DP World cyber-attack

Photo: DP World

Late on Friday 10 November, Australia's largest port operator, DP World, suffered a serious cyber-attack. To contain it, the company disconnected its systems from the internet, which brought much of its port operations to a halt. Operations are gradually being restored, but DP World could suffer further pain from industrial action.

“Even if DP World recovers from the cyberattack to full operations shortly, Guardian Australia understands customers remain frustrated at the prospect of delays due to protected industrial action from dock workers in coming days.”

APRA getting serious on cyber

CRN reports that APRA is losing patience with regulated entities:

"Three years ago, APRA’s information security standard CPS 234 came into force, and yet many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans," APRA Chair Lonsdale said.

"With the potential for serious impact to millions of Australians, our patience has run out."

Don’t forget that APRA’s requirements do not stop at regulated entities such as banks, insurers and superannuation funds: those entities must also satisfy themselves about the controls of the suppliers of material services to them, so suppliers are drawn into scope as well.

In July, APRA also finalised the new prudential standard “CPS 230 Operational Risk Management”.

Chair John Lonsdale said “We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements. There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility.”

The key to becoming CPS 230 compliant is to start now. There is a lot to do, and the July 2025 commencement date will come around very quickly.

Lessons learnt from the Optus outage

We reckon the Optus outage holds two big lessons for all of us.

Lesson 1 - Our dependence on functioning telephony and data networks

The breadth of the impact has been enormous, and our dependence on all things digital will only increase over time. Because so many services verify identity with multi-factor authentication delivered to a mobile phone (an SMS code or an authenticator app), losing mobile connectivity also locked people out of services that were otherwise working, making the outage even more impactful. Here are useful ideas we have collected in the last few days which will help reduce the impact of the next outage:

  • Paul Budde’s recommendation that customers should be able to roam onto a competitor’s network when their own provider is down, just as a phone roams onto a foreign network overseas (pretend you’re overseas during the outage of your BAU provider).

  • A good Vox article on preparing to get by if you lose access to your mobile phone.

Lesson 2 – Good crisis communications is critical

Clear and effective crisis communications are essential to maintaining your good reputation. Even though Optus suffered a major cyber-attack last year that affected many customers, it has not improved its ability to communicate. Madonna King neatly sums up the essentials of good crisis communications management:

  • Communicate quickly and stay on the front foot.

  • Be clear and don’t sell.

  • Be sincere.

  • Be mindful of the impact on your stakeholders.

Incredibly, telcos are currently not covered by the Federal Government’s Security of Critical Infrastructure Act (SOCI Act)!

An interesting AFR article compares the treatment of Optus and DP World in the press.

Cyber Security priorities and investments with an outcome-driven approach | The Reboot Show and TrustedImpact

Often when I ask an executive if a service provider's Continuity Plan has been practised, they don't know, which is worse than having no plan. Ben Scheltus, General Manager, Continuity Matters

An organisation's readiness to detect, contain and respond to information security threats is measured by its state of Cyber Maturity. The Cyber Maturity journey requires strong leadership direction and sustained action; it is not a software procurement matter that can be left solely in the hands of IT departments or information security generalists.

An organisation's state of Cyber Maturity at any point in time determines its level of Cyber Resilience, which is its ability to recover from a cyber crisis when one happens.

The Reboot Show, in conjunction with TrustedImpact, hosted a series of leadership discussions for executives and board members with 9 cyber security experts in Australia to unpack modern security perspectives and reflect on contemporary misconceptions.

This discussion paper summarises the key insights shared by the 9 experts, including:

  • Executive responsibility for preventable crises

  • The Cyber Maturity continuum and building Cyber Resilience

  • Navigating business risks at the speed of software

  • Unique risks associated with cloud services

  • Creating engagement through training and awareness

  • TrustedImpact's Cyber Security Training and Awareness Program Pillars

  • Limitations of Penetration Testing

You can download the discussion paper here.

The expert discussions can be viewed here.

A guide to the TCFD

The casualties of the climate crisis could include financial stability, the global economy and the value of investments. As governments catch up with the realities of climate change and the policy response gathers pace, global markets need transparency about the financial impact of climate change on companies.

The Task Force on Climate-related Financial Disclosures (TCFD) released its recommendations in 2017 to improve and increase reporting of climate-related financial information. Today, 2,000+ organisations support the TCFD, including 110+ regulators and government entities across 78 countries.

Why read this guide?

It outlines the benefits of climate reporting to firms such as yours and explains how companies and regulators are implementing the TCFD recommendations.

