TSP Talk Ep51. Crisis Planning Essentials: Scaling for Your Organisation
Pax8 TSP Talk, April 16, 2024. Episode 51, duration 00:45:27.

James Davis, the Director of the Pax8 Academy in Asia, hosts Allan Briggs from Crisis Shield to discuss the need for all organisations to proactively plan for a crisis, whether that be a cyber incident, an act of nature or an employee-created event, to reduce the negative impacts on our organisations. Allan talks us through the key components of crisis planning so that we can scale it to the right level for our organisation. Understand the proactive steps to break down your planning, and how critical clear communication is throughout the process to keep in control and produce a positive out of a major incident.

[00:00:00] Hello everyone, it's James Davis from the Pax8 Academy again this

[00:00:24] time I've got Allan from Crisis Shield. How are you going Allan?

[00:00:27] I'm great thanks James. Where in this wide world are you located?

[00:00:33] At the moment I'm in our head office in Melbourne in Australia.

[00:00:38] Perfect, well very appreciative of your time and it's going to be a bit of a different conversation to probably what our partners are used to having but I'm going to be talking about crisis management today and those sort of practices that you roll out with.

[00:00:53] You roll out with your clients and some of those frameworks that people can learn and scale down to the SMB businesses and their clients and I'm just really curious to kick things off and put you on the spot and ask you a question around crisis management.

[00:01:11] Is it best to be working out how to deal with a crisis when we're in the middle of one or is there a better way?

[00:01:20] James there is a better way. Something like poor planning ends up with a poor result so if you haven't prepared for a crisis and you have one it is extremely difficult to recover from that crisis.

[00:01:38] So put it this way, it will be a lot more pain and probably a lot more damage, whereas if you've got a team, you've prepared for it, and when it happens you will be so much better at responding to it.

[00:01:51] And I think probably a good analogy is that imagine if you've never done first aid training and you come across someone laying on the ground and you don't know what to do as opposed to you've done first aid training check for danger response, airways, breathing, circulation.

[00:02:06] So having awareness, the training and ideally having simulated a crisis event if you have the real event it's just so much easier to work through.

[00:02:19] And so what do you see in the middle of a crisis and people haven't prepared? What are sort of the real common mistakes that people make that potentially make things worse?

[00:02:31] Well look, starting from the basics, first of all you have to get notified about the crisis. So I mean some are very obvious, all of a sudden there's a fire in your building.

[00:02:41] Sure you'll get alerted to that, but it might be something that's happened where, for example, the auditor might have come through and said look, there's a lot of money that's gone missing out of the business.

[00:02:51] It might be a cyber incident where someone says look there's something a little bit unusual here, we detected something we're not quite sure but something doesn't seem quite right.

[00:03:01] It could be a staff member has been injured and taken to hospital and it's a serious injury but is that going to be recovered or is that going to turn into a fatality?

[00:03:11] And we quite often find a lot of companies who haven't done this preparation work, they don't know how to determine what is a decent crisis.

[00:03:20] And if I went around a room with 10 people and gave them different scenarios about what is and isn't a crisis, a lot would have different answers.

[00:03:28] So one of the key things to start with is having what we call a severity matrix, so it's an agreed position in the business of what's a crisis.

[00:03:38] And probably a good example, we do a lot of work in aged care and childcare.

[00:03:44] Now in a normal corporate office if someone's missing, most companies would say, some guy's missing for four hours, we wouldn't be worried.

[00:03:52] If they're gone missing for the day, we might put it at moderate that's a bit unusual and if they're gone missing for a couple of days then we might be into that sort of crisis zone.

[00:03:59] There's something wrong.

[00:04:01] In childcare and aged care, if someone's gone missing for 30 minutes, they're in crisis mode.

[00:04:06] They'll switch on full attention to find that child or that elderly person.

[00:04:11] So it depends on your business; knowing what is a crisis and what isn't is the first sort of challenge.

[00:04:18] So if you can identify and it's agreed within the business this is a crisis because of the nature of it, the amount of money, the damage, the loss on production or operations then yeah, okay, we're dealing with a crisis.

[00:04:34] The next thing is who's on your crisis team.

[00:04:36] Now it's interesting a lot of people go, well it's easy, it's just all the executive team.

[00:04:40] Well sometimes it isn't. Sometimes you need some specialists depending on your industry.

[00:04:44] Who's actually going to lead the team? Our advice is that you don't actually have the CEO; they should actually step aside.

[00:04:51] It should be usually a COO or sort of a senior operations person because the CEO should have sort of that helicopter view of what's happening.

[00:04:59] They might have to liaise with the board, regulators and investors, and the reality is the CEO might be the person that's been in the plane crash, or the one that has actually been kidnapped.

[00:05:10] It could also be the person who's caused the crisis too.

[00:05:13] So quite often CEOs aren't available so we always say step them aside and they can have that sort of helicopter view of the business.

[00:05:22] So just knowing who's on the team: someone to represent your HR, your people (we call it people and welfare), operations, communications, who's going to do that.

[00:05:32] So having a team set so the minute they're called upon the team will just fall into place immediately.

