necessarily going to give that information back.
Speaker 3: No, and we had a recent case of this with Qantas. Their application was breached, and they were ransomed for the data to be released on the web, and basically the application provider and Qantas said, nope, we're not paying that. So it's been released. So all of that Qantas data is actually out there, freely available for anyone who wants to pay a few dollars for it.
Sensitive Health Data And Harm
Speaker: Yeah, absolutely. And in this case, unfortunately, when we speak about harm, as Martin said, we talk about things like, with health data, it could be reputational harm; mental health is another one. The other one is financial harm, and that's kind of where we start to get to in the personally identifiable information, so your PII information. Not just health information; it could be financial. So then there's financial harm as well. Unfortunately for them, they had both lots, so they had a bunch of credit cards as well. So there was a lot of harm there. So it would have been a relatively easy case, I think, to find them at fault and lodge that fine against them. Not that the Information Commissioner would agree with me that it's an easy case. I was recently down in Melbourne with Martin at the cyber conference that happens every year in Melbourne, and I went and watched some of the talks. Obviously, there was a lot of discussion around this particular case. I saw two independent talks with lawyers, and I saw one panel discussion where the guy, I forget his name unfortunately, was the lead of the investigative team for the Information Commissioner. And they've got a lot on their plate.
Alisha Christian: Well, that would have been an interesting talk on the case. It was super interesting, yeah.
Speaker 3: Yeah, so on that, we should probably point out that this might be the last one of these sorts of cases.
Alisha Christian: No, well, I'm sure it won't be. Absolutely not.
Speaker: And he did say as well, because the fine that was issued here was 5.8 million. So it was, was it 4.2, 4.6 million for the breach, so not securing the data. There was 800,000 for not investigating the issue promptly. There was another 800,000 for then not notifying the Information Commissioner, and then above the 5.8, there's another $400,000 that they've agreed to pay for the Information Commissioner's investigation costs. Costs.
Alisha Christian: So, well, that certainly all added up fast, didn't it?
Ransomware’s Double Extortion Model
Speaker: It did, and he did say that would be the floor. So that would be the minimum that they would be going after. You've got to remember that this breach took place back in '22. So the fines were set; I think they were probably still 2.4 million at that point, right? Where now it's a lot higher. But it was based on per record breached, isn't it? I think so. I'm not sure exactly how they calculated it, but yeah.
Speaker 3: When they calculated out what the potential fine could have been, was it a billion?
Speaker: It was in billions. It was in the billions.
Alisha Christian: Ouch. So getting back to the part of the fine that was the not notifying about the breach. Yeah, is that because they thought they would get away with it?
Speaker: I think it's just time. They started off assuming that data was not taken. So it was very, very slow going. I think they even sent out an email to the clients.
Speaker 3: They thought that the data wasn't stolen. They had a consultant who said it's unlikely data's been stolen. Yeah. And even after they had a few indications, and the ACSC, the Australian Cyber Security Centre, also said, we've heard on the dark web that your data has been stolen.
Speaker: And still, there were definitely indicators, and they should have done more. So quicker, more prompt in their investigation. And as soon as they knew that there was even a potential problem, they should have notified the Information Commissioner. Now, legally, you have, I think it's 30 days to notify the Information Commissioner. So if you're dragging your heels on that, then that's going to be a problem. And you know, we've got a thousand dollar problem in this case. Correct. And the thing is, we've advised customers as well. Obviously, always get your own legal advice. Often this runs through their insurance broker, who will then get legal and forensics and so forth involved. I literally dealt with a case last week. And it's very specific. If there's any hint that there is a potential problem, that is enough to go and notify. Absolutely. But again, speak to your lawyers; they will give you the proper legal advice of what you should and shouldn't do.
Alisha Christian: Well, I have a little note here, and I am going to read it. Justice Haley, it was clear that outsourcing or lacking internal expertise doesn't absolve directors. So this might open up a little bit of a wider conversation. How should boards balance reliance on external cyber expertise while maintaining director oversight? Is this something... Yeah? I feel like this is a Martin question.
The Fine Breakdown And Precedent
Speaker 3: I think a big part of director oversight is that they need to maintain sort of visibility over what's going on. And that requires them to be involved, and asking questions. I mean, the biggest part of a board is they need to ask questions of their management team, of their CEO, of their CIO. How are they availing themselves of the information of where they are? So they should be asking, what have we got in place to protect data? What have we done to try and mitigate an issue if something like this happens? It's the questions that they have to ask, and then they have to get the answers back from their management team.
