October is Cyber Security Awareness Month and, with the recent data breaches leaving many organisations scrambling to protect customers’ data, Akyra reached out to Emma Croston, our expert in digital innovation and technology.
Emma is a leading digital strategist with broad and deep digital expertise, having most recently founded, built and exited (via acquisition) a highly successful health tech start-up.
Here are her thoughts on how management can protect themselves and the customer and employee data held by every business.
Emma says her inbox is full of emails from organisations asking her to update details and verify credentials, but none reassuring her that her details are safe.
This has me questioning why it has taken so long for companies to take control of the reins of their responsibilities concerning data protection and cybersecurity.
It reminds me of the fable of the Wolf and the Kid; the risks and misadventures of a reactive stance towards securing information technology assets are well known.
The Kid had spoken a long time ago, so we were already on notice. Australian organisations were the targets of a significant number of attacks during 2020/21, with more than 67,500 reports filed, a reported increase of 500% since the start of the COVID-19 pandemic. Back then, the Australian government warned organisations to be vigilant.
During that time, I worked with a client who had a significant breach and who also had several government clients.
So… what did we do? We engaged global cyber experts who described the increased attacks on Australian businesses as unprecedented.
Crude statistics suggest a business in Australia has a 30% probability of suffering a data breach and, according to the ACSC (Australian Cyber Security Centre), an average of 164 cybercrime reports are lodged every day. Given all the forewarning, it is sobering to see recent incidents in important industry sectors expose fundamental shortcomings.
As the 4th industrial revolution peaks, every organisation has an obligation to protect its customers’ data; doing so, however, becomes more complex as the number of systems and integrations grows.
Systems must also abide by specific rules in different jurisdictions, depending on where they operate and the nature of their operations and data. Nevertheless, some of the most significant risks to a business come down to its users’ diligence and its approach to cybersecurity. With that in mind, let’s explore what you can do today to protect your business.
Educating your people on the importance of protecting the company’s data is imperative; awareness substantially reduces exposure. Set an email policy and train your workforce to identify questionable emails and to confirm the sender’s details, and any change to payment details, offline: by phone, using a number you already hold, not one printed in the email.
We have all heard the stories of real estate deposits going to fake bank accounts. This happens when somebody acts on a fraudulent email, whether by clicking a link or by following payment instructions sent from a lookalike address or a compromised mailbox. You can implement protection software; however, education and common sense are cardinal in your protection efforts.
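As an added illustration (this is not code from the original post or from Akyra), the following Python script applies the same three checks a trained person would make on a settlement email before paying: does the Reply-To point somewhere other than the sender, is the sender’s domain a near miss for one you actually deal with, and does the message ask to change where money goes. The trusted domains, addresses and message bodies are constructed for the example and refer to no real organisation.

```python
"""Heuristic checks for payment-redirection (business email compromise) emails.

Added example, not from the original post. Every domain, name and message body
below is constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Domains of parties this hypothetical business regularly pays. In practice
# this would come from your vendor or contact register, not be hard-coded.
TRUSTED_DOMAINS = {"smith-conveyancing.example", "harbourside-realty.example"}

# Phrases that commonly accompany a request to change where money is sent.
PAYMENT_CHANGE_PHRASES = (
    "new bank account", "updated bank details", "changed our account",
    "bsb", "account number", "deposit to the following",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: Optional[str]) -> str:
    """Lower-cased domain from an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # One or two edits catches swapped, replaced or added characters
        # (smlth-conveyancing, smith-conveyancinq, smith-conveyancing1).
        if levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def assess_email(raw_message: str) -> List[str]:
    """Return warnings for the message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    warnings = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    # 1. Replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 2. The sender's domain is a near miss for one you actually deal with.
    imitated = lookalike_of(from_domain)
    if imitated:
        warnings.append(f"From domain {from_domain!r} looks like trusted domain {imitated!r}")

    # 3. The message asks to change where money goes.
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"] if msg.is_multipart() else [msg]
    text = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts).lower()
    if any(phrase in text for phrase in PAYMENT_CHANGE_PHRASES):
        warnings.append("Payment-detail change language; confirm by phone on a number you already hold")
    return warnings


# Constructed sample messages: one genuine, one imitating the conveyancer.
GENUINE = """From: Jane Smith <jane@smith-conveyancing.example>
To: buyer@buyer.example
Subject: Settlement statement

Hi, attached is the settlement statement for your review. Call me with any questions.
"""

FRAUDULENT = """From: Jane Smith <jane@smlth-conveyancing.example>
Reply-To: Jane Smith <jane.smith@mail-relay.example>
To: buyer@buyer.example
Subject: URGENT: Updated bank details for settlement

Hi, we have changed our account for the deposit. Please transfer to BSB 000-000, account number 12345678 today.
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("fraudulent", FRAUDULENT)):
        print(label, assess_email(sample) or ["no warnings"])
```

The script flags nothing on the genuine message and raises all three warnings on the fraudulent one. None of these checks is proof on its own, which is why the last warning tells the reader to pick up the phone rather than reply; a mail filter can surface these signals, but the offline confirmation the policy above requires is what actually stops the transfer.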
Don’t trust a system because someone else uses it or it has a good reputation. Do your due diligence and find out where and how the data is protected, both at rest and in transit.
A good starting point is to check the vendor’s certifications and its compliance with the rules of your industry and country of operation. Ask for evidence rather than logos: the ISO/IEC 27001 certificate and the scope it actually covers, the SOC 2 report, and how they meet regimes such as the GDPR or PCI DSS where those apply to you.
You should see every device as a door to your business; if it doesn’t have a security screen, people can walk in.
The assumed level of trust when it comes to devices and endpoints frightens me. People seem to assume that if something can be sold in a consumer market, protection comes out of the box. It does not.
A vast area of vulnerability at the moment is mobile applications. We all hit the download button and accept the terms, hoping Apple or Google are protecting us. Well, they aren’t; store review does not assess what an app does with the data you hand it.
Mobile applications can be an easy way to collect data that you have unknowingly given the provider permission to access. Everything digitally enabled is a risk.
You need a policy for how personal and company devices are managed, including a protocol under which applications are assessed by a cybersecurity expert before they are installed.
Take the time to conduct a cyber health check. The Australian Government has several resources to assist businesses; you can start with this assessment tool: https://www.cyber.gov.au/acsc/small-and-medium-businesses/cyber-security-assessment-tool.
If your system architecture is complex or you handle sensitive data, I suggest engaging a penetration test. In a nutshell, you authorise a third party to attempt to break into your systems, within an agreed scope, and report the vulnerabilities they find. Be warned though: this is a confronting process. You will be amazed how powerful that printer next to you becomes once it is connected to the network.
Data Breach Plan
Sadly, we live in a world where breaches are going to happen, so every organisation needs to be prepared for them.
The OAIC recommends a data breach response plan as part of meeting your obligations under the Privacy Act, and sets out clear guidance on how it expects organisations to manage and respond to data breaches. Under the Notifiable Data Breaches scheme, organisations covered by the Act are legally required to notify the OAIC and affected individuals of eligible data breaches, that is, breaches likely to result in serious harm to the individuals concerned.
The plan should set out how your business will prevent, identify, contain, assess, respond to, manage, communicate and review a data breach.
You will need to clearly define the roles and responsibilities of your employees, leadership and board. Every member of your team should understand and adhere to the plan.
You should also identify the third-party stakeholders likely to be affected by a breach, and any third parties who will be needed to respond and help contain it.
Within your data breach plan, you should also set out how you would respond to a ransomware attack or demand. It is important to have a policy in place so that, if it does happen, you know exactly what to do. With any ransomware incident, I suggest engaging a specialist third party to act on your behalf, verify the attacker’s claims and advise on your options; this is a highly valuable course of action. Note that the ACSC advises against paying ransoms: payment does not guarantee that your data will be restored or not released.
Please also be aware that data breaches are not just software related: they include the failure to dispose of paper records correctly and the loss or theft of devices holding sensitive data.
You can find out more about data breaches here https://www.oaic.gov.au/
Although all of this may seem overwhelming and confronting, having a plan and a considered approach will help you navigate the process should such an unfortunate event occur.
Prevention is always better than cure, and there are a number of simple steps you can start with to help prevent such events.
NEED MORE INFORMATION?
If you would like any assistance with your data breach plan, feel free to reach out to Akyra who will put you in contact with our guest blogger, Emma Croston. Please contact Akyra on 07 3204 8830 or book a free 30-minute consultation for an obligation-free conversation.
Disclaimer – Reliance on Content
The material distributed is general information only. The information supplied is not intended to be legal or other professional advice, nor should it be relied upon as such. You should seek legal or professional advice in relation to your specific situation.