Cyber Security Blog #3 – Cyber Security: The Essentials for Business

The Australian Government released its Australian Cyber Security Strategy (“Strategy”) on 21 April 2016. In our last cyber security blog (2/3), we provided our analysis of the Strategy. The Strategy treats cooperation with the private sector as central to dealing effectively with cyber threats. In the first blog of this series (1/3), we noted that Telstra’s inaugural Cyber Security Report in 2014 found that 41% of the organisations it surveyed had been the victim of a significant security breach in the past three years.[1] These attacks, which target the sensitive and confidential information of a business, result in serious costs, ranging from loss of reputation and customer confidence to the substantial time and administrative cost of rectifying the breach. Given the ever increasing frequency of malicious cyber activity, it is evident that the current approach businesses take to cyber security is lacking and needs to improve. So what can your business do?

Put Cyber Security on the Board’s Agenda

Cyber security issues are widely perceived as too technical to be tackled by boards or management and are swiftly delegated to the IT department. Cyber security breaches are inevitable and take a huge toll on businesses. They therefore need to be viewed as central to the operation of your business and as a board responsibility, not a peripheral matter. To reflect the seriousness of cyber security breaches, we recommend that businesses appoint a senior adviser who engages with company executives and the CEO on information and data security and strategy. Many companies have already set up this structure; what is often lacking is a clear channel of communication between the Chief Information Officer and the CEO, which is crucial to the success of the position.

Assess Your Vulnerabilities and Formulate an Aggressive Approach

What valuable data does your business hold? What kinds of threats are you facing? What can you do now to prevent or mitigate those threats? It is crucial that businesses can answer these questions so that proactive measures, for instance a data management and security policy, can be put in place against security breaches. Reactive approaches have repeatedly proved ineffective in tackling cyber security issues. Instead of waiting for a breach to occur before taking action, companies should plan rigorously so that not every decision has to be made on the spur of the moment. This means asking the difficult questions ahead of time. If a breach does occur, an appropriate data security breach procedure must be in place to respond to it. Such a procedure should not only deal with the breach as a one-off occurrence; it should also include measures to investigate how a future breach of a similar nature can be prevented. The reason these questions go unanswered comes back, again, to a lack of expertise. It is worth considering bringing in an outside expert consultant to help evaluate your company’s specific vulnerabilities. We also recommend considering cyber security expertise in the hiring process, for both employees and board recruitment, so that your business is peppered with people who understand the importance of cyber security and can implement the strategy designed by the CIO.

Know Your Responsibilities: Disclosure

Australian companies are currently under no obligation to disclose data breaches. Nevertheless, the Office of the Australian Information Commissioner encourages businesses to disclose voluntarily. An exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 does contain an obligation on businesses to disclose data breaches involving personal information where there is a ‘real risk of harm to any of the individuals’ concerned. It remains to be seen whether it will be enacted.

[1] Telstra Corporation Limited, Telstra Cyber Security Report 2014, p. 30.

Our experts can help you establish cyber security, compliance and data breach strategies tailored to your business. Contact us to speak to one of our lawyers.