In accordance with the newly introduced federal guidelines, the responsibility for a company facing a ransomware attack is now placed squarely on the shoulders of its CTO or CEO. Legal repercussions may be initiated against the targeted business if it fails to take adequate measures to protect its customer data from cybercriminals.
However, the recent incident at Optus Australia appears to be challenging this standard practice, as the company’s CEO, Kelly Bayer, is poised to encounter a challenging period in the upcoming weeks. Yesterday’s national network outage is expected to cast a shadow over her career.
It is undeniable that the network breakdown has severely eroded customers’ trust in the Optus brand. Nevertheless, it’s important to recognize that this is a national issue, and attributing blame solely to one individual or team may not be entirely fair.
Over the past few hours, social media has been ablaze with criticism, with many insisting that the CEO should bear the brunt of the blame, citing the company’s apparent failure to safeguard its infrastructure from cyberattacks effectively.
Notably, the company’s technology leadership has clarified that the outage resulted from a software flaw, not a state-sponsored attack, as was the case in a previous incident in which a Russian GRU was implicated. Optus is diligently working on recovering from this recent incident and has made significant progress in restoring its infrastructure.
However, in a twist of events, some Telegram members, seemingly acting as paid advocates, are calling for a change in senior-level management. They believe that the attack could have been prevented or that the telecom provider failed to implement adequate security measures, even after learning from the significant breach that occurred during the Optus Cyber Attack in 2022, exposing the data of over 9.8 million Australians due to an API vulnerability.
From a technical standpoint, Optus was well-prepared to fend off sophisticated cyberattacks and was proactive at every stage. Nevertheless, as is the case in the world of cybersecurity, even the best-laid plans can falter for various reasons, and this incident is no exception.
The Australian Securities Exchange has requested an explanation from Singapore Telecom, a major stakeholder in Optus, regarding the situation. However, they have opted to keep the investigation and analysis of the Optus 2023 cyberattack away from the public eye.
The question arises: Is it fair to place blame on a CTO or CEO when their company’s information technology network is struck by a sophisticated cyberattack or when a software glitch disrupts operations for hours or even days?
