Data breach notification laws a step closer to reality – is your business cyber-ready?
WHO SHOULD READ THIS
- Any business with an online profile or those which collect personal data.
THINGS YOU NEED TO KNOW
- For most organisations, being targeted by a cyber-attack is a matter of ‘when’, not ‘if’, and costs Australia more than $1 billion annually.
WHAT YOU NEED TO DO
- Consider how cyber-ready your business is and ensure you have the necessary protection should your business become a victim of a cyber-attack. Find out how Allegiant IRS’s cyber-security insurance policy can protect your business.
Cyber-security is one of the most pressing issues for businesses of all sizes. Protecting your networks and data is more complex and important than ever before. We now operate in a time of ubiquitous ecommerce, widespread adoption of cloud-based and other distributed storage solutions, and more and more devices are connected to networks with the continuing growth in mobile workforces and devices that communicate with other devices (the ‘internet of things’).
Cyber-breaches garner huge media attention and are ever-present. Two recent reminders are the crash of Australia’s online Census site, and Dropbox admitting that 68 million of its user accounts may have been compromised.
Time to fess up?
And those are just the ones we find out about. Many go unreported. Or did, until now. Australian businesses may soon have to report whenever they suffer a serious cyber-attack. The Government finished a round of public consultation at the end of August on its proposed mandatory data breach notification laws. These have been talked about for quite some time, but now there appears to be broad support across the political divide for this legislation.
Once it becomes law, companies will have to report all serious data breaches, or face a fine of up to $1.7m. (Of course, if you have not taken reasonable steps to secure your data, by reporting the data breach you may also be owning up to breaching other obligations under privacy law which will have their own consequences.)
In addition to the always present and real risk of being victim of a cyber-attack, there will therefore be the added layer of reputational, legal and financial risk that comes from having to report on any compromises to your data. So, now is a good time for businesses of all sizes to reconsider their cyber-readiness.
Cyber-attacks, the risk is real
For most organisations, being targeted by a cyber-attack is a matter of ‘when’, not ‘if’. It is notoriously difficult to obtain accurate figures (because so many attacks go unreported), but the Australian Cyber Security Centre estimates that cyber-attacks increased 20% between 2013 and 2014, and 37% the year before that. The cost to Australian business last year was at least $1 billion.
There are many different ways you can be attacked, with new ones always emerging, which is what makes cyber-attacks so hard to prepare for and prevent. Common attacks include denial of service attacks designed to interrupt a site’s normal functioning (often at times of peak usage, for maximum inconvenience), phishing attacks designed to exploit human vulnerabilities to access valuable information, and sophisticated perimeter intrusion attacks designed to access systems despite the existence of firewalls, often embedding monitoring software that allows ongoing access to a network or system. We see new techniques and threats on an almost daily basis.
The motives of the attacks and who is behind them also vary, from social activism, to criminal theft (ransom) and large-scale state or corporate espionage. The common thread, though, is that data is the target – personal, sensitive and financial information of customers and staff, a business’s own financial and corporate records, trade secrets and other intellectual property.
Given the nature of the information involved, it is not difficult to see the reputational, legal and economic impacts of a cyber attack.
What can you do?
While it is near-impossible to guarantee that your organisation will not be affected by a cyber-attack, there are ways you can attempt to prevent and/or deal with those attacks.
Some of the most effective means to prevent or deal with cyber-attacks we have seen implemented include the following:
- Administrator accounts: restrict administrative privileges only to staff and contractors that need them. User accounts with administrative privileges are commonly targeted by hackers (in particular with phishing attacks), because administrators have a high level of access to the organisation’s systems and networks.
- Whitelisting: application and website whitelisting can make it harder for hackers to compromise your systems and can help you protect your systems by preventing unauthorised applications from running on your systems and preventing your employees from accessing unauthorised or unsafe websites.
- BYOD and mobile device protections: implementing effective and adequate BYO device and remote working arrangements is highly effective. Functions such as autosave features and anti-virus programs on personal computers or laptops may sometimes automatically back up and store company information in an unencrypted format on domestic private clouds, often without the user’s knowledge. Sensitive company emails, notes and photos on your employees’ smartphones and personal computers or laptops may be automatically uploaded to another company’s servers without your knowledge, and may therefore be vulnerable to security breaches. Implementing policies to address these features and others is a key step.
- Training: Humans remain the weakest link in many networks. Training your employees on cyber-threats is crucial, and should include:
- how to spot and report phishing emails;
- the kind of information they should never give to anyone except specific people within your company (e.g. login and password details);
- which group within your company is likely to ask them for specific kinds of information (e.g. your HR department is unlikely to ask an employee for information about the company’s intellectual property);
- not to use USB devices they did not acquire from a trusted source on your systems. Most USB devices (including keyboards, mouse devices, and other USB gadgets – often given out at conferences) can be compromised through their firmware and are a common source of cyber-attacks.
- Test and plan: red-teaming, deliberately testing your own systems for vulnerabilities, is an increasingly common practice. Use the findings to prepare a comprehensive response plan that you can implement as soon as any cyber-attack or data breach is detected.
- Backup: back up your data and test your systems’ cyber-security regularly to ensure the effect of any breach is minimised.
- Know where your data is: if your suppliers, customers or contractors receive your confidential information, make it your business to know how they store it, secure it and protect it. If you use third party storage services, make sure you understand what commitments they are making to secure and protect your information. Do you have any rights against them if your data is compromised or lost?
- Report: know who to call: CERT Australia (www.cert.gov.au) is the national computer emergency response team and the single point of contact in Government for cyber security issues affecting major Australian businesses. CERT is part of the Australian Attorney-General’s Department. Once mandatory breach reporting legislation comes into effect, you will also need to notify the Office of the Australian Information Commissioner.
What we can do
We regularly assist clients to prepare for and mitigate the impact of cyber attacks. We can provide advice on the regulatory landscape, draft policies and procedures, ensure your contractual frameworks with suppliers and customers are robust, and help implement your plans if a data breach does occur. We also have an innovative insurance business, Allegiant IRS, which was responsible for introducing one of Australia’s first dedicated cyber-security insurance policies.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.