It’s no wonder that most businesses keep quiet about cyber security breaches. Why would they report a hack when they have so much to lose? But with the introduction of the Notifiable Data Breaches scheme, businesses now have no choice but to report cyber breaches.
Understanding the scope of the problem
The Notifiable Data Breaches scheme requires businesses captured by the Privacy Act 1988 (Cth) to inform people when their personal information has been compromised due to a data breach and serious harm is likely to result. The long-anticipated scheme aligns Australia with other countries, which have had notification requirements in place for years.
For Dan Weis, Penetration Tester and Security Specialist at leading technology and security solutions company Kiandra IT, the new laws are long overdue.
“The security industry has been pushing for mandatory notification for a long time and we’re one of the last countries in the world to implement this type of legislation,” Mr Weis said. “The new laws won’t change the cyber security landscape in the short term, and attacks will continue to increase in sophistication. But what they will do is provide a degree of visibility that we’ve never had before.
“We have reports from major security vendors on the number and severity of Australian data breaches each year, but it’s only a small percentage of the actual breaches that occur. The reality is that most businesses don’t report breaches because they’re scared of reputational fallout. A good example of this is when Uber suffered a massive data breach in 2016 and then paid hackers to keep it quiet.”
Visibility will lead to awareness
With increased visibility will come a shift in mindset about the need to address cyber security.
“Because there’s been no mandatory reporting, people aren’t aware of the full extent of what’s happening,” Lyn Nicholson, General Counsel at Holding Redlich, said.
“This has contributed to the ‘it’s never going to happen to me’ attitude that’s so pervasive. But, in reality, there are two types of businesses: those that know they’ve been breached and those that don’t know it yet.
“With the obligation to notify breaches comes a higher potential for reputational risk, which will effectively force businesses – including real estate agencies – to focus on cyber security. Complacency has to be a thing of the past,” the data and privacy specialist said.
With the new mandatory data breach notification laws effectively forcing businesses to focus their attention on cyber security, Ms Nicholson said the importance of being prepared will take on a new significance.
“Agencies should undertake an information mapping exercise, so they are familiar with the extent of their potential exposure,” Ms Nicholson said. “This will help identify potential risk scenarios and inform any investment in measures and processes to reduce risk.
“Education is also an essential piece of the puzzle. Survey after survey reveals that one of the biggest causes of data breaches is lost or stolen unencrypted mobile devices. Agencies need to understand how their staff are dealing with data and what potential there is for it to be compromised. Problems arise from unintended consequences, so staff education is key.
“Agencies should also have a documented incident response plan in place and have a crisis team ready to roll in the event of a breach.”
Ms Nicholson said the more prepared an agency is for a cyber security breach, the better they can respond.
“Businesses need to critically examine their existing information security framework, work out how to improve it and then take action.
“Some will undoubtedly say: ‘I don’t have the budget for it’. But my response is: ‘Do you have the budget not to do it?’ The time and money a business invests preparing for the possibility of a cyber attack will repay itself many times over in the event an incident actually occurs and the fallout needs to be managed.”