Speaker: Absolutely. And just so we're clear, it was made clear again in the court findings, they cannot absolve themselves of those duties or just pass them out. So it's like, oh, we've got this IT company, or we have a managed security provider looking after that. You absolutely cannot do that. I've got a number of meetings lined up over the next couple of weeks and into next year, bookings to go and actually brief boards on what it is that they need to be across. And again, there's absolutely no excuse. It's not a case of hiring someone like ourselves to go do that. You don't need to do that, right? We're there to help, and it can certainly give you more insight into what that looks like. But the Australian Institute of Company Directors has a cybersecurity governance paper, right, that you can go and get. Boards can read through it. There's even a summary version of that that literally has boxes going, what should directors be asking in these five areas around cybersecurity? So you definitely need to do that. What we're also seeing is that boards are now looking and reaching out to get someone on the board that has more IT or cybersecurity expertise to give them some sort of guidance across that board. So lack of education around that is not going to cut it anymore. And it never has, to be fair. Ignorance has never been a defense. No.
Alisha Christian: So ignorance is not bliss. Helps you sleep better. But I think until it doesn't. Yeah.
Notify Early: Timelines And Pitfalls
Speaker 3: I think part of what companies need to start looking at, and I've been banging on about this for many, many years, is small data. For so many years we all talked about big data. Let's collect as much data as we can, hold on to it, save it. We didn't even know what we were going to do with it 10-15 years ago. We just wanted to collect it all because at some point you would be able to use analytics or data mining to find some golden piece of epiphany out of that information. But now we're at the other point. We need to go small data: keep only what you need and not keep old records, PII, you know, employee records, anything. It should all be gone.
Alisha Christian: I think we did actually a whole episode on that, didn't we? Data hygiene.
Speaker: We did, and I'm having a lot more conversations with businesses around where that data lives. Now, I would say if you are in health, a pathology lab, anything like that, your doctors and so forth, as well as professional services, so your legal and finance, tend to collect a lot of PII. Legally, they have to, unfortunately. They need to look at that as well. But that's a different story. But what you do need to look at is where that's kept and how it's kept. There's far too many organizations that just expect their clients to fill in a tax return, as an example, and email it back to them. You can't be doing that sort of thing. Same with lawyers, like, oh yeah, just take a photo of your driver's license and email it to me. No, absolutely not. That's not how it's done. And if you're a private individual or in an organization and you have a company asking that, you need to push back straight away. I've done that a couple of times this year, and I've had every single one of them actually turn around and adjust their systems. They've gone to their IT teams and worked out how to do that better. So instead of me sending in a tax return, they created a secure SharePoint page that I could upload that to. So there's always a way, but you need to ask the question.
Director Duties And Board Oversight
Alisha Christian: Well, I think I have mentioned before that I had a similar situation with enrolling one of my kids at school, and they asked us to email all the application, or the rates, everything, to say that you were in the area, and I was like, I had Chris on one shoulder, Mum on the other. So I hand delivered it. I just thought, well, that's crazy. It's not a small school. No. And I just thought, yeah, wow, that was a good idea.
Speaker: Same, and I'm having a lot of conversations, like I said, about where the data is, how it's collected, how long it's kept for, etc. And I'm pleased to report that I am having more of these conversations. And there's organizations that are dealing with kids, as an example, same sort of thing. So talking about their suppliers, if they're using software as a service to do whatever they're doing, same thing. Looking at the contracts, how they're keeping the data, how they're storing the data, how they're securing the data, because unfortunately, you are still responsible for your data. It doesn't matter where you put it, right? So I'm having those conversations. I'm having conversations around data loss prevention, as well as putting in systems whereby on your email, it just won't accept something that's a driver's license. It'd be like, it's a driver's license, I'm not accepting that email, right? So, kind of forcing the correct collection mechanisms. Also, data expiring. So we've got a couple of, again, it's around kids, this particular one. So minors, and after they, I think they have to keep it for five years. So we've set up policies. It's five years and one day, it goes into a review process and it's actually destroyed. So, yeah, I am glad that we're having more of those conversations now.
Alisha Christian: Do you think with businesses, companies that are still using the old email situation, is it just lack of information or lack of resources, or a combination?
Speaker: I want to say lazy, because it's easy to be able to do that.
Alisha Christian: "It's easy" is being diplomatic.
Speaker 3: No, no, it is easier. They've taken the path of least resistance, yeah. It's just easier to accept it, and there's probably still also a bit of a lack of understanding of the consequences of what that looks like, and perhaps they don't understand that email is not quite as secure as they think it is. Yeah. You know, the concept that all of those emails that sit in those email boxes, if there's an email compromise, every single part of every one of those emails is subject to someone going through it very quickly and getting all of that private information out. Absolutely. Yeah, they'll just export the whole mailbox sometimes and they can just go through it at leisure. But they can do searches on passwords, driver's licenses, all sorts of things.