Firms implementing the recommendations are able to:

  • Efficiently identify climate-related opportunities and risks

  • Proactively address investors' demands for climate-related information, using a framework that investors are increasingly asking for

  • More effectively meet current requirements to report material information in financial filings

  • Enhance risk management and strategic planning through a better understanding of climate risk

Bloomberg has created this guide to help you better understand the benefits of implementing the TCFD recommendations.

Texas Cold Crisis: Insurance Options for Severe Weather Disruption | Risk Management Monitor

On February 15, a massive and unseasonal storm with frigid temperatures spiked the demand for power and outpaced the supply, cutting power to 26 million Texans. Unpredictable weather patterns present risks for business owners, but they also create an opportunity to improve risk mitigation strategies to address future uncertainties.

Power outages are not caused by winter storms alone. Heat waves, hurricanes and wildfires can also cut power, and outages are more common than business leaders may think: S&C’s 2018 Commercial and Industrial Power Reliability Report found that one in four businesses experiences at least one power outage per month.


Newsletter February 2021

Re-assess your risks in 2021

The Trump presidency and, more recently, the COVID-19 pandemic have intensified competition between the US and China. Both countries are likely to seek superiority in the digital realm and to restructure their supply chains.

According to the Global Risks Report 2021, middle powers like Australia are likely to be squeezed. We are already suffering from China’s decisions to limit imports of a number of important Australian commodities. Hopefully, we will not be put in a position where we have to pick a side.


We all hope that the Biden presidency can quickly repair the damage caused by the pandemic in the US. One of the salient lessons of the pandemic is the fragility of our supply chains and the prevalence of critical products sourced from countries far from Australia, often from a single supplier.

Use your 2020 experience to re-assess the resilience of your supply chains. If you have staff monitoring your modern slavery obligations, they already map your suppliers and may be able to assist.

The WEF Global Risks Report 2021 also identifies the ever-increasing threat posed by hackers. The sophistication, number and funding of attackers (both criminals and nation states) continue to grow unabated.

It is difficult for organisations to decide how much resource to devote to this risk. The good news is that, like washing hands and wearing a mask, basic hygiene greatly reduces the risk of being the victim of a successful attack. The Australian Cyber Security Centre has an excellent guide to help you implement these basic hygiene actions.

Is it time to review your cyber security approach in light of the ACSC guide?

The third, and most prevalent, risk identified was climate change. Among the top seven global risks, climate-related risks occupy four positions by impact and four by likelihood.

The seven hottest years on record globally all occurred in the past seven years.


Although most of us will remember 2020 as the year of COVID, the impact of climate change on Australia was exceptional, starting with the bushfires that engulfed south-eastern Australia.

Australia is particularly exposed to climate change. On 4 January 2020, Penrith was the hottest place on Earth at 48.9˚C.

These physical risks, from extreme heat, storms and floods, will increasingly disrupt the operations of Australian businesses.

If your organisation has widely distributed operations, large critical assets, a heavy dependence on a reliable power supply or long supply chains, we strongly advise that you revisit your Risk Register in light of the warnings from the Global Risks Report and, locally, from the Climate Council.

The Biden presidency has wasted no time in aggressively resetting the strategy the US intends to employ to tackle climate change. In addition, the UK and the EU have already warned trading partners that they will use carbon tariffs to penalise countries they deem are not acting on climate change. This is a large risk for any Australian company that exports to the UK, the EU or the US.

As a result, the Australian Government may need to implement policies that affect the operations of Australian companies.

Please consider these transition risks in light of your own business operations. The Australian Government may move quickly under pressure from its trading partners, and policy action could substantially change some of these risks.

Please also remember that throughout the pandemic, the critical decisions were made by governments. The primary obligation of your Crisis Management Team was to comply with the instructions issued by the various Health Departments and Chief Medical Officers.

If your business suffers a major hack, a fire in the building or sells a product that makes your customers sick, there will be no government to tell you how to manage the crisis. Furthermore, your competitors and customers may actively seek to profit from your misfortune.

Please contact Continuity Matters if we can help you re-assess your resilience, develop a business resilience program or validate your plans by conducting an exercise.

General James Mattis on leading in a crisis and thriving in the next normal | McKinsey & Company

"Good feedback loops and data displays are critical. You have to start with data. If you can only quantify 10 percent of the problem right now, then start there. As more data comes in, you replace assumptions with knowledge. Then you need to apply your judgment. One of the most important things is keeping someone at your side who will challenge you to balance the quantitative and non-quantitative inputs to your assessments, who will watch for gaps in your assessments."