[00:05:38] That's important, and just on that, when you're called upon how does that happen?

[00:05:42] And I've worked with companies who in the middle of a crisis, they're on their phone trying to ring people and message them.

[00:05:49] You should have a system that can just immediately notify people, they can respond yes available, jump onto a team, Zoom meeting or other platform and you can start immediately to respond.

[00:06:01] So that's the next one.

[00:06:03] Then of course having plans so you know the sort of process and in crisis management it's interesting, it's different to your normal meeting.

[00:06:12] So some of the niceties go out of it, and I explain to clients it's actually in a paramilitary mode.

[00:06:19] So there's a fair bit of structure. We're not there to chat about the weather and how everyone's feeling.

[00:06:25] This is what's happened, what are the facts that have happened? What's the impact on the business? What are we going to do about it?

[00:06:31] So it's fairly clinical to be honest and you need that because you need to get to the point, do some actions and start responding to the incident or the crisis.

[00:06:43] So that's part of it, and the next thing is just who are your subject matter experts? Who do we have to call? Who are our stakeholders? Who do we have to notify?

[00:06:52] Now all these things, if you're trying to put that together in the midst of a crisis it's fairly challenging.

[00:06:58] If we've predetermined all those things it makes it so much easier. It's all in a sense at our fingertips.

[00:07:05] And of course the last thing is if you've simulated and you've done the training and you've gone through simulations, when the actual event happens you think,

[00:07:12] well I'm familiar with this. The real event will be a little bit more escalating, a little bit more pressure but let's have that experience.

[00:07:20] Alright, I'm going to get all these calls in from journalists and staff. We're going to have these inquiries. People will be upset.

[00:07:28] There'll be a lot of questions asked. They've had that sort of experience or exposure so it doesn't throw them off when the real event happens.

[00:07:36] So even when people call us, I'm quite up front, if you call me in the middle of a crisis we can help but it's still a bit limited as opposed to if you call us in beforehand and we start working and prepare you for the event

[00:07:50] rather than just waiting until the event happens and then throwing ourselves in and trying to recover.

[00:07:57] And when you've just outlined there that sort of structure to it that makes logical sense that we'd want to get that all preplanned, what do you often see for people that don't have that sort of structure preplanned?

[00:08:12] What happens to them during this sort of crisis moment? How does it affect them? How does it affect their decision making?

[00:08:20] Well as you can imagine if you have had no preparation and you're suddenly thrown into a crisis and imagine it's something quite serious.

[00:08:28] It might be death of a staff member, it might be serious allegations of assault or corruption, production could have stopped, it could be food contamination.

[00:08:39] You're under a lot of pressure. Crises don't happen that often and when they do happen it's a big impact on the business.

[00:08:46] So you can't do your normal job, most of us are fairly busy in our normal job. That has to step aside.

[00:08:51] We have to step into this role of responding to this incident.

[00:08:55] If we haven't got a clear plan of how we're going to work through it and document things which is very important.

[00:09:02] It's just a lot of load on you if you haven't had that training and that testing.

[00:09:08] And again I've watched people in this and it just adds so much more pressure to them when they're already in a pressured environment that they start making mistakes.

[00:09:18] The team can actually start imploding on itself, sort of finger pointing, not having that calm and respectful way of running it because all of a sudden they're thrown in as a team to respond to something that had no training.

[00:09:32] It's not a good mix and it leads to a fairly poor result.

[00:09:38] I've seen this practically from when I used to, I lived in Germany and worked on a caravan park and we had a flood.

[00:09:45] One of my colleagues, she's normally quite a reasonable person and quite switched on, got pressured and went knee deep into water to turn the electricity back on because she was just so under pressure.

[00:09:58] So that's a prime practical example of what you're talking about.

[00:10:05] And so that sort of stress and pressure is starting to make a lot of sense of the chaos that we're in.

[00:10:14] What happens to communications when we're in that chaotic situation internally and externally?

[00:10:22] Yeah, it's a good question, James. So one of the things that happens, it's interesting, if you look historically through all major crises in history, one of the biggest criticisms in each one is the communication.

[00:10:36] Now, I also put out there that I doubt anyone will ever get 100% because people are always critical. We weren't told in time. We weren't told enough information.

[00:10:46] Sometimes people do communicate exceptionally well during a crisis. Those ones that rehearsed it and trained it know their stakeholders, know the channels.

[00:10:54] Some do a really terrific job. They're still criticised. So I just put that out there.

[00:11:01] But the important thing around communications is that quite often there's sort of different schools of thought.

[00:11:09] Quite often the company will say nothing. They just don't say anything, shut the door, don't answer the phone, bunker in and sometimes that is a good approach.

[00:11:18] Because sometimes this thing will pass and everyone's forgotten about it.

[00:11:23] And again, that's a case by case analysis. Most times however, people want some communication and they want it very quickly.

[00:11:32] They want to know you've acknowledged the event, you're responding to it and you're keeping people updated with what's happening.

[00:11:40] So that majority of cases, that is the best approach to have.

[00:11:44] Now when you're communicating, again if there are lawyers listening to this one, they will concur with me that you've got to be careful what you say.