Small Data, Better Collection Practices
Speaker: So they'll just use AI to run those searches and look for passport numbers, look for driver's licenses, Medicare. Another one. So as Martin said, a lot of the time cybersecurity goes into this kind of fear-mongering type situation, right? And they'll talk about the hackers getting you, and email's not secure because it's going through the internet. So obviously it can just be grabbed out, which is true, but the likelihood is low. What's more likely is your email account is broken into because you've used the same password everywhere. So then Canva has a breach and you've used the same password for your email on iCloud, and then they pop in there, and then there's all your email. So for a business, same sort of thing. They're sitting on O365 or Google, they haven't got MFA turned on, password gets breached somewhere onto the dark web. They just log in. People talk about it as "they can hack in", but I don't know if it's hacking if they just use your username and password and go in, right? So it's a lot less sexy than it sounds. It's literally, I get a username and password, I log in, I then just sync the mailbox. So I've pulled all your mail, all the files that were ever sent to you, straight onto my machine. Then I run searches and I pull out all the data. So if this is a lawyer that's got all the... it's just so much.
Alisha Christian: It's a lot.
Speaker 3: And even phishing. So phishing is still a big way of people getting those credentials. So we still see, every single day, staff members in organizations giving over their information in phishing emails. And we have talked about it before. Even with MFA, we're now getting to the point where we need phish-resistant MFA. Correct. Because even now, some of those MFA methods can still be breached as well. They can steal the session tokens as they're going through it. So it's becoming more complex. As we've said before, we've always got to stay one step ahead of the criminals, and they only have to get it right once; we have to get it right all the time.
Email Risks, MFA, And Phishing
Speaker: Absolutely. And then just on the fear-mongering side of things, right? Because I know this comes up and we do need to talk about it. So we're talking about this particular case. It's the first time a company's been fined, etc. We're not fear-mongering here. It's not like the Information Commissioner is gonna go after every business now and fine them at least a million dollars because they didn't secure 400 clients' details. That's not what we're saying. There's a risk there. Obviously, the Information Commissioner is gonna go after the larger companies first, right? Low-hanging fruit that are not doing the right thing and impact more people. So it makes sense, right? If there's a million people involved, whether it's Qantas or whoever it is, those are the companies that you want held accountable, make it better, sort your stuff out. For smaller organizations, this is not a case of run to the hills, etc. It's just not. The Information Commissioner is not going to come and hound you. But there is a risk statement here. So there is a risk if you don't look after the data properly. So it's more, just again, like Martin said, it's basic hygiene. How do I reduce the data that I've got? Don't I need it? Delete it properly, put MFA in, put the basics in. That is essentially what we are looking at. So this case highlights the risk, and it's just back to the directors doing their duties as they should.
Alisha Christian: Do you think that this case will give you more sort of evidence, speaking with boards, that this happened to ACL? It's a real-life situation.
Speaker: At least it's not theoretical, right? It has happened, and this is what can happen. So whether they face the same risk depends on the size and how much data they have, because it comes down to harm. How many people are gonna be in harm's way, etc. So everything is a risk conversation, because that determines how much money and time and effort you're gonna put against it. What we don't want to see is just "it'll be fine."
Speaker 3: It does highlight, though, that when a board is sitting there and they have their CISO or CIO or an external consultant coming in and saying, these are all the areas where you are at risk, and these are the things that we should be doing to reduce that risk, and that board does nothing with that information, that is a big risk for them, because they become personally liable then for actually ignoring that information. So if a breach does occur because of something that their CISO told them that they should be doing differently, that's not on the CISO anymore, that's on them. Yes. So they have actually chosen not to use that information in the way that it was presented and do something about it in their organization. So what we will see at some point is probably board members getting sanctions through the Australian Securities and Investments Commission. So we've seen a couple of those starting to come through. Very interesting cases where you can get fines individually for the directors for not doing their director responsibilities correctly. And that's where that starts coming in. So then you start to see a few different ways that your corporations and your companies are actually at risk.
Proportional Risk For Large Vs Small Firms
Speaker: Absolutely. So if you're in the financial services industries and so on, where the risk is a lot higher because you hold this personally identifiable information, definitely go check out those particular cases. There are two at the moment. There was RI Advice, so this is ASIC going after RI Advice. A fine was lodged against them, and this is around those particular duties for businesses as well as directors. And the other one is FIG. So you can go and look up those two. I think FIG is not closed yet; I think they're still deciding on the final fine, or somewhere around that. So those two cases are super interesting. Not anything to do with the Privacy Act, but around director responsibilities and company responsibilities for securing data and doing the right thing. But these all link together and they are quite interesting. It certainly pushes forward what directors should be thinking about. Like I said, I've named it before, but the governance paper from the AICD, the Australian Institute of Company Directors, that's a great one to look at. And also the ASD just launched last week their top questions for directors and things to think about around cybersecurity. And this sort of conversation wouldn't be complete without it, and again, it will come out from those court documents: if you are in any of those industries where your risk is higher, the Essential Eight that the government pushes and says that's what you should be doing, that is definitely a good one to look at. If you've got the Essential Eight, you are definitely doing the right things, because if you're meeting those specific Essential Eight requirements correctly, and not just saying you are, obviously, then you're going to have the right things in place.
