The importance of digital transformation in ensuring resilience

The case of Optus

Optus, one of Australia’s largest telecoms, revealed that the personal data of about 10 million customers had been stolen during a breachⁱ. The information stolen was most sensitive, including names, birthdates, home addresses, contacts, passport identifiers, and driver’s license numbers. 

Former customers had data stolen, as well, putting an estimated 2.8 million people at significant risk of identity theft and fraudⁱⁱ. 

However, this wasn’t the everyday data breach – even of a large brand.

The weekend of the hack, an anonymous user emerged, publishing data samples from the hack and demanding USD 1 million. 

Soon, another 10,000 customer records were released. 

The user then suddenly apologized for the “mistake”, deleting the data sets which had been previously posted.

The data sets were out in the public domain, though, copied and distributed by others. 

In fact, a local teen, not suspected to be the original hacker, was eventually charged over an alleged SMS scam, in which he used information obtained from the Optus data breach to demand AUD 2,000 payments from affected customers. 

These comings and goings only served to further Optus’ reputational damage. The alleged, original user, for one, contradicted the company’s assertion that the hack had been a sophisticated attack, claiming that the data had been easily pulled from an accessible software interface.

That claim was corroborated by Australian Cyber Security Minister, Clare O’Neil. In an interview, she replied that the hack hadn’t been sophisticated at all, chiding Optus for “[having] left the window open for data of this nature to be stolen”ⁱⁱⁱ. 

What’s worse, it soon became known that customer Medicare details had been stolen, and Optus hadn’t yet disclosed the fact. Indeed, almost 37,000 Medicare cards had been affected in the breach. 

Optus isn’t the only organization that hasn’t prepared for complex disruption

Besides reputational damage and the prospect of falling behind competitors, Optus now faces possible class-action suits from victims. 

What’s more, Australia, often called out for relatively lax data privacy and cybersecurity laws, is likely to strengthen that regime.

For one, the Government is already proposing amendments to the country’s Telecommunications Regulations 2021 Act, to allow the temporary sharing of some personal data to facilitate better coordination between providers, financial services institutions, and government agencies to mitigate the impact of a data breach on customers^iv. 

Of course, the incident also begs the more global question of whether at-risk organization are making the necessary improvements to their resilience capabilities to mitigate the effects of complex disruptions.

Not just the Optus case but also many others like it suggest the answer is no. 

The data tell a mixed story. Gone are the days of no plans and preparations are behind us. 

Resilience surveys, such as that published by BCI in 2022^v, bespeak increased adoption of resilience practices. When polled, over three quarters of organizations reported either having or developing an operational resilience program. 

But far from keeping pace with the deteriorating risk climate, the preparations many of these companies have in place remain inadequate. 

In turn, resilience practitioners are sounding the alarm, worried that staffers don’t have the requisite knowledge or resources to lead the necessary transition to a more strategic, customer-centric resilience approach^vi. 

One reason why is that significant risk is being ignored.

In the case of the Optus breach, for instance, media sources contend that crisis simulations at Optus focused on the network outage scenario to the detriment of the data breach scenario^vii. That’s even though Optus’ own fillings called out cyber security as a significant risk, too, with a major data breach likely to trigger customer backlash, litigation, and fines.

Similarly, the state of Victoria recently performed an audit of its agencies’ business continuity preparations before COVID^viii, calling out a similar lack of proactive resilience preparations. That was even though state-wide risk plans had themselves listed a pandemic as a risk “likely” to occur with “severe” consequences.

Nevertheless, departmental business continuity plans (BCPs) failed to address the large-scale, complex disruption scenario. Nor did business impact analyses (BIAs) fill in the gaps. According to the Audit, departmental BIAs didn’t fully assess the impact that such a disruption might have on services, failing to consider the minimum resource requirements, including the internal and external suppliers that their services need to run. 

Strategies to maintain resilience amidst long-term disruption

This failure to prepare for large-scale, complex disruptions is becoming a signal challenge to ensuring resilience. Again and again, organizations pay lip service to the risks posed by complex disruption but fail to plan adequately.

How to avoid getting caught flat footed? One step is to make a plan to act proactively. And to this end, firms should look to companies who’ve done things right as models of resilience best practice.

One such company is Toyota. In the aftermath of the 2011 Fukushima disaster that crippled its production and supply chains, the automaker updated its BCP, requiring suppliers to stock anywhere between two and six months’ worth of chipsix. This left the automaker better prepared for the post-pandemic chip crisis than its competitors. 

Pursuing such a proactive resilience strategy is possible for all organizations, though.

How to go about? 

It’ll take a mindset shift away from preparing exclusively for short-term disruption to getting serious about foreseeable, complex disruptions, especially those likely to last for long durations. 