[00:11:52] Because early on in a crisis, you don't know all the information.

[00:11:56] And if you start saying things like look we're sorry it was our fault or something else went wrong and start making those statements.

[00:12:05] Later on it might be found out that actually it wasn't your fault or something beyond your control but you've opened yourself up to a lot of liability.

[00:12:14] So it's important, again, by rehearsing: so if we had a cyber incident, if we had a death of an employee, if we had a product failure,

[00:12:23] We've already templated up a release, a media statement which has been signed off by the comms team, the legal, the head of the organization.

[00:12:32] And then we can comfortably put that out as an early response to the incident.

[00:12:38] As things unfold over the next few hours, days you can then say look we can give a little bit more information because we've got a little bit better handle on what's happened.

[00:12:47] So communication is always paramount.

[00:12:50] People now, you're fairly exposed: social media, employees, unions, yep, just regulatory, sometimes you've got to notify.

[00:13:00] So it's going to be out there.

[00:13:02] So you want to be, you know, sort of directing that message, not just sitting back trying to defend it.

[00:13:09] Yeah I wouldn't want to be in the middle of the crisis trying to work that out while trying to work out and solve what we need to solve.

[00:13:18] And I know you're very experienced in this area, and if we bring it to sort of the technology space you mentioned,

[00:13:24] cyber security incidents are probably a prime example of what we face more frequently I guess.

[00:13:33] What are some examples that you've seen of people, and organisations, that have handled these sorts of crises poorly compared to the ones that have done it well?

[00:13:45] What sort of the contrast look like?

[00:13:48] Yeah look good.

[00:13:50] So look, in this, it's fascinating. In this industry we are getting a lot of work at the moment, a lot of inquiries around cyber incidents because that's really front of mind and for good reason.

[00:14:01] I think any business that's not preparing for the cyber attack is a foolish business because it's not a matter of when that will occur.

[00:14:11] Now for all your cyber security and everything, all the good measures you've put in which is very important, it can still go wrong.

[00:14:19] And a lot of people are lulled into this false security and I meet with these companies, they say we have put all this effort into our IT, we've spent a lot of money, we've got a CISO, we've got a CIO, we're in a really good position in IT.

[00:14:34] And I go, terrific! And so you should be, that's great to know.

[00:14:37] However running parallel to that IT component needs to be the executive or what I call the strategic response.

[00:14:46] Now I'll give you a couple of examples, hopefully this will really drive the point home.

[00:14:52] If we all look back at Optus, and I picked that out because it's a good case study, when Optus had their major cyber incident, the CEO went out and she said, we are not the villains, we're not the villains here.

[00:15:07] Now technically she was correct, they weren't the villains, they absolutely would not want her to have a cyber incident.

[00:15:14] However all the Optus customers, they saw them as the villains.

[00:15:18] You've lost my data, you didn't have enough security on cyber security.

[00:15:23] So while technically the executive was saying the right thing, the perception and the basic, if you like the key stakeholders, their clients, their policy holders or phone plan holders were very upset.

[00:15:41] So again their strategic response was very poor then.

[00:15:45] Now another thing they did, they put their head of communications up to do a radio interview with 2GB and I actually felt sorry for the head of comms.

[00:15:53] She was exhausted, I think probably worked three or four days straight, no sleep and she basically had a breakdown on national radio.

[00:16:00] So during a crisis you want some very solid, calm people with good information, not breaking down, because that certainly gives even less confidence in that organisation.

[00:16:12] So that's one example where it was poorly managed, and the next one, just on Optus, when they had their major outage earlier this year.

[00:16:20] And again these things happen, so people are found to be not so critical when something goes wrong; they're critical about the way you manage it.

[00:16:28] So they had their major outage, could happen to Telstra, could happen to Vodafone or other networks.

[00:16:33] So I think we all accept that but what happened in the wash up is the executive, again this strategic decision, the executive said, look we'll give all our customers, I think it was 200GB of free data.

[00:16:47] Now 20 years ago that would have been a pretty good offer.

[00:16:50] Today most of us don't use our data, so it was a bit of an insult and again that was then they made the situation even worse by a really poor offering.

[00:17:01] And I always say had I been on that team as an independent, obviously why don't we give everyone 5% off their bill for the next two years.

[00:17:09] And two things out of that: people will go, well that's going to cost you a bit of money. Good, you need to experience a bit of pain because you upset me with that outage.

[00:17:16] And secondly those customers will stay with you for the next two years, and basically you have two years to get your goodwill bank up and running again so people would renew their contracts.

[00:17:25] So there's a good example of strategic response.

[00:17:28] Another point, sorry, just on that, so I overlay that: Optus had their cyber attack and only a short time later, remember, Medibank had a major attack.

[00:17:38] Now in all honesty I think Medibank handled it far better than Optus, and I don't necessarily think it was because Medibank was better prepared initially.

[00:17:49] I think they watched Optus and thought, I can see what we should not be doing, and they learned very quickly that Optus said some pretty bad things and it didn't work for them.

[00:18:00] So Medibank did a far better response because they didn't make the mistakes that Optus had.

