Credit: ID 134650275 © kkssr | Dreamstime.com
Data breaches have become a dime a dozen in the digital era and Australian businesses which fall victim join a rollcall of well-known companies that have been targeted successfully by hackers and cyber-criminals.
There were 215 breaches reported to the Office of the Australian Information Commissioner (OAIC), Australia’s privacy watchdog, in the first quarter of 2019, according to the Notifiable Data Breaches Quarterly Statistics Report.
Malicious or criminal attack accounted for 61 per cent of reports, and human error the vast majority of the remainder.
Australia’s data protection legislation gives local companies 30 days to notify the OAIC and affected customers of significant data breaches – but other privacy regimes to which Australian businesses can also be subject demand a considerably faster response.
The European Union’s GDPR data protection and privacy regulations require organisations to disclose breaches within 72 hours or risk eye-watering fines – up to 20 million Euros or four per cent of global turnover for large entities.
The rules don’t just cover companies domiciled on the Continent; they can be applied to any organisation which collects and stores the data of EU citizens, regardless of its geographic location.
Other countries, most notably the US and Singapore, are considering following suit, in response to ongoing public concern about the issue of personal privacy in the digital era.
Hope for the best, prepare for the worst
In 2019’s punitive privacy landscape, being ill prepared to respond to a data breach is asking for trouble, financially and reputationally. So, how can businesses ready themselves to react swiftly and effectively – and within the prescribed timeframes – should they find their cyber-defences have been ineffective?
Here are four questions every Australian enterprise must be able to answer within days, if the worst occurs.
What’s the extent of the incident?
Announcing bad news is never pleasant but, if it’s necessary to do so, doing it once and well is preferable to eking it out in stages. Ascertaining the extent of the issue – and making a full and frank disclosure – should be the number one priority for the individual or team charged with investigating cyber compromises and data breaches.
What’s the nature of the compromise?
Once the alarm has been raised, it’s a race against the clock for businesses which learn, or suspect, their cyber-defences have been breached. It’s not sufficient to simply advise the relevant regulators that trouble has struck. Rather, organisations must be ready to provide specific, technical details about exactly what has happened and the systems which have been compromised.
Who has been affected?
Equally as important as the obligation to report an incident to privacy bodies, is the requirement to inform the individuals whose particulars, contact details, bank account numbers, or sensitive health data may have fallen into unknown and possibly unscrupulous hands. Doing so in a timely and transparent manner can help mitigate the customer anger and mistrust which frequently follow a major incident.
Have we seen off the attackers?
Meeting their compliance obligations after an attack should be the aim for all Australian businesses which value their reputations – but their efforts are likely to be futile if the perpetrators are still on the (virtual) premises.
Enterprises stand a better chance of seeing them off – and ensuring they don’t come back a second time – if they make forensic investigation of the incident an essential element of their response plan.
Research suggests that for many businesses it’s currently an optional extra. A report from Enterprise Management Associates in early 2019 found less than a quarter of organisations investigated all critical security incidents following their initial detection.
Time to act
Cyber-security incidents are no longer merely a technical misfortune or operational irritant. Stringent privacy regimes, at home and abroad, are forcing Australian enterprises to consider whether their protection measures are sufficient and to prepare robust response plans, should cyber-attackers succeed in slipping through the high-tech cordon. Those that fail to do so risk financial and reputational fall-out they may be ill-placed to afford.