Do you use a computer in your business?
September 26, 2017
Here is a real-life example of how easily it happens. It seemed like just another ordinary day for a small retailer. Little did they know that a simple click on an email link was about to threaten the entire business. One of the company’s employees received an email with a link to a seemingly benign catalogue. One click and the company’s system was infected with a virus that affected the accounting software and the customer account files, including credit card numbers, customer names and addresses among other information. The accounting software and customer files did not live on the employee’s computer; they lived on the company’s network drive, so the virus was able to encrypt all 15,000 accounting and customer files.
A ransom demand soon followed, demanding $50,000 in exchange for a decryption key. It was discovered that the company’s backup systems had not been working for months, and with the virus proving impossible to remove without the loss of crucial company data, the company had no choice but to pay up. But the decryption key didn’t work. Business came to a standstill. The owner could not afford to pay to rebuild the network systems. Six months later the company closed its doors, strangled by lack of sales and cash flow.
The fast-paced and constantly evolving nature of data breaches and other cyber incidents means that there is a real need for legislation to protect consumers. The Australian Cyber Security Centre was aware of 15,000 cyberattacks affecting businesses in Australia from June 2015 to June 2016, and ACORN (Australian Cybercrime Online Reporting Network) reported $1 billion in losses from small businesses and individuals during this time. At present Australian small businesses are reporting cybersecurity breaches at nearly twice the rate of their counterparts in the USA, and that is before mandatory reporting commences.
After 2 years of debate, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed on 13 February 2017 and is expected to come into effect within the year. It has real teeth to deal with individuals and organisations that fail to report data breaches, with fines as high as $360,000 for individuals and $1.8 million for organisations. The principal purpose of the Bill is to encourage the holders of Personal Information to adequately secure, or alternatively appropriately dispose of, this data; mandatory reporting of all Privacy Breaches will be required.
This legislation applies to a wide range of organisations that are governed by the Privacy Act. Even if your business is small, if you handle Personal Information (e.g. you hold individuals’ names, addresses, telephone numbers, dates of birth, signatures, bank details etc.) you will be caught by this legislation. It also extends to large corporations with turnover greater than $3 million, including government agencies, businesses and not-for-profit organisations.
Once the legislation is in effect, not only will you need to react to the cyberattack itself, but also deal with the backlash from customers who are required to be informed of the breach.
Prevention continues to be better than a cure, with all businesses encouraged to seek appropriate advice from security professionals on how best to protect their businesses. However, even the most robust systems are prone to attack.
If the worst does happen, the insurance industry has also evolved to be able to cover many of the losses that may be incurred in the event of a Breach. Insurance Companies have set up expert IT Teams to swing into action and help get your business back on track.
Practical Steps that Businesses should consider to minimise the likelihood of an attack include:
- Keep your operating systems updated and regularly patched.
- Have a firewall plus anti-virus, anti-spyware and anti-phishing software.
- Keep your browsers updated at all times with the latest version of the software.
- Keep all system software updated.
- Encrypt your wireless network.
- Restrict software and set up administrative rights so that nothing can be installed on company computers without authorization.
- Use filtering that controls access to data.
- Block access to restricted sites with Internet filters to prevent employees and hackers from uploading data to storage clouds.
- Remove or disable USB ports so that malicious data can’t be downloaded.
- Implement strict password policies.
- Encrypt entire drives, folders and files.
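The list above leaves out the control whose failure finished the retailer in the opening story: backups that are verified, not merely scheduled. The following script is an added example, not from the original article; it assumes a simple layout of dated backup directories (YYYY-MM-DD) each holding a manifest.json of SHA-256 hashes recorded at backup time, and flags a backup that is stale or whose copies no longer match what was recorded.

```python
import hashlib, json, os, tempfile
from datetime import datetime

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def latest_backup(backup_root):
    # Newest backup directory named YYYY-MM-DD, as (datetime, path); None if there are none.
    dated = []
    for name in os.listdir(backup_root):
        try:
            dated.append((datetime.strptime(name, "%Y-%m-%d"), os.path.join(backup_root, name)))
        except ValueError:
            pass  # not a dated backup directory
    return max(dated) if dated else None

def check_backups(backup_root, now, max_age_days=1):
    """Report the newest backup's age and every manifested file that no longer restores intact."""
    latest = latest_backup(backup_root)
    if latest is None:
        return {"ok": False, "age_days": None, "corrupt": []}
    when, path = latest
    with open(os.path.join(path, "manifest.json")) as f:
        manifest = json.load(f)  # relative path -> sha256 recorded when the backup was taken
    corrupt = [rel for rel, digest in manifest.items()
               if not os.path.isfile(os.path.join(path, rel))
               or sha256_file(os.path.join(path, rel)) != digest]
    age = (now - when).days
    return {"ok": age <= max_age_days and not corrupt, "age_days": age, "corrupt": corrupt}

def write_backup(root, date_str, files, damage=None):
    """Constructed fixture: a dated backup of `files`; `damage` names one copy truncated after manifesting."""
    path = os.path.join(root, date_str)
    os.makedirs(path)
    manifest = {}
    for rel, data in files.items():
        with open(os.path.join(path, rel), "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    if damage:  # the job reported success, but this copy is unusable
        open(os.path.join(path, damage), "wb").close()
    with open(os.path.join(path, "manifest.json"), "w") as f:
        json.dump(manifest, f)

def demo(now=datetime(2017, 9, 26)):
    # Constructed data: a healthy nightly backup, and one that silently went stale and corrupt.
    files = {"ledger.csv": b"acct,amount\n1001,250.00\n", "customers.csv": b"name,card_last4\nJ Smith,4242\n"}
    healthy, broken = tempfile.mkdtemp(), tempfile.mkdtemp()
    write_backup(healthy, "2017-09-25", files)
    write_backup(broken, "2017-03-01", files, damage="customers.csv")
    return check_backups(healthy, now), check_backups(broken, now)
```

Run `check_backups` from a scheduled task against the real backup root and alert on `ok == False`; a backup that has quietly failed for months then shows up the next morning rather than on the day of the ransom demand.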
Some Important Facts about the Legislation: What is a Data Breach?
A data breach is defined as a situation where:
- there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or
- such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure, and
- there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
Relevant data can include data such as personal information, credit information and tax file numbers.
A real risk of “serious harm” can include physical, psychological, emotional, economic and financial harm, and also includes serious harm to reputation.
What’s Changed?
Compulsory regulatory notification
In the event of a data breach, the organisation has a duty to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of an eligible data breach “as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.”
The amount of data may be as little as one record.
Notification is compulsory unless it would impact upon a law enforcement investigation or the regulator determines that it would be contrary to the public interest.