What are the potential consequences of a data breach?
1. Statutory fines and penalties
February 2018 will see the Australian Government enact the Notifiable Data Breaches (NDB) scheme. Once introduced, all organisations affected by a serious data breach are required to notify the Office of the Australian Information Commission (OAIC), and all individuals whose information may have been compromised.
Businesses and business directors that fail to adhere to new guidelines set out by the NDB scheme could face severe financial penalties: up to $360,000 for individuals, and $1.8 million for organisations.
2. Loss of trust and reputation
Brand reputation is one of the most valuable assets of any business.
Should your business experience a data breach where personal and / or the financial details of customers are leaked, the fallout could be disastrous for your brand and bottom line. It could take months if not years to regain the trust of customers.
3. Third party legal action (e.g. customers)
Third parties who experience damages as a result of a cyber attack, have the right to take legal action against you in order to seek compensation for their losses.
Changes to the Privacy Act in March 2014, saw companies become accountable for the security of third party data, e.g. your customers. As a result of this legislation, a breach of privacy or information theft, can see third parties seek compensation for emotional distress and future harm. Organisations may also be required to provide ongoing credit monitoring services to affected parties, at their own expense.
How can you protect your business against the fallout of a cyber attack?
Cybercriminals are continually finding new ways to circumvent IT security. Fortunately, there are a number of effective risk management strategies which can significantly reduce the risk, helping you protect your organisation against the fallout of a cyber attack.
a) Be proactive when it comes to data security
Below are some important preventative measures your company can take towards securing your data, (Computer Emergency Response Team (CERT), 2017).
- Install up-to-date software patches and use supported versions of software
This can prevent malware from exploiting known security issues.
- Develop a daily data backup strategy for your critical information
This ensures your organisation can still access information in the event of a cyber incident. An offline backup can also reduce the impact of a ransomware attack.
- Ensure no systems use default passwords
Companies should apply unique passwords to all systems, including website memberships so they cannot be easily guessed.
- Ensure you have reputable firewall, anti-virus and anti-spyware programs installed
A robust security platform helps to defend against malicious or unauthorised network traffic.
- Ensure staff have non-Administrator access
Administrator level accounts are a prime target for cybercriminals. Ensure your staff are using non-Administrator profiles for day-to-day activities to reduce the risk of compromising your network.
A sound IT security strategy can lessen the likelihood of a breach, but also demonstrate to stakeholders that your organisation takes information security very seriously. Additionally, your vigilance may help lessen the severity of legal outcomes should your organisation experience a breach, and third parties commence legal action.
b) Purchase a Cyber Liability Insurance policy
With the average cost of a data breach costing organisations around AUD$2.64 million (source: Ponemon Institute 2016 Cost of Data Breach Study: Australia), Cyber Liability insurance is an essential risk management measure to provide financial protection for your bottom line, and reputation.
Cyber Liability Insurance can offer a broad range of financial protection:
- Fines & penalties - Financial compensation to recoup costs that result from a security breach – including regulatory fines - which can amount to $1.8 million.
- Third party liability - Compensation for clients and customers who suffer financially or emotionally as a result of stolen data.
- Legal and forensic investigation expenses - Extends to include expenses for legal representation and costs that incorporate forensic and legal counsel.
- Reputational repair - Covers for the cost of professional consultants to assist in repairing damage to your company’s brand and reputation.
- Network interruption - Cover for net income that would have been earned, and continuing normal operating expenses incurred including payroll as a result of a security failure.
A Cyber Liability policy can provide cover and help maintain the trust among your key stakeholders, assisting with the survival of your organisation in the aftermath of a cyber security crisis.
Note: Standard Business Insurance policies do not extend to include non-physical threats such as cyber incidents.
c) Ensure the proper destruction of digital storage devices
It is important that any digital storage devices and hard drives are properly wiped and destroyed. A 2014 study by the National Association for Information Destruction (NAID) discovered an alarming quantity of confidential personal information stored on the hard drives of recycled computers. If made public, the release of this information would constitute a severe data breach.
The NAID encourages all businesses to be careful when selecting a recycling service for digital devices, and stresses the importance of ensuring data destruction is carried out by a company possessing the appropriate technical expertise.
d) Develop a Cyber Crisis Management Plan
All organisations should have a Cyber Crisis Management plan that clearly outlines immediate steps to take should a cyber incident impact your business. A clear plan can assist to ensure breaches are swiftly dealt with, and can help to reduce the severity of the fallout following an incident.
The plan should include key external support agencies who can assist in managing the crisis:- IT consulting partners, your insurance broker and/or insurer, and cyber security agencies where you are required to report the incident e.g. Australian Cyber Security Centre (ACSC) and the Australian Computer Emergency Response Team (AusCERT).
A proactive response can help minimise reputational damage and enable you to quickly rebuild trust among key stakeholders. In the event of a data breach, companies must remember to:
- Remain transparent
- Provide full disclosure to clients and regulators regarding the extent of the data breach
Withholding information, or intentionally playing down a serious situation, could have severe legal repercussions and damage your reputation.
e) Instil IT awareness in your employees
An IT Awareness Program can help educate employees on cybercrime, and most importantly, remind them of the part they play in keeping company data secure.
As hacking techniques become more sophisticated, it is increasingly difficult to distinguish between legitimate emails and phishing scams. Regular training on helping your workforce can recognise fraudulent emails and scams can play a key role in preventing malicious, damaging attacks on your IT systems and data.
Thanks to Whitbread Insurance for providing this article.
If you need any assistance with your cyber security or you don't know where to start please call us on 1300 4 787 389 or email us at firstname.lastname@example.org.
About the Author
Geoff Stewart is a highly experienced and skilled Technology Director at Surety IT. His knowledge is based on years of industry experience having created customised, stable, well performing systems both for multi-national companies in the UK and Australia and Surety IT customers.
Surety IT can help you create the right system to enhance your business, ensuring you know how it is right for you and how to use it. We will tailor a solution to suit your needs with leading systems, local support and more, building your vision for a more flexible and capable business.