[00:18:08] The other example I want to give you, and I think this will resonate for a lot of people who listen, there was a company called Pareto Phone.

[00:18:17] They sat in Brisbane and they were fundamentally a call centre who would make calls on behalf of not-for-profits, around 70 customers, and some of their customers were clients of ours.

[00:18:30] So they would then take the database from that not-for-profit, phone numbers, emails, and they would reach out to those people on behalf of the not-for-profit seeking donations.

[00:18:42] So it's a good business model. I believe they had around 200 staff and around 70 not-for-profits on their books.

[00:18:48] They had a cyber incident. It happened, it's not good but it happened.

[00:18:51] It was around, I think, April or May last year, and they did all the right things as far as notifying the regulators, did all their compliance notification.

[00:19:02] They just missed one big stakeholder, their customers.

[00:19:05] So they failed to tell a lot of their customers about the breach in sufficient time and of course over time the customers found out.

[00:19:14] That then caused the customers to be quite concerned because they said we accept you might have had a data breach.

[00:19:22] We don't accept that you didn't tell us in sufficient time.

[00:19:26] So Pareto Phone, I think it was October that they closed. They're no longer a business.

[00:19:32] So you've gone from a, you know, from what I understand a very profitable, well run business, good, good operational business, 200 staff and here you are six months later and your business is closed.

[00:19:45] And it wasn't because of the incident itself. It was because of the strategic response.

[00:19:50] And I think for me that just really highlights the value in you're trying to shore up your building for a cyber incident. Absolutely.

[00:19:58] But you need to shore up, more importantly, your team to respond to it, because the cyber incident within reason will be tolerated.

[00:20:09] The response to it might be something around well.

[00:20:13] I think that's a very important perspective that not a lot of people are talking about especially in our part, our industry.

[00:20:22] It's always focused on the tech side.

[00:20:24] You know, we put enough technical controls in place. We have we have our backups we can recover it's all good.

[00:20:31] But that's a real example of the wider implications of these sorts of incidents, crises, where we're not able to have the conversations with our clients and help them understand this.

[00:20:46] We don't necessarily need to solve those sorts of communication challenges that our clients have, but us highlighting that to them can provide a lot of value.

[00:20:59] Yeah. And look, I want to put this out there that I'm not an IT expert, but you know, we try and read and we watch, and from talking to people like yourself and in the industry.

[00:21:09] The way AI is traveling at the moment and the other thing is this deep fake.

[00:21:16] So there was a Japanese company where the criminals actually created a fake replication of the senior partner of the business using deep fakes.

[00:21:32] Sorry. And one of the staff got a message that said, look, you've got to transfer some money, some urgent payment.

[00:21:36] The staff member was good. Said, look, I think this is fake, I don't trust it. Then got on to a Teams meeting, and the people in that Teams meeting were actually AI generated and weren't real.

[00:21:46] And the AI had actually listened to these people's voice, language, behaviours, and then this person was on the call and believed they were talking to real people and made the transfer.

[00:21:59] I think it was something around 40 million dollars was transferred out.

[00:22:03] So what I'm trying to say this is that with all respect to the industry, even with the most secure encrypted well trained organization, things go wrong.

[00:22:14] Another example I've seen where a company got hacked because they went through all the business and said the people that had a sort of link into the crown jewels or the vault all had to have multi-factor authentication.

[00:22:27] All signed the documentation: yes, we've done the training, we've done that. But one of the people in the company didn't do it, and that's where the hackers got in.

[00:22:36] So there were a few things out of that one: they got in, stole the money and so forth, and the data.

[00:22:41] The other one is that the insurance wouldn't cover it, because when you submitted your insurance policy, everyone has done two-factor authentication, yes, we're fully secured.

[00:22:50] Well actually you weren't.

[00:22:52] So these are some of the challenges we're getting, and you know we've always got to be working on the IT posture and that's great, but always work on the premise:

[00:23:01] If we get done or we get hit, we need to have a good strategic response ready to go.

[00:23:07] And again I keep saying, the public, what we've found, will tolerate an error even if it's your fault; they will not tolerate it if you don't manage it well.

[00:23:16] It's human nature isn't it?

[00:23:19] Absolutely yeah. I always say you think about it we've all done things that we probably regret back in our life and yeah but most people will turn around and go yeah well you did make a mistake there but yeah you acted responsibly and yeah you recovered from it and yeah we're still with you, still backing you and support you so.

[00:23:44] It's as you're talking about that sort of approach to the technology, aside from the cybersecurity side, it's sort of tweaking my thoughts from my experience as well. Often from us as technology people we're brought in for other types of crisis, often like the insider threat of someone's

[00:24:03] gone and done something that they really shouldn't have like you mentioned like corruption and embezzlement those sort of harassment cases the things around them trying to take business from that business and start their own all of those kinds of things but to me those are examples of those sort of

[00:24:22] Yeah absolutely, I mean our approach is called all hazards. So it's interesting, people will come to us and say look, I really want to try and, so we've got a cyber, you know, response team, you know, so that's great, but the strategic side is the same

[00:24:39] response team if there was a death or there was a fire or corruption, so we even have what we call a cyber playbook, so that team will come together no matter what the incident is if it meets the criteria, and sometimes for HR you've got an HR playbook about what you do

[00:24:56] for safety, for example a death. If there's a cyber reason we now have what's called a cyber playbook, and it's a guide for that team: who the regulators are, what sort of time frames, you know, what sort of questions you should be asking the IT team.