Following from this shift, companies can take the following common-sense organizational resilience arrangements:

• Tackle complex scenarios (whether large data breaches, pandemics, thorny reputational crises, or others) as standalone threats, i.e., by developing dedicated scenario plans for each.
• Treat the resulting plans as living documents, i.e., testing plans regularly (at least every two years or after a major organizational change) to ensure they will be effective in a disruption and that staff knows how to use them.
• Ensure all business continuity and/or resilience plans adhere to international best-practice, to be focused, concise, specific, and easy to use.
• Highlight organization-wide priorities and strategies in plans, adjusting as those priorities and strategies shift.
• Write clear activation criteria into plans, so practitioners don’t lose critical time when disruptions happen.
• Ensure plans always reflect the current operating environment.
• Cover prioritized services in plans, addressing the need for additional or surge resources where relevant.

The importance of digital transformation in ensuring resilience

There’s more, such as capitalizing on opportunities to accelerate digital transformation to adopt more efficient processes. Indeed, the pandemic itself has already made organizations rethink how they work, leading oftentimes to the quick roll out of new technology-related processes and projects. 

Organizations should use the momentum to streamline processes by adopting new (digital) technology, to ensure efficiency in performing resilience tasks. 

How, exactly? Well, findings suggest that preparations weren’t fully made for global, long-term disruptions of more than a few weeks. 

Pragmatic business continuity management software, here, can help organizations easily create impact assessments for multiple types of impacts for each prioritized activity within a BIA, including the impact of disruptions over multiple time periods, not just shorter-term disruptions.

And to ensure entities consider all minimum resource requirements and suppliers whose services those entities rely on, the same platforms can help highlight if prioritized activities have key staff dependencies, as well as 

1. the business-as-usual head count required, 
2. the number of staff required for the minimum business continuity objective,
3. whether the staff dependency is a single point of failure, 
4. in addition to recording staff members who are essential to complete the activity

What’s more, with pragmatic business continuity software, organizations can create and manage their own lists of dependencies, including internal and external suppliers, making it easy to add these to prioritized activities, as well as recording if there are any dependencies on other prioritized activities. 

Further capabilities to address complex disruption:

• Applies industry standards drawn from the latest versions of ISO 22301, ISO 2231, and ISO 22317.
• Provides efficacy ratings and testing statuses to better glean how effective recovery strategies will be. Recovery strategies will also follow an automated approval process, to ensure they are reviewed, approved, and always tested.
• Collects and aggregates data to highlight critical activities, processes, assets, and resources lacking recovery strategies, or untested recovery strategies.
• Conducts simultaneous exercises across multiple business units to practice and battle-test teams, response plans, and communications.
• Records after-action reviews, lessons learned, and improvement activities for evaluation.
• Automatically reschedules BIAs, so organizations don’t run the risk of forgetting to review.
• Creates post-incident reports for executives in just a few clicks and provides stakeholders access to their own dashboards highlighting key information in an easy to digest format.
• Enables organizations to review their post-incident report templates to include a section outlining prioritized services, recovery time objectives, and if services are disrupted, how long

Finally, organizations have gotten the message that critical threats are no joke. But they haven’t yet implemented the measures needed to ensure stability during a crisis, to avoid losing stakeholder trust.

That will take companies looking towards more holistic, long-term strategies for maintaining resilience. Supplemented with the right technology to effect much-needed digital transformations, these resilience management strategies will help break down siloes, pivoting companies towards sustainable, integrative risk practices.

Sources

i. Tory Shepherd, The Guardian:

ii. The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle. Available at https://www.theguardian.com/business/2022/oct/01/optus-data-hack-australians-scramble-to-change passports-and-driver-licences-after-telco-data-debacle.

iii. Ibid.

iv. Belinda Palmada, news.com.au: ‘It wasn’t’: Cyber Security Minister Clare O’Neil slaps down Optus’s claim that it suffered ‘sophisticated’ attack. Available at https://www.news.com.au/technology/online/security/it-wasnt-cyber-security minister-clare-oneil-slaps-down-optuss-claim-that-itsuffered-sophisticated-attack/news-story/0736d362a220e12dfa7b435495b2a017.

v. Eillen Yu, ZDNET: Australia moots changes to privacy laws after Optus data breach. Available at https://www.zdnet.com/article/australia-mootschanges-to-privacy-laws-after-optus-data-breach/.

vi. BCI: BCI Operational Resilience Report 2022. Available at https://www.thebci.org/resource/bci-operational-resilience-report-2022.html.

vii. Ibid.

viii. Tim Burrowes, Unmade: Optus writes a new chapter in the crisis handbook. Available at https://www.unmade.media/p/optus-writes-a-new-chapter-in-the.

ix. Business Continuity During COVID-19 Audit. Available at https://www.audit.vic.gov.au/report/business-continuity-during-covid-19.

x. Norihiko Shirouzu, Reuters: How Toyota thrives when the chips are down. Available at https://www.reuters.com/article/us-japan-fukushimaanniversary-toyota-in-idUSKBN2B1005.