Mandatory data breach law comes into force THIS Thursday - are you ready?
It took some time to get through parliament, but Australia's Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect on Thursday the 22nd of February, and almost every Australian business of significant size must comply with the new law.
The Notifiable Data Breaches scheme requires Australian government agencies and organisations with obligations to secure personal information under the Privacy Act 1988 to notify affected individuals, and the Office of the Australian Information Commissioner (OAIC), of eligible data breaches that are likely to result in serious harm.
Yet Canon Australia's Business Readiness Index on Security has uncovered some unsettling statistics.
3 in 5 businesses that will be affected by the new legislation are completely unaware of it and what it means for them, while a whopping 4 in 5 small businesses are unaware of the new laws.
Canon says this is particularly concerning given failure to comply puts private organisations with a turnover of more than $3 million at risk of crippling fines of up to $2.1 million.
"Third-party suppliers present a cyber security blind spot for many businesses. A business' security posture doesn't solely depend on its own efforts. Internally, a business could be a fortress, but the walls could come crashing down if a supplier's security measures aren't as robust – this should be number one on every boardroom's agenda at the moment," says Canon director of business services Gavin Gomes.
"Small businesses, for example, are seen as the engines of Australia's economy. The fact that 1 in 2 are only 'slightly' or 'not at all' concerned about potential upcoming breaches is in itself a red flag. In the short run, this makes them the ideal back door entry for cyber criminals angling for prized data and revenue from larger enterprises. Longer term, the implications can include missed opportunities worth millions – be it lost contracts or irreversible reputational damage."
It's a common belief that humans represent the weakest link in the security chain. However, Canon's study found that the majority of Australian businesses see technology or IT infrastructure as their biggest risk: 44 percent of the risk was attributed to hardware and software meant to prevent data breaches, 30 percent to people and 26 percent to policies and processes.
Concerns about IT infrastructure are steepest among small businesses with fewer than 20 employees, where respondents attribute 53 percent of the risk to technology, just 25 percent to people and 22 percent to policies and processes.
Furthermore, only 34 percent of small businesses reported having security training in place, and only 36 percent an IT/cybersecurity policy.
Harbour IT (a Canon Group Company) general manager of managed IT and security services Sop Chen says when it comes to overall security, ignorance is no longer bliss.
"According to the Index, it reportedly takes nearly a month (24.7 days) on average for a security breach to even be detected – whether it's seemingly innocuous spam, or insidious ransomware. Our experience tells us that in fact it is much longer than this, giving cyber criminals enough time to know your business better than your IT department," Chen says.
"Australian businesses are citing technology as their biggest downfall, but the question is if they're setting themselves up for success. Only 2 in 5 businesses have implemented six or more of the Australian Signals Directorate's Essential Eight (ASD8) – developed by the Australian government as the best practical strategies designed to help mitigate cyber security incidents. Also, just 3 in 5 have been assessed for security risk management."
Chen asserts there needs to be much more urgency accorded to being safe rather than sorry, and businesses need to better appreciate how their actions may affect the wider industry.
There is no shortage of risks keeping IT managers awake at night as attack surfaces continue to grow following the adoption of emerging technologies like cloud services and IoT.
However, Canon reports that just over half of IT managers are very or extremely concerned about protecting company data (52 percent) and customer data (51 percent), numbers that Canon says are far too low.
Forty-five percent rank ransomware as a high concern, and despite many recent data breaches resulting from phishing activity, only 39 percent of businesses classify it as a pressing concern.
The study revealed that while 84 percent of businesses are aware of printing-related security threats, only four in 10 businesses have their printers secured.
"Technology, globalisation and evolving demographics are changing the world we work in at a rapid pace. Innovation and disruption are becoming increasingly important for businesses of all sizes and across all industries," says Gomes.
"To survive and thrive in today's challenging environment, we believe that Australian businesses need to be innovative, agile, and trusted. The first, simple step for businesses is to take a good look at their current practices and be mindful of how leaders and employees are managing valuable information. It's no longer just up to IT Managers to take this responsibility."
Canon's Information Security study was conducted by GfK Australia and gathered insights from over 400 key business decision makers on how prepared they are when it comes to their information security practices.
More information about the Notifiable Data Breaches scheme and what you need to do to prepare can be found here.