The fallout from the #datafails – is your business cyber secure?


At times like this, most of us think that if the big guys can be vulnerable, then most certainly so can we. And that’s potentially an issue, because we shouldn’t just be thinking about cyber security when things go wrong, we should be thinking about it routinely.

By Jim Vass

Protecting your business and your customers


Most of us have been following the Medibank, Woolworths and Optus data breach stories, not just because we may have been personally affected, but because the prospect of a cyber-attack or data breach hitting a small business is pretty nerve-wracking.

Both Optus and Woolworths have been heavily criticised in the wake of the breaches, which affected millions of Australians, for not doing enough to help customers navigate the fallout.

For Medibank, the disaster has played out very differently. The company was threatened with extortion and, having refused to pay, was left with no option but to accept the risk that those claiming responsibility for the attack would leak the data, which, according to reports, they eventually did.

There has also been a very interesting debate about where the real responsibility for resolving the issue lies, with much of the onus currently placed on customers to change passwords, ‘be vigilant’ and improve their personal online security.

Under the Notifiable Data Breaches (NDB) scheme, which came into force in February 2018, a company that suffers an eligible data breach is obliged to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals, and to recommend the steps those individuals should take in response. Beyond that, the scheme places few obligations on the company.

Be alert for legislative reform and other changes


The NDB scheme was never really intended to be punitive. Its purpose was to set up alert and support mechanisms for businesses that suffer data breaches, and to encourage businesses to stay vigilant about data security.

But what each of these incidents has also highlighted is that businesses cannot take a reactive approach. We must all be far more proactive in protecting data and systems.

Understandably, affected customers still feel angry, frustrated, confused and concerned about the potential for identity theft. Their trust has been completely broken.

For Medibank customers, the devastation of having personal health and financial information leaked onto the dark web or into the public domain is difficult to fathom. At this point in time they are largely powerless.

What will inevitably follow the inquiries by the Australian Communications and Media Authority (ACMA) and the OAIC, and the criminal investigations by the Australian Federal Police (AFP), are recommendations for reform, and with them further layers of compliance.

The Federal Government also has a review of the Privacy Act under way.

These are good things that will hopefully lead to better protections for consumers, but any such reforms could prove costly for small businesses, even those that already have robust data security and data management policies and procedures in place.

The threat of cyber-attack is very real. Most of us now use cloud storage and accept that doing so carries a level of risk.

Your responsibilities


The key for small business is to make sure that regular security checks are carried out, such as:

  • audits to make sure that data you no longer need is securely deleted, so it cannot be stolen in a breach
  • patching and upgrading software and systems so that known vulnerabilities are closed
  • seeking specialist IT advice to make sure you are following best practice on data security
  • communicating with customers about your privacy policy and their rights in relation to the personal and / or sensitive information you hold about them
  • brainstorming and research into whether there is a better way of doing what you do, or a better system for doing it
  • encouraging customers to take out individual identity theft protection that covers them across most of their online activity.

Sure, all of this sounds like a no-brainer, I know.

But hands up if you actually perform these activities consistently?

The thing is, in today’s fast-paced technological environment you cannot take a ‘one and done’ approach to your tech systems, so you need to:

A) – make time to get this work done … and

B) – have the funds available to get it done.

What next?


It’s early days. A couple of law firms are considering a class action against Optus, which could see it paying out millions of dollars in compensation, on top of millions of dollars in fines if it is found to have breached any laws.

Financial repercussions aside, there is also the reputational damage. And it’s important to remember that a small business in the same situation would be unlikely to survive it.

We’re happy to help you work through your strategic planning around tech system upgrades, technology audits and security checks and balances, to make sure the timing is sensible and, of course, that the necessary funds are budgeted.

These IT projects don’t come cheap, because they require specialist IT expertise, but they must be treated as a cost of doing business in today’s digital environment.

Right now, it’s important to make sure you know what you need and that there is enough in the budget for the right kind of IT support.

It may also be wise to increase that budget incrementally, in case law reform does require significant changes to compliance, so that you don’t get caught out.