[00:25:11] Again it's quite interesting, I've been in crisis rooms or board rooms and, with no disrespect, the CIO or CISO will come in and talk about what's happened and then there's a look around going, well, that is like another language because we don't understand

[00:25:27] or so. It's really just, you know, deciphering that and going, well what does that mean in real terms? You know, what data has been compromised, what have we been locked out of, you know, what's operating and so forth. So it helps that team to make an assessment so they can understand, you know, the implications on the business.

[00:25:45] From your professional perspective, you know, we'll stick to the cyber incidents for the moment because that most applies to our interactions with clients: are the technology partners the right people to be managing it from a crisis perspective, in your opinion?

[00:26:05] Look, from my experience, no. I mean I haven't seen all of them, but from our experience we've dealt with some pretty major ones and some very small MSPs. Generally no; I mean it's a bit like saying we're Crisis Shield coming in to do the IT. Absolutely not, we'd make a real mess of it.

[00:26:23] So what those companies should be doing is partnering with someone who can then work with the client and say you know particularly a client going so look we've got your IT covered have you got a good crisis team ready to go and drilled and prepared

[00:26:40] and some companies will go good that's good you got that all prepared if you haven't you should go and do it because we are actually finding some of the MSPs we partner with they are coming to us saying look we have had clients come in and ask us can you start writing media releases

[00:26:56] and you know doing that strategic response they're going whoa it's not our area of expertise so you need a partner who either company does has done it internally or they partner with someone who can do it for them

[00:27:09] Hopefully people listening can take a big sigh of relief that it's not our burden to carry, but we should be being proactive and highlighting that this is a thing and recommending partners and that sort of stuff to help our clients. That's our value.

[00:27:27] Yeah, it's not only a value add, it's a necessity. I mean as I said, people will be tolerant of your cyber incident within reason; they won't be tolerant if you don't manage it well.

[00:27:40] So yeah being on the front foot and I'll give you another example always when we go into a client and we're talking about cyber I say what sort of data do you hold

[00:27:50] If you've only got a person's phone number and email address we call that very low sensitivity. So if you've been compromised and you rang me up and said look Allan, we've had a cyber incident, you know, the hackers have got your phone number and email,

[00:28:04] I go, well great, it's on the web anyhow. If they ring up and say Allan, they've got your bank account details, your passport, your driver's licence, you need to get a card, I'll be freaking out, because that is very sensitive data, they can do a lot of damage.

[00:28:18] Now under regulatory obligations you've got some time to report that but if you're a company who's holding very sensitive data I would expect to be told that day the sooner the better so again if you're holding that data and you haven't got a plan

[00:28:34] Prepared to know who your stakeholders are and be able to communicate with them, you know, within a few hours, you're in danger. This is where people are, the expectation is up there. Now again you've got the regulatory side of it.

[00:28:48] It gives you quite a bit of time, but the practical, realistic side is people want to know straight away.

[00:28:56] It's fair and reasonable isn't it that's the approach that you've been talking about that human centred approach to the crisis management

[00:29:06] And just to unpack that a little bit more, another thing we find, we've worked with companies and they said, so yeah, look, we actually hold passports and driver's licences, bank accounts, and I said why?

[00:29:18] And they go, oh that's just what we do, you know, for ID validation, and I said well, you're holding very sensitive data, you're very exposed. If you don't need to hold that data, get rid of it.

[00:29:29] I was with a major utility company recently and they said we're cleansing, because we had all these account details, credit card numbers from clients from years ago, people no longer using our service, they're cleansing.

[00:29:41] Because they knew that's a huge liability, a huge danger of holding that data. So it's good for companies to have that sort of, going through the simulation, and they're looking and go, wow, we're actually holding a lot of sensitive data that we don't need to.

[00:29:56] And then again looking at their processes, going, say for example, I started a new account, must have done the ID checks, they can get rid of it.

[00:30:05] They've established who the person is, we don't need to hold that data anymore, we discard it. It lowers our exposure if we do get a cyber attack.

[00:30:13] And one other thing I just want to touch on is that when we do the simulation, it's interesting that people go, oh yeah, look, we've got insurance cover.

[00:30:22] So we had one recently: so bring in the insurance company, tell them you're doing an exercise, tell them what's happened.

