Navigating the ripple effects: Lessons from a year of third-party breaches

Wednesday
 
27
 
November
2:20 pm
 - 
3:00 pm
Topic
Crisis Management / Incident Readiness / Planning Recovery / Forensics
Agenda
Sign in to add this session to your agenda
Add to My AgendaAdded to My Agenda
Location
Room 213
Theme
Leadership & Governance in Cyber Security

Speakers

Kathy Nguyen
Kathy Nguyen

Kathy Nguyen

Kathy Nguyen

Manager
McGrathNicol
Jesse Pearce
Jesse Pearce

Jesse Pearce

Jesse Pearce

Senior Manager
McGrathNicol

Synopsis

In recent times, incidents like the Outabox breach, which impacted clubs and licensed venues across NSW and the ACT, have highlighted the vulnerabilities organisations face through third-party partnerships. In this presentation, we will discuss the challenges organisations face when their third-party partners are compromised. Drawing on a year of notable third-party breaches, this talk will not only cover technical controls but will also explore often overlooked aspects of third-party supply chain risks. The session will start with a broad overview of the challenges in managing third-party breaches, followed by specific technical, legal, communication strategies (lessons learned) to prepare for and respond to these challenges.

1. Understanding the Challenges in Third-Party Breach Management:

  • Overview of the complexities and potential security vulnerabilities introduced by third-party relationships. Most common challenges arise when third parties lack transparency or are uncooperative in disclosing breach details.
  • Examples of recent incidents such as the Outabox incident.

2. Technical Safeguards and Controls:

  • Emphasis on the implementation of stringent access controls, network segmentation, and regular security audits and penetration tests of third-party products.

3. Emerging Threats: Ransomware and Customer Extortion:

  • Exploration of the increasing trend of threat actors targeting customers of breached third parties for ransom, including case studies and strategies to handle such threats.

4. Crisis Communication, Media Control, and Public Relations:

  • How to ensure stakeholders (internal, regulator, customer) are informed and reassured through correct channels during a crisis to maintain trust.
  • Approaches to controlling insider information leaks and managing media relations to Insights into managing information sharing risk when liaising with third parties.
  • Do you have a plan to “turn off the tap” for breached third parties?

5. Financial Implications and Cost Recovery:

  • Analysis of the financial implications following a third-party breach, including costs from system isolation, data recovery, and customer compensations.
  • Insights into negotiating with cybercriminals, the role of cybersecurity insurance in mitigating losses from third party breaches.

6. Data Governance and Redundancy:

  • Highlight the need for redundancy strategies and maintaining visibility of data shared with third parties. Discuss compliance with contractual obligations for data security and the secure disposal of data post-contract.

7. Contractual and Regulatory Strategies:

  • Analysing how contracts can include security clauses, incident response requirements, and liability clauses.
  • Overview of the complexity of third-party breaches reporting and notification requirements in a multi-regulatory environment.

8. Concluding Strategies and Best Practices:

  • Wrap up with a summary of key strategies and best practices to address the challenges presented.
Back to Program

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.

Acknowledgement of Country