What are they?
Cyber security is a collection of technologies, processes and practices designed to protect networks, computers and data from attack, damage or unauthorised access. Cyber security breaches occur when secure information is released (intentionally or unintentionally) into an uncontrolled environment, or when sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by unauthorised persons.
Why should my business worry?
Cyber security breaches cost the Australian economy and individual businesses a lot of money. Data breaches are estimated to cost the Australian economy $17 billion per year and 46% of local SMEs were affected in 2015. In 2015, the average cost for a breach rose 7.6%, to $3.79 million.
Data breaches can have a substantial, negative impact upon the reputation of the organisation. A Forbes Insight report found that 46% of organisations suffered damage to their reputations as a result of a security breach. This in turn affects the organisation's ability to attract talent, investment and supplier engagement. Large firms can and do recover, but this recovery often requires effective management and remediation strategies, both of which are costly.
Breaches not only affect the organisation, but can have significant detrimental impacts upon the individual victims. The widely publicised release of 37 million customer profiles from the infidelity site Ashley Madison was linked to reports of two suicides and numerous bribery and extortion attempts.
Proposed legislative changes will have a significant impact upon the requirements for businesses to report breaches. Currently the Privacy Act 1988 does not stipulate that an organisation needs to report a data breach to an individual, even where the breach involved their personal information. The proposed Privacy Amendment (Notifiable Data Breaches) Bill requires an organisation to report breaches to the individual(s) affected or deemed "at risk" and to the Australian Information Commissioner. The fines for failing to comply are significant: up to $360,000 for individuals and $1.8 million for organisations.
What should I do?
Complete a review of what data your organisation holds and who within your organisation has, or needs, access to it. Your organisational data is an asset and therefore needs to be managed appropriately. Controlling who has access to your organisation's data via file permissions will reduce your exposure to risk and assist with compliance with privacy requirements. Don't forget to include your supply chain in this review: the 2013 Target breach was attributed to an HVAC contractor. As supply chains become more integrated and interrelated, communication and cooperation with all key parties is going to be central to effectively managing cyber security risks.
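The access review described above can be started with a simple inventory of file permissions. The following script is an added example, not part of the original page or any government material it refers to: it walks a directory tree, flags files that anyone on the system can modify, and flags files whose name suggests they are sensitive but which are readable beyond their owner. The "confidential" naming convention and the throwaway sample tree are assumptions constructed for the example.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def audit_permissions(root):
    """Return a sorted list of (relative path, octal mode, reasons) for files
    whose POSIX permissions breach a simple, assumed access policy:
      - no file may be writable by 'other' (anyone on the system);
      - files tagged as sensitive (assumed convention: the name contains
        'confidential') may be readable by the owner only.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        reasons = []
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if "confidential" in path.name.lower() and mode & (stat.S_IRGRP | stat.S_IROTH):
            reasons.append("sensitive file readable beyond owner")
        if reasons:
            findings.append((str(path.relative_to(root)), oct(stat.S_IMODE(mode)), reasons))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway directory with constructed sample files and modes.
    These are not real records; they exist only to exercise the audit."""
    root = tempfile.mkdtemp(prefix="perm_audit_")
    sample_files = {
        "public/price_list.txt": 0o644,            # readable by all, fine for public data
        "hr/confidential_salaries.csv": 0o640,     # group-readable: too broad for sensitive data
        "shared/scratch.log": 0o666,               # world-writable: anyone can tamper
        "finance/confidential_forecast.xlsx": 0o600,  # owner only: compliant
    }
    for rel, mode in sample_files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("sample content")
        os.chmod(target, mode)
    return root


def run_sample_audit():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_permissions(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, mode, reasons in run_sample_audit():
        print(f"{rel_path} ({mode}): {', '.join(reasons)}")
```

To review a real share, call audit_permissions on its root path and treat each finding as an item for the access review: either tighten the mode, or record why the wider access is required. The check is deliberately conservative and only covers POSIX mode bits; ACLs and network-share permissions need their own review.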
Confirm that your organisation has adequate network and device security in place. Make sure that your anti-virus software is kept up to date and that your organisation has an effective program for backing up data.
Implement governance and training. Regular training ensures that your staff members remain up to date on cyber security matters and know what to look for in terms of suspicious links and emails. Good governance monitors your organisation's compliance with regulatory requirements. An effective approach can help to foster a culture that is both vigilant and aware of the importance of cyber security.
Develop and implement a comprehensive incident response plan. In the event of a cyber security breach, your incident response plan can limit the scale of the impact on your organisation and shorten the time taken to recover.
For further information, visit the Australian Government website, www.staysmartonline.gov.au.
Source: 2014 Cost of Data Breach Study: Australia, benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2014.