DP World cyber-attack


Late Friday 10 November, Australia’s largest port operator, DP World, suffered a serious cyber-attack. To minimise the impact of the attack, it shut down its connection to the internet, causing considerable disruption to port operations. It is gradually restoring operations, but could suffer additional pain due to industrial action.

“Even if DP World recovers from the cyberattack to full operations shortly, Guardian Australia understands customers remain frustrated at the prospect of delays due to protected industrial action from dock workers in coming days.”

APRA getting serious on cyber

CRN reports that APRA is losing patience with regulated entities:

"Three years ago, APRA’s information security standard CPS 234 came into force, and yet many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans," APRA Chair Lonsdale said.

"With the potential for serious impact to millions of Australians, our patience has run out."

Don’t forget that APRA not only focuses on regulated entities such as banks, insurers and superannuation companies, but also on the suppliers of material services to these entities.

In July, APRA also announced the new standard “CPS 230 Operational Risk Management”.

Chair John Lonsdale said “We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements. There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility.”

The key to becoming CPS 230 compliant is to start now! There is a lot to do and July 2025 will come around very quickly.

Lessons learnt from the Optus outage

We reckon that there are two big lessons for all of us that have resulted from the Optus outage.

Lesson 1 - Our dependence on functioning telephony and data networks

The breadth of the impact has been enormous, and our dependence on all things digital will only increase over time. Multi-factor authentication that relies on your mobile phone to verify your identity made the outage even more impactful. Here are useful ideas we have collected in the last few days which will help reduce the impact of the next outage:

  • Paul Budde’s recommendation that we should be able to roam on the network we normally do not use (pretend you’re overseas during the outage of your BAU provider).

  • Great Vox article on ensuring you can survive if you lose access to your mobile.

Lesson 2 - Good crisis communications is critical

Clear and effective crisis communications are essential to maintaining your good reputation. Even though Optus was subject to a major cyber-attack last year that impacted many customers, it has not improved its ability to communicate. Madonna King neatly sums up the essentials of good crisis communications management:

  • Communicate quickly and stay on the front foot.

  • Be clear and don’t sell.

  • Be sincere.

  • Be mindful of the impact on your stakeholders.

Incredibly, telcos are currently not part of the Federal Government’s Security of Critical Infrastructure Act (SoCI)!

Another interesting AFR article compares the treatment of Optus and DP World in the press.