From tomorrow, small businesses will be required to report all instances of personal data breaches to affected stakeholders and government authorities, with experts reminding business owners this is the perfect time to review their cyber security measures.
On Thursday, amendments to the Privacy Act will come into effect, requiring businesses to disclose any breach that involves personal customer data. The legislation applies to business with an annual turnover of $3 million or more, or for smaller businesses that operate by holding personal information, such as credit reporting agencies.
Companies will have 30 days to report data breaches to the affected individuals and the Office of the Australian Information Commissioner (OAIC).
In a statement, information commissioner Timothy Pilgrim said the Notifiable Data Breaches (NDB) scheme enshrines an expectation from individuals to be informed if they’re at risk of serious harm.
“By reinforcing accountability for personal information protection, the NDB scheme supports greater consumer and community trust in data management.”
If the new regulations are not followed, companies could be hit with fines of up to $1.8 million and individuals could be fined up to $360,000.
Bede Hackney, ANZ country manager of cybersecurity company Tenable, says there has been an assumption in the past that because data breaches were never coming to light, they were never happening. However, he says this assumption could change in the coming months.
“What’s changing now is we have to report and when we report, there’s going to be an investigation into whether we’ve taken reasonable steps [to inform the affected individuals].”
The OAIC has released resources on how businesses can mitigate harm after a data breach.
Businesses need to implement basic “cyber hygiene”
Hackney believes businesses, big and small, still aren’t covering the basics when it comes to cybersecurity.
He says implementing cyber security steps aren’t “super sexy” and businesses may be overwhelmed with the number of measures they need to enforce.
For businesses looking to review their cybersecurity policies, Hackney refers to the Top Four security guidelines published by the Australian Signals Directorate (ASD) as a good place to start. These measures aren’t meant to be difficult to implement, and yet they could significantly decrease the likelihood of a successful hack taking place, he says.
“I find more broadly it’s interesting that the Top Four framework really covers the lowest hanging fruit, and when you talk about bad actors that breach the organisation, they’re really looking for the easiest access point,” Hackney says.
The ASD said 85% of breaches it responded to in 2011 could have been avoided if it implemented the Top Four measures.
The Top Four list includes recommendations around: patching systems and updating software, restricting administrative privileges, white listing applications, and creating an in-depth security system.
“If you look at the vast majority of hacks, these breaches are leveraging vulnerabilities that have been known in the industry for months. Simple cyber hygiene like patching and credentials management would have prevented a lot of these headline grabbing hacks,” Hackney says.
Once those bases are covered, Hackney also stresses every appliance or piece of hardware connected to a business network environment can be vulnerable to a breach. This includes lesser considered objects like smart-fridges or air conditioners.
Once a business has the “Top Four guidelines” covered, they can move on the to ASD’s list of “Essential Eight” cyber security strategies.