It was the year 2000. Just as the world was getting over the panic of the Y2K bug and dredging out their reserves of canned food from their basements, a new, lesser-known cyber threat was emerging in Australia.
The concept of “cyber risk” was first flagged as a national security issue in a 2000 Australian Defence White Paper, yet if you spoke to the average business owner about “risk” at the time, the notion of a cyber-attack would have seemed remote, if not sci-fi.
Cut to a quarter of a century later, and cyber risk in business has taken centre stage. Made infamous through a litany of high-profile data breaches, the threat once regarded as either a national security or big business problem is now so commonplace that the Government has foreshadowed changing our laws to require all businesses to comply with privacy regulations.
So what can small businesses expect in 2024? With cybercrime costing Australian small businesses an average of $46,000 each year, we can’t afford to ignore cyber risk. So how can you strategically secure your business against the threat of a cyber-attack?
Changes are coming
It’s safe to say the world has changed a lot since Australia’s Privacy Act was introduced in the 1980s. But until recently, our privacy laws have largely been aimed at large corporations dealing with personal data and included a specific carve-out for small businesses (that is, a business with an annual turnover of $3 million or less).
However, the changes endorsed by the Government in the Attorney-General’s Department’s 2023 Privacy Act Review Report would do away with the small business exemption and bring SMEs into a whole new legal landscape.
At a high level, the expected changes include:
• Stricter reporting times for eligible data breaches – from 30 days to 72 hours.
• Allowing individuals to request erasure of their data.
• Introducing a statutory tort for serious invasions of privacy.
• A requirement that any collection, use and disclosure of personal information be fair and reasonable in the circumstances.
While these reforms are aimed at protecting individuals’ data, the high-profile data breaches of Optus and Medibank are stark reminders that cyber risk can also lead to financial loss, business disruption, and damage to reputation.
To any business feeling casual about cyber security – it’s time to get serious.
Getting on the front foot: what your business can do
1. Take stock of your data holdings
We know that data is a prized commodity. But is holding onto it worth the risk?
Consider the following:
• Undertake an audit of what you collect and store
• Check your document retention requirements – are you holding onto the Ghosts of Clients or Customers Past, for example, files beyond 7 years?
• Review your processes – how does your business collect, store, use and share personal information?
• Are there any holes in this process that could leave your business vulnerable to hackers?
• What personal information do you absolutely need to conduct business, and what are the nice-to-haves?
• Reduce your collection and storage of data where possible, and destroy it when no longer needed to reduce the risk of it falling into the hands of third parties.
2. Review (or create) your privacy policy
A privacy policy is a publicly available statement of how your business handles its clients’ or customers’ personal information.
If your business generates over $3 million in annual turnover or engages in certain activities including handling health information or trading personal information, you should already have one.
If you’re a small business weighing up whether it’s worth the investment, the answer is yes. Not only does a privacy policy promote trust by telling your clients what you plan to do with their information, it also sets the roadmap for how your organisation conducts itself when collecting, using, storing and sharing personal information.
If you’re not sure if your privacy policy is up to scratch or where to start, seek legal advice.
3. Invest in cyber security
Cyber security is the antidote to cyber risk and can take on several forms, including:
• Regularly updating software
• Turning on multi-factor authentication
• Keeping devices locked and physically secure – particularly with employees working remotely
• Strengthening password requirements (Goodbye, “Hello123”)
• Restricting access to information to only those staff who require it for their role
• Investing in cyber security detection systems and anti-malware programs
• Backing up information to recover it in the event of an attack
Many of these controls are simple and inexpensive measures for small businesses to improve security. For more information, see the Small Business Cyber Security Guide or consult an IT professional.
4. The cost of human error
It’s been found that 95% of cyber security events in Australia are caused by human error. An impressive statistic – and for all the wrong reasons.
It follows, then, that the businesses that score top marks in cyber security school are those that train their staff in good cyber practices – including senior leaders.
Make your employees your first line of defence by educating them on:
• How to spot scams, phishing attacks and malicious software
• Common security threats such as compromised emails and ransomware
• Positive security habits, including locking computer screens, not storing passwords and how to secure your information
• What procedures to follow if a cyber event does occur
Strategically investing in these measures can go a long way in protecting your business and clients from the threat (and embarrassment) of an attack. Remember that cybercrime is costing Australian small businesses an average of $46,000 each year, so we can’t afford to ignore cyber risk.