Organisations face cyber risks from within their own workforces, a Risk and Insurance Management Society forum in Melbourne heard last week.

“There are four groups initiating cyber threats, starting with criminals looking to extort money,” Control Risks Director Asia-Pacific Carla Liedtke said. 

“The second group is national states, and there are 60 countries in the world with cyber programs.

“The third group is ‘hacktivists’, who have a cause to push, but all these can work with people within the organisation.”

Ms Liedtke says internal threats can be driven by money or sympathy for a cause.

And innocent staff unwittingly opening emails with malware links can also activate attacks.

“Today it is not a question of if you will you suffer a cyber attack, it is when. It is important to have clear, defined roles in the threat crisis team when the attack does occur.” 

Ms Liedtke says many companies simply pass threats to their IT teams, rather than having a crisis management team addressing all aspects, including reputational damage.

Norton Rose Fulbright Partner Tricia Hobson told the forum a lawyer’s role is to mitigate the risks that follow a cyber breach.

“It is important to know who you tell of a security breach,” she said. “In Australia there is no mandatory obligation to notify of breaches.

“Most cases have been dealt with in-house, but privacy laws are ramping up.” 

The US has breach reporting laws, but they are different in each state.

This would affect an Australian company with overseas customers if credit card details were stolen, Ms Hobson says.

“There would then be some reputational risk to notify the US and not Australia. Preparing the form of notification is critical because the cost can be significant.

“If the notification is limited, it can save an organisation money.”

Ms Hobson says affected organisations must monitor social media to see the extent of reputational damage.

“Australia is now the second most litigious country in the world, and a breach is a ready-made class action.

“So if the breach was a lapse, your legal team can keep that out of these lawyers’ hands.”