For example, if ACL, or Medlab specifically, had had the Essential Eight, they would have been patching correctly, they would have had MFA on correctly, they wouldn't have been using out-of-date operating systems and so forth. So that definitely brings you up to a level that's seen to be reasonable.
Alisha Christian: Yes.
Speaker: So it matches what you should be doing.
Alisha Christian: Trying to do the right thing.
Speaker: Correct. Yeah.
Alisha Christian: Well, it's a lot to take in.
Speaker: Just a little bit.
Alisha Christian: Is there anything else either of you would like to add about the ACL case, or obviously breaches in general, or anything else that you think might be relevant to the listeners?
ASIC Cases: RI Advice And FIG
Speaker 3: I think the takeaway from this particular case was being able to report early. That's a really big takeaway that was highlighted a lot. I think one of the things that really went against them was that they just didn't report, because up to that point companies hadn't been fined for reporting anyway. So you weren't in a bad situation for reporting, no matter what. That was one of the things. Ignoring some of the indicators that were coming through was a bit of a telling point for me as well. Like, if the Australian Cyber Security Centre contacts you and says, hey, you might want to look at something, you might want to actually investigate that. That one I think was a bit of a sticking point for me as well. And also, just on that, they did put through legislation not that long ago where, if you engage the ACSC for assistance, so if you have got a breach and you engage them, they can't actually report the fact that they're helping you to the Office of the Information Commissioner.
Speaker: And they can't disclose any information either. So they can't share that information with any other department, right, to then bring a case against you or anything like that. And that's a really, really good point. And I do want to mention it, just this case I was dealing with last week, as an example. A great legal person, a lawyer, was on there, and she was speaking to this client and just said, just so we're clear, right? You're not in trouble here. You've done the right thing. We're going to report. A lot of businesses, individuals, owners and so on feel like they're going to get fined or be in trouble because they're reporting. It doesn't work that way, right? You should be doing the right thing and reporting if there's a potential problem. By reporting, you get support. You can get support from your IT department, from the ASD, and so on. There are a lot of people that can help. The Australian Signals Directorate or the Australian Cyber Security Centre will have resources. We get an email every now and again that will say, oh, we've found XYZ for a particular client, can you go and investigate? And then you investigate it, right? That's what you should be doing.
Frameworks: AICD, ASD, Essential Eight
Speaker 3: So yeah, I think that's kind of the point: reporting early, or engaging those sorts of departments early, is one of the key takeaways.
Speaker: Now, this is not a stick-your-head-in-the-sand kind of thing.
Alisha Christian: Yeah, that is to say, don't go into denial.
Speaker 3: No, and we do know that the criminals, one of their really clever ways of making people pay their ransoms when they have stolen data, is that they will report it to the Office of the Information Commissioner themselves. Yeah. So if you refuse to pay or you refuse to do anything about it, they will do the reporting, forcing your hand. So ignoring reporting is not the answer. It's about doing those things beforehand to try and prevent it or mitigate it or minimise the issue. But then when it does happen, own it. Yeah, and really start working towards it. Because I think even with Medlab, if they'd reported early, I think they would have been less likely to have as much thrown at them as they did. Yeah. I think that was one of the key areas where I feel that they kind of did themselves in, because it wouldn't have looked good.
Speaker: No. Yeah, going, okay, they were just kind of ignoring it, or not putting enough importance or impetus around it to actually get moving on it. I think the biggest takeaway for me that I took out of this was going back to setting that bar at the top, so the governance. It comes back to the directors to set their expectation and then move that through the organisation, and it does start at the top, because that's how it gets driven. So I think directors, boards and so on need to have a think about it and pull it together. It wouldn't be a bad idea to read up a little bit about this case to get an understanding of it. Go look at the AICD documents, get those questions and start asking questions. Yes. So that you get that stuff in place.
Alisha Christian: Well, we could pop a couple of those links into the show notes. Yeah, absolutely. Yeah, yeah. Let's make it easier. Well, thanks for coming along and sharing all that information about the case. It's actually very interesting. And yeah, I think it will be a time of change for boards, for sure.
Speaker: Yeah, definitely. Absolutely.
Alisha Christian: So we'll see you again soon. Thank you.
Unknown: Thanks.