With corporate giants Facebook and Uber in hot water over privacy breaches, how can SMEs with fewer resources make sure they don’t run foul of Australia’s costly new data breach laws?
Fast-growing companies and successful SMEs could be the hardest hit when it comes to new data breach laws, according to cyber security expert Sorin Toma.
Mr Toma, who heads up cyber advisory firm Xpotentia and is the University of NSW’s principal adviser on cyber security, says thousands of small businesses have failed to keep pace with growing security demands.
The expansion of online business and the resulting changes to workplace practices, including online data storage, integrated cloud accounting software and multiple connected devices in the workplace, have created a perfect storm of heightened risk for SMEs.
At the same time, hackers are growing more sophisticated, with identity theft and ransomware attacks more prevalent.
Mr Toma says this leaves many SMEs exposed under the government’s new Notifiable Data Breach scheme, which requires covered businesses (generally those with an annual turnover above $3 million, as well as some smaller businesses, such as those that trade in personal information) to notify both the individuals affected and the Office of the Australian Information Commissioner (OAIC) of data breaches likely to result in serious harm. Failure to do so can attract civil penalties of up to $2.1 million for a body corporate.
“Our research has found that businesses are not prepared for the new regulations, or indeed, the new wave of highly-skilled cyber criminals operating within the Australian market,” Mr Toma says.
Businesses in the danger zone are those just above the $3 million turnover threshold that do not have the resources to employ dedicated cyber security staff.
“They are the ones that are going to get hit the hardest because they just don’t have the tools; they don’t have the expertise and they don’t have the people to deal with this.
“A lot of the time, a small business might not know a breach has happened. It could send you bankrupt,” he warns.
And while the reputational cost of reporting data breaches to clients could be damaging, failure to report could equally result in crippling fines.
“Data breaches are surprisingly common, with a Telstra survey finding 59 per cent of Australian companies detected breaches on a monthly basis¹ in 2016,” he said. “This figure in itself makes me wonder whether the government has allocated sufficient resources to process and assess a wave of data breach reports.”
After the Notifiable Data Breach scheme came into effect on 22 February 2018, more than 30 reports were made to the OAIC in the first three weeks; the regulator is tasked with assessing every report to decide whether further action is needed.
Mr Toma says grey areas in the scheme may also cause confusion, since the legislation requires only those data breaches likely to result in “serious harm” to be reported. “This places the onus on SME owners to make an assessment they may not feel qualified to make,” he says.
Ransomware attacks, for instance, may not necessarily be reportable if the data was only encrypted in place and not copied, although establishing whether the attacker also accessed or copied the data is itself part of that assessment.
Mr Toma says he does not expect any enforcement action under the new scheme until it has had time to bed down.
“I expect it will be tested somehow, but probably not for a year or so,” he said.
Right now, it is imperative that SMEs implement best-practice cyber security measures.
Four basic cyber security steps Mr Toma advises SME owners to undertake immediately are:
Know where your key data is held
Look at where you store sensitive data – client details and financial information. Using cloud-based systems is not necessarily risky, but businesses must be aware of where the companies handling their data are based and what security provisions are in place.
“I’ll give you an example,” he says. “I got called in by a small business. They were worried that the off-shore manufacturers might steal their secrets or IP.” When he examined their processes, Mr Toma found they were using an online data storage company headquartered in Shanghai. “Without their knowledge, all their data was being held off-shore already.” He says businesses should be aware that some companies may try to make it appear they are based in Australia or the US when they are not.
Look at what controls you can put in place around sensitive client information. “So if it’s on the cloud, it’s not such a bad thing because you can go to the cloud providers and you can purchase extra security and it’s just a matter of cost,” Mr Toma says. Paying for additional security could save you in the long run.
Consolidate and secure your base network
How many devices are connected to your business network? How are the network and each device secured? Mr Toma warns that the base network is the most common entry point for hackers chasing more valuable data. Once criminals breach your network, it can be relatively easy for them to find passwords that unlock sensitive cloud data, he says. Invest in a good antivirus package and a network firewall.
Run regular system security checks
Cyber security is never a ‘set and forget’ issue. For SMEs without experts on staff, hiring a contractor is advisable. Mr Toma says businesses should begin with a full audit of systems and practices, followed by regular system scans every few months.
Notifiable Data Breach scheme
- Applies to businesses with turnover above $3m, or that trade in personal information.
- Effective from 22 February 2018.
- Stipulates that data breaches likely to cause “serious harm” must be reported to the individual(s) concerned and to the Office of the Australian Information Commissioner (OAIC).
- A data breach may include the loss or theft of a device containing personal information; hackers (or unauthorised personnel) accessing personal information; or when personal details are mistakenly provided to the wrong person.
More information is available at the Office of the Australian Information Commissioner.
¹ Telstra Cyber Security Report 2017 – Managing risk in a digital world, https://www.telstra.com.au/content/dam/tcom/business-enterprise/campaigns/pdf/cyber-security-whitepaper.pdf