Cyber security law has changed recently in Australia, with the emphasis now on reporting data breaches or facing heavy penalties. Whatever the size of your company, from micro business to medium or large enterprise, you need a plan in place for the day a security incident occurs.
The following is a checklist of what SMEs need to know to protect their businesses from cyber attack and to meet their obligations when one succeeds.
Data breach legislation
- The Notifiable Data Breaches (NDB) scheme came into effect on 22 February 2018 and applies to entities covered by the Privacy Act 1988: Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million, and smaller organisations that handle particular kinds of data, such as private health service providers and businesses that buy or sell personal information.
- Those entities must take reasonable steps to secure the personal information they hold. Where personal information is accessed or disclosed without authorisation, or is lost in circumstances where such access is likely, and a reasonable person would conclude the breach is likely to result in serious harm to any of the individuals concerned, the entity must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals, unless prompt remedial action removes the likelihood of serious harm.
- Examples of the sort of data breaches which could affect individuals’ personal information and which are notifiable under the NDB scheme include:
– A device is lost or stolen;
– A database is hacked;
– An employee gains unauthorised access to personal information;
– Personal information is mistakenly disclosed to the wrong person, for example an email is sent to the wrong recipient, or a scammer tricks a staff member into handing over personal information.
- Between July and September 2018, 245 data breaches were notified to the OAIC. The majority (57 per cent) were attributed to malicious or criminal attacks, a large share of them compromised credentials obtained through phishing, while 37 per cent resulted from human error such as personal information being emailed to the wrong recipient.
- An entity that suspects an eligible data breach must carry out a reasonable and expeditious assessment and complete it within 30 days of becoming aware of the grounds for suspicion. If the assessment confirms an eligible data breach, the entity must notify the OAIC and the affected individuals as soon as practicable; the 30 days is a ceiling on the assessment, not a grace period before notification.
- Depending on what sort of information was accessed, there may be other bodies the enterprise also needs to report the breach to, such as the Australian Taxation Office (ATO) where tax file numbers are involved, the Department of Health, the police, or banks and other financial services providers.
- A data breach response plan is essential to enable a swift response, limit the consequences of a breach such as harm to affected individuals and loss of reputation, and ensure legal obligations are met, so that penalties for non-compliance are avoided.
- Any data breach response strategy should contain details of the following steps:
– How to effectively contain the breach;
– How to assess the damage caused;
– Who to notify and with what information;
– How to review security policies, procedures and training practices afterwards, and apply remedial action to prevent a recurrence.
- A data breach response strategy should be part of a larger Disaster Recovery Plan and Business Continuity Plan.
- Importantly, any response strategy should be documented clearly, reviewed regularly, and understood by staff, who need to know where to find it and how to enact it. Disaster Recovery and Data Breach Response plans should be exercised regularly, for example by walking through a simulated lost-laptop or mis-sent-email scenario, and updated as needed.
Cyber security tips
- Before any strategy is put in place, audit the information you hold. Knowing what personal information is held, where it is stored and who can access it is integral to knowing how it should be protected, and it is also the information you will need to assess a breach within the 30-day window.
- Keep operating systems and applications up to date and apply security updates promptly; vendor updates frequently fix vulnerabilities that attackers are already exploiting.
- Require strong, unique passwords and multifactor authentication on every account, and encrypt personal information at rest and in transit by default. A lost laptop or phone whose storage is properly encrypted, with the key not compromised, is far less likely to amount to an eligible data breach than an unencrypted one.
- Staff awareness is key. Train all staff to recognise potential cyber attacks, including phishing, and to know what action to take so that an infection is contained quickly, and refresh that training regularly. Every staff member should know what a data breach is, how to identify one, and how to escalate a suspected breach, including whom on the data breach response team to alert and what details to provide (what happened, when, which systems or data were involved).
- Being fully prepared is your best defence, so employ cyber security experts to consult on your business and security measures.
If you’d like to discuss how your business can best protect itself from data breaches and other cyber security threats, call EMPR Solutions on 1300 289 867 (AU), 0508 278 769 (NZ) or email us!
– Natasha Poynton