In the past few years, Australians have become more aware of privacy and want control over their personal information. So, when it comes to cyber security, the issue of what would happen if a cybercriminal was able to steal this information or data is a prime consideration for businesses who have to hold data about their customers and employees.
Nearly half (43%) of all data breaches reported to the Office of the Information Commissioner (OAIC) are due to cyber security, according to its latest Notifiable Data Breaches Report: January–June 2021.
So, how can data get breached by cybercriminals, what are your obligations and what can you do about it?
How can my data get breached?
According to the OAIC report, the cyber security-related data breaches resulted from:
- Phishing (30%) This is where you receive what appears to be a legitimate email or text, but it’s really just trying to get your information.
- Ransomware (24%). Experts say ransomware is one of the biggest threats to businesses today and involves cybercriminals installing malware on your devices which then allows them to lock up your files and demand a ransom in return. Often, they will sell the data they steal on the dark web even if you pay the ransom.
- Hacking (9%). This is when an unauthorised person gains access to your computer or another device. Hackers look to gain access by exploiting security weaknesses until they find a way in. Once they’re in, they can do a lot of damage, including stealing files and information.
- Brute-force attack (5%) where someone systematically tries alternatives for a password until they discover what it is.
- Malware (5%) is a general term for any type of program that gets inside your computer or device with the aim of causing disruption or damage.
The top sectors for breaches due to cyber incidents were health service providers, finance, legal, accounting and management services and insurance.
What are my obligations as a business?
As a business, there are growing implications if your data does get stolen. In a recent editorial published in Cyber Security Connect, George Moawad, country manager, ANZ at Genetec, discussed cyber resilience and privacy concerns.
“As we know, cyber threats are not decreasing. From system hacks to DDoS (distributed denial of service) attacks to the increased prevalence of ransomware attacks, criminal cyber activity is on the rise,” he said.
“To address this, governments have developed legislation that holds businesses more accountable for data privacy or cyber security breaches – and in Australia there are a number of initiatives under consideration.”
- The outcome of the review of the Privacy Act, now expected in 2022, looks at a range of amendments, including increasing penalties for breach of the Privacy Act, and introducing a direct right of action for consumers.
- Private members bill by shadow assistant minister for communication and cyber security Tim Watts (Ransomware Payments Bill 2021), which is proposing that if an entity makes a ransomware payment, they must provide the Australian Cyber Security Centre (ACSC) with details or face a penalty. (note: this will not apply to businesses with a turnover of less than $10 million).
- Most recently the Security Legislation Amendment (Critical Infrastructure) Bill 2020 was released which seeks to expand to 11 the sectors that are now considered as critical infrastructure.
Mr Moawad also says there are “new questions about who is ultimately responsible for protecting data and privacy”.
“Gartner, the global research and advisory company, predicts that by 2025, 75% of CEOs will be personally liable for both cyber and physical security system attacks,” he says.
What can you do?
Mr Moawad says that when it comes to preventing data breaches “a pro-active approach is needed that includes a privacy-centric focus when designing a comprehensive data protection and privacy strategy”. This means embedding privacy into the design and operations of IT systems, networked infrastructure, and business practice.
Other experts recommend starting with the Australian Cyber Security Centre (ACSC) ‘Essential Eight’. This includes measures like multi-factor authentication, which calls for a two-step process for logging in – such as a password then getting a code via email or text message. And using password managers, which generate and store difficult-to-crack passwords.
Also, backing up data every day will ensure that if your files get locked by a ransomware attack, then you at least have the means to access that data.
Meanwhile, the OAIC says every business should have a data breach response plan to minimise the impacts on people.
Should I be holding that data?
Meanwhile, another expert urges businesses to think about whether they need to be holding data at all.
“In my experience, individuals and organisations continue to hold personal information when they don't really need it anymore; perhaps for fear of deleting something that they may need "one day, for something, maybe" or perhaps because they are uncertain about their retention requirements,” says Phillip Magness, Industry Professor at Deakin’s Centre for Cyber Security and Innovation.
He explains that the Australian Privacy Principles require them to take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose for which it was collected. And while this “seems simple” for an organisation, it can be complex when there are regulatory and business reasons behind keeping data.
He recommends businesses asking themselves questions about how much personal information they’re holding, where they’re holding it, how old the data is, and whether the benefit of holding it outweighs the risk of a breach.