Keeping quiet in the wake of a cyber security breach is now a thing of the past, after laws mandating notification came into force last year. Here’s a reminder of what you need to know about the scheme.
It’s an unfortunate fact that far too many real estate agencies take a “she’ll be right” attitude when it comes to cyber security. Smaller agencies, in particular, tend to believe “no one’s going to bother to hack us because we’re too small”. But it’s not true.
Small businesses, real estate agencies and the strata industry included, are easy targets. Much attack activity is opportunistic and automated, so being small is no protection; and where an attacker does choose a target, a smaller business with weaker defenses is an easier proposition than the bigger end of town, where dedicated cyber security resources are in place. Larger businesses may be more lucrative targets, but they’re better protected. Smaller businesses tend to be more exposed.
Take a moment to think about the sheer bulk of personal information held by your real estate agency: identity documents, payslips and bank details from tenancy applications, landlord and vendor records, and years of correspondence. Databases and CRMs are a treasure trove of details that attackers can exploit, for identity theft and fraud against your clients as much as anything else. It’s not hard to imagine the fallout a breach would have on your agency, including the damage to your reputation if your clients’ personal details were compromised.
It’s no wonder that many businesses have kept quiet about cyber security breaches: why report a hack when there is so much to lose? Following the introduction of the Notifiable Data Breaches scheme, businesses covered by the Privacy Act no longer have that option. Where a breach is likely to result in serious harm to the individuals concerned, it must be notified.
Understanding the scope of the problem
The Notifiable Data Breaches scheme requires businesses covered by the Privacy Act 1988 (Cth) to notify affected individuals, and the Office of the Australian Information Commissioner (OAIC), when personal information they hold has been lost or subject to unauthorised access or disclosure and serious harm to those individuals is likely to result. An entity that merely suspects such a breach must assess it promptly, within 30 days, to decide whether notification is required. One caveat for smaller agencies: the Act generally exempts small business operators with an annual turnover of $3 million or less, subject to exceptions, so an agency should confirm whether it is covered rather than assume either way. The long-anticipated scheme aligns Australia with other countries, which have had notification requirements in place for years.
For Dan Weis, Penetration Tester and Security Specialist at leading technology and security solutions company Kiandra IT, the new laws are long overdue.
“The security industry has been pushing for mandatory notification for a long time and we’re one of the last countries in the world to implement this type of legislation,” Mr Weis said. “The new laws won’t change the cyber security landscape in the short-term, and attacks will continue to increase in sophistication. What they will do is provide a degree of visibility that we’ve never had before.
“We have reports from major security vendors on the number and severity of Australian data breaches each year, but it’s only a small percentage of the actual breaches that occur. The reality is that most businesses don’t report breaches because they’re scared of reputational fallout. A good example of this is when Uber suffered a massive data breach in 2016 and then paid hackers to keep it quiet.”
Visibility will lead to awareness
With increased visibility will come a shift in mindset about the need to address cyber security.
“Because there’s been no mandatory reporting, people aren’t aware of the full extent of what’s happening,” Lyn Nicholson, General Counsel at Holding Redlich, said.
“This has contributed to the ‘it’s never going to happen to me’ attitude that’s so pervasive. In reality, there are two types of businesses: Those that know they’ve been breached and those that don’t know it yet.
“With the obligation to notify breaches comes a higher potential for reputational risk, which will effectively force businesses – including real estate agencies – to focus on cyber security. Complacency has to be a thing of the past,” the data and privacy specialist said.
With the new mandatory data breach notification laws forcing businesses to focus on cyber security, Ms Nicholson said being prepared takes on a new significance.
“Agencies should undertake an information mapping exercise, so they are familiar with the extent of their potential exposure,” Ms Nicholson said. “This will help identify potential risk scenarios and inform any investment in measures and processes to reduce risk.
“Education is also an essential piece of the puzzle. Survey after survey reveals that one of the biggest causes of data breaches is lost or stolen unencrypted mobile devices. Agencies need to understand how their staff are dealing with data and what potential there is for it to be compromised. Problems arise from unintended consequences, so staff education is key.
“Agencies should also have a documented incident response plan in place and have a crisis team ready to roll in the event of a breach.”
Ms Nicholson said the more prepared an agency is for a cyber security breach, the better it can respond.
“Businesses need to critically examine their existing information security framework, work out how to improve it and then take action.
“Some will undoubtedly say: ‘I don’t have the budget for it’. My response is: ‘Do you have the budget not to do it?’ The time and money a business invests preparing for the possibility of a cyber attack will repay itself many times over in the event an incident actually occurs and the fallout needs to be managed.”