[00:30:28] So they come set up so they rang the insurer and I said we're running a simulation this is what's happened there's a ransom demand

[00:30:35] Locked out of the account so forth and insurer said our first thing do not talk to the media and we had a simulated media crew at the front door of the company

[00:30:44] And they're demanding to have an interview and the other thing is they said we're going to send three experts to help you

[00:30:50] And anyhow the head of legal hung up and they looked at me and told me that and I said well ring up the insurance company say who they sending and how long they'll be

[00:30:59] So I rang back insurance company said oh we can't tell you we don't know I couldn't answer that question

[00:31:06] So doing the simulation actually fleshes out what's actually on that insurance policy what does it mean are we covered for a ransomware

[00:31:16] Can we talk to the media who's going to come how long will I get there will I be from overseas another simulation we ran where they emailed the insurer

[00:31:25] And they got an email back saying someone will respond to you within 24 hours not what you want to hear when you're in the figure of it

[00:31:35] So again these simulations are good just to flesh out you know another one is would you pay the ransom

[00:31:41] Now the federal government in Australia is recommending you don't pay the ransom and for good reason so I'm supportive of that theory

[00:31:49] The catch with that is it's all good and well if you're under government agency because you think well it's the government

[00:31:56] If I'm running my business and I've been locked out of my account and the ransom for example might be five million dollars

[00:32:02] And I think if I don't get that data back this could impact my business by tens of millions of dollars I seriously consider paying it

[00:32:10] And there are different levels of threat actors who will some actually sounds bad but they're actually quite legitimate hackers in the sense that they will actually release the data back

[00:32:23] So again it's not always a simple answer so I just don't pay the ransom or you could have a scenario where some very sensitive data has been held

[00:32:31] And there's a few funny stories if you do some research of data that's been held and the ransom's been put forward

[00:32:40] And some people said look I just don't want that out in the public domain and they've paid it

[00:32:44] So again doing a simulation just having a position on that will we pay, will we not pay, what's the threshold, how we again insurance companies can sometimes look like they do have the capability of looking at going

[00:32:58] That hacker is we don't know who it is I wouldn't trust them all this one yep we're aware of them and yeah if you pay generally they'll give you back the keys

[00:33:08] So again this is, you don't want to be trying this out during the middle of a cyber incident

[00:33:15] You want to walk through all this headless conversations fleshed out what insurance policy covers what your board position is on this

[00:33:23] What the executive position is on it so if it happens you know remember we walked through this we've had this agreed position and we can go from there

[00:33:33] And what I... that all makes 100% sense to me, and we always talk about business continuity and disaster recovery and doing that sort of simulation so we know that we can recover the data.

[00:33:47] We know the time to recovery and all of that kind of stuff. It's the same principle in a different way.

[00:33:53] Yep.

[00:33:54] But I can just hear people going, well, I'm a small business, this crisis management stuff sounds like it's for enterprise and big governments. Is that the case?

[00:34:04] Look, unfortunately, it's very wrong. You know, it's, look, you're right, I mean there's an expectation of being enterprise would have this, no, you're sure...

[00:34:14] You know, you're an enterprise, that's a big business and big companies, and you're not like a big company.

[00:34:23] So that's a good example.

[00:34:25] Now, when you get to a small operator, might be a one, two, one million, ten million turnover, and I think, look, I can't afford to have a company like, say, like us come in and spend that,

[00:34:36] and you're right, it is a lot.

[00:34:37] What you need to do is then go and start looking more.

[00:34:39] I need to have some sort of crisis model

[00:34:42] and we do offer that in an online version

[00:34:44] but you need to have something in place.

[00:34:46] So again, putting together,

[00:34:49] we call it just an actual plan, the light plan, a team

[00:34:53] and then you're ready to respond.

[00:34:54] And there's a couple of things that will happen at this.

[00:34:56] One is if you're a small firm and that happens

[00:34:59] in that initial phase, you may be able to manage

[00:35:01] if you've prepared for it

[00:35:02] and you might be able to take the heat out

[00:35:04] of Perlgar Look Get, we're well communicated.

[00:35:07] Are you on top of it?

[00:35:08] You're a small business, you're not sort of in the spotlight

[00:35:12] of the media and others or regulators.

[00:35:14] So you can manage that way.

[00:35:17] If it escalates up and becomes a huge event

[00:35:21] then you call someone like the likes of ourselves

[00:35:23] come and help you assist in it.

[00:35:25] So every business no matter what size

[00:35:27] should have their basic crisis plan.

[00:35:31] So who's on it?

[00:35:32] Who's gonna fulfill what roles?

[00:35:34] How are we gonna log it?

[00:35:34] How will we meet? Some prepared response drills

[00:35:38] that we've run through?

[00:35:39] And again, not just for cyber,

[00:35:41] but if we had the death of an employee.

[00:35:43] For example, if you're a trucking firm or a transport firm

[00:35:47] well, one of our trucks goes through.

[00:35:49] I mean, maybe we have that horrific accident

[00:35:51] on the freeway in Melbourne

[00:35:53] and four police got killed.

[00:35:55] And the driver was, I think he was on drugs at the time.

[00:35:58] So imagine that business, this suddenly escalates up

[00:36:03] and not only has it just killed four police officers,

[00:36:05] he was under the influence of drugs and so forth.

[00:36:08] So no matter what you should think

[00:36:10] what's on our risk register?

[00:36:12] What do the insurers charge the most for?

[00:36:15] They see the risk in our business.

[00:36:16] There's always the two things I look at.

[00:36:19] You go, all right, well, there are the ones

[00:36:20] we should be most prepared for.

[00:36:22] Other things can happen

[00:36:23] but how we prepare for these things

[00:36:25] that have been identified.

[00:36:26] If it did happen, how we got the team together

[00:36:29] how we communicate, how we record it

[00:36:32] and we've rehearsed it.

[00:36:33] So if it does happen, we are absolutely ready to go.

[00:36:36] So small businesses, you can't just walk by

[00:36:39] and say look, we're small, we're exempt

[00:36:41] it doesn't work like that.

[00:36:42] Well, well there's some good practical insights

[00:36:47] to bring it down into reality.

[00:36:49] And I think what I hear from a lot of that

[00:36:53] is it's mainly the human element

[00:36:56] especially in the small business.

[00:36:57] It's all our reputation, all our relationships

[00:37:01] this stuff happens, it impacts our employees,

[00:37:03] it impacts the employees of our clients that we work with.

[00:37:07] It's a bit probably, there's faces to it

[00:37:10] compared to the big Optus breaches

[00:37:12] and stuff that are just a faceless big event.

[00:37:15] This is actually, this is very personal.

[00:37:18] So take that responsibility on, take some steps

[00:37:22] and like you said doesn't have to be too overly

[00:37:24] complicated because we're usually dealing

[00:37:27] with smaller crises generally.

[00:37:30] Well, it could be a big crisis for you

[00:37:32] but if you're, you imagine you're a small firm

[00:37:37] and yet you might be a B2B

[00:37:39] and the people you're dealing business with

[00:37:40] you've got a good relationship with them

[00:37:41] and for example, we had a major cyber incident

[00:37:43] for you it's major.

[00:37:45] You've locked out your account, you may have a ransom.

[00:37:47] Now, if I'm trading with you doing business

[00:37:51] with a new contact and say look, this is what's happened

[00:37:53] we've got our IT working on it.

[00:37:56] Don't accept anything from us as far as payments

[00:37:58] or anything concerned.

[00:37:59] We think everything's been compromised.

[00:38:02] We'll come back to you in 24 hours with an update.

[00:38:05] If you've got any questions, here's like a hotline

[00:38:07] or here, ring me, the CEO, or a CO, ring me on this number.

[00:38:12] I'd be very comfortable with that.

[00:38:15] Now, that all sounds very simplistic

[00:38:16] but to do that and work across all the different

[00:38:20] things from regulators, insurance companies,

[00:38:24] communications, internal stuff

[00:38:27] external stakeholders.

[00:38:29] That's where you need that team formed and ready to go.

[00:38:31] So if it happens, you go, all right, bring the team in.

[00:38:34] This has happened with walkthroughs before.

[00:38:36] Bang, let's do our, we call the action plan.

[00:38:39] We know who's going to do what jobs

[00:38:41] then regroup in a few hours.

[00:38:42] We'll all go off and do our tasks

[00:38:44] and we'll reassess it then.

[00:38:46] Good high chance you'll get through okay.

[00:38:51] We could keep diving deeper and more deeply in this.

[00:38:54] You live and breathe this type of stuff

[00:38:56] and I find it extremely fascinating.

[00:38:59] We've covered a lot of things today.

[00:39:02] What do you really want people to take away

[00:39:04] from this session?

[00:39:06] And what's the practical next steps

[00:39:08] if they don't have a crisis management plan?

[00:39:11] What should they do?

[00:39:13] Well, I think the first thing to look at

[00:39:15] is look at your, now, you should be fully aware

[00:39:17] of your risk register and the insurance.

[00:39:19] So in your business, what does the insurer

[00:39:22] and what is your, should have a risk register

[00:39:24] and saying what's the risk in your business

[00:39:25] is that, you know, your food delivery,

[00:39:28] is it your staff?

[00:39:31] Is it the region you're working?

[00:39:33] So look at that and go, all right.

[00:39:34] So just say something went wrong.

[00:39:37] So let's say, for example, manufacturing cupcakes.

[00:39:41] And for some reason, a whole batch goes out

[00:39:43] and there's something wrong

[00:39:44] and people got sick, some of them even died.

[00:39:47] What will we do?

[00:39:48] Yeah, so we've got finzans,

[00:39:50] we've got regulatory, we've got put notice,

[00:39:53] we've got to notify the regulators,

[00:39:55] we'd have to put advertising in newspapers,

[00:39:58] we have to notify our distributors.

[00:40:02] So if you could then think,

[00:40:04] how would I get the team together?

[00:40:06] Who would be on the team?

[00:40:07] How to manage that?

[00:40:08] If you've got that all well packed and rehearsed, great.

[00:40:11] And I always say, a simulation is the best thing

[00:40:13] because that really starts to flesh out

[00:40:15] just how ready we are.

[00:40:17] And if you haven't, give us a call

[00:40:19] or give someone who works in this space a call

[00:40:22] because you need to have a basic plan at the minimum.

[00:40:26] And the other thing I keep going back to this too

[00:40:28] is it's interesting, our industry's not regulated.

[00:40:31] There's no regulatory requirement

[00:40:35] to have a crisis plan.

[00:40:36] There is a requirement for an emergency plan,

[00:40:40] AS 3745, plan for emergencies in facilities.

[00:40:44] And sometimes there's a regulatory requirement

[00:40:46] around business continuity.

[00:40:48] So a lot of people go, well,

[00:40:49] there's no regulatory requirements, so I won't do it.

[00:40:52] However, if you haven't done that

[00:40:55] and you're starting to do B2B

[00:40:57] and insurer's looking at that,

[00:40:59] if you can't demonstrate

[00:41:00] you've taken good steps to be prepared,

[00:41:04] they won't be favorable on you

[00:41:05] because they know there's operators out there

[00:41:08] who can provide these plans and training

[00:41:11] and you haven't done anything in this space.

[00:41:13] Not only just the real implication

[00:41:15] of not being able to manage it

[00:41:16] but when it comes to applying for insurance

[00:41:19] and there's an investigation,

[00:41:21] people go, well, you actually had no preparation whatsoever.

[00:41:25] And it doesn't look favorable for you.

[00:41:29] So yeah, I'll start this underlying thing out of this.

[00:41:33] Yeah, go and do a simulation.

[00:41:36] Do it internally.

[00:41:37] Get someone to just call in,

[00:41:40] maybe go home and talk to your partner and say,

[00:41:42] all right, you're the CEO.

[00:41:44] I want you to ring the office tomorrow and say,

[00:41:46] pretend you're a hacker

[00:41:48] or ring and say that you've eaten some of our products

[00:41:51] and you've got sick,

[00:41:52] you've been harassed in the office,

[00:41:54] you're going to fair work

[00:41:56] or you're making a civil claim

[00:41:57] and just see what the business would do

[00:41:59] and walk through by it.

[00:42:00] How will we notify each other?

[00:42:02] How would know if that was a crisis?

[00:42:03] Who would come in on the team?

[00:42:04] How will we document all this?

[00:42:07] And if you can flow through that comfort, great.

[00:42:11] If you find you're struggling,

[00:42:13] well, you can multiply that by 100 in a real event.

[00:42:17] I love that.

[00:42:18] And I think what I've taken away from this episode

[00:42:23] and all the lessons that you've been sharing with us, Alan,

[00:42:26] is as technology partners,

[00:42:30] the best thing we can do is shine a light on this

[00:42:33] and elevate it up

[00:42:34] and have that partner ecosystem

[00:42:36] for someone else to come and fill it in

[00:42:37] for our clients

[00:42:38] and get someone external to help us

[00:42:41] with our own stuff as well

[00:42:43] because if we want to be treated like a tradie still,

[00:42:49] if you act like that

[00:42:51] and you won't have these sort of conversations,

[00:42:53] you won't be at that sort of board level,

[00:42:54] you won't be at the strategy level.

[00:42:56] But if you start to bring extra added value like this

[00:42:59] to help your clients in a more broader way

[00:43:02] even just by sharing a contact to get them help,

[00:43:08] that's what elevates you up the decision tree,

[00:43:12] the value chain, whatever you want to term it.

[00:43:15] So I see these as sort of fantastic ways to help us,

[00:43:22] help our clients.

[00:43:22] So this has been awesome, Alan.

[00:43:25] I really appreciate your time.

[00:43:27] Yeah, just one last thing on that is the,

[00:43:30] you say you've got a client, your MSP,

[00:43:32] you're providing a client and they've had a cyber incident.

[00:43:35] You've gone in support

[00:43:36] and you've done a terrific job

[00:43:39] but they've done a lousy job on the strategic side

[00:43:43] and the net result is the thing was a disaster.

[00:43:46] They've lost clients,

[00:43:48] they've had a huge hit on their reputation.

[00:43:51] So it's gonna actually, Glenn, shine back on you,

[00:43:55] you go, well gee, we did everything textbook.

[00:43:57] We recovered the system very quickly and like

[00:44:01] but the net result for that business

[00:44:02] was there was a shit outcome

[00:44:04] because everyone thought we handled it poorly,

[00:44:06] we didn't notify people.

[00:44:08] Yeah, so it's really complementary,

[00:44:11] because if and on the other hand too,

[00:44:14] if the IT recovery side didn't work so well

[00:44:18] but it was very well communicated,

[00:44:20] okay, well, IT side still wasn't great

[00:44:23] but you know what?

[00:44:24] You guys are so good at communicating,

[00:44:26] keeping us up to date and that, yeah, great.

[00:44:29] I'll stay in with you

[00:44:31] and it could still end up being a reasonably good result.

[00:44:35] Either one, you're gonna win with a good strategic.

[00:44:39] So that's a really good point to wrap up on.

[00:44:44] You've given us some amazing insights

[00:44:46] and a different perspective to this

[00:44:48] and I hope the listeners and viewers take this

[00:44:51] and action something out of it

[00:44:54] because the ones that do are gonna flourish,

[00:44:55] the ones that don't are gonna struggle.

[00:44:58] So thank you so much, Alan, for joining me

[00:45:01] and I appreciate your time.

[00:45:02] Great, thanks, James.

[00:45:03] I really appreciate the opportunity

[00:45:04] and yeah, I hope that has been

[00:45:06] of value for people today.

[00:45:07] Thank you.