©2018-2019 by The GRC Institute - Governance, Risk & Compliance.  ABN: 42862119377

Not enough GRC around Cyber Risk

October 10, 2018

The Facebook breach, which affected 50 million accounts, is a reminder to companies that cyber threats are no longer one-off events but the new normal.


Jo-Ann Hayes, Head of Risk and Compliance at Grant Thornton, caught up with the GRC Professional in a recent interview.


“It is a situation that’s becoming more and more important because directors run the risk of being dragged into class action suits,” she explained.

The question directors should be asking, according to Hayes, is who is across IT security risk and privacy in their organisation. If the answer is just the IT team, that should ring alarm bells.

Both the Australian Privacy Principles and, more recently, Europe's newly-implemented General Data Protection Regulation (GDPR) stress the same point. Hayes does not believe organisations have yet realised that cyber security is not just the remit of IT.


“Privacy and regulation, like the GDPR, also falls into the realm of legal and compliance,” she explained.

However, the prevention of breaches is still being entrusted to IT professionals.


Regulatory Responsibility

Angelene Falk, Privacy Commissioner and Information Commissioner at the Office of the Australian Information Commissioner (OAIC), said Australian businesses have regulatory requirements to meet under the Privacy Act. The Act celebrated its 30th anniversary earlier this year.


“While the risk of a data breach can’t be completely eliminated, businesses can control how they respond. The way you respond can define your business and have a major impact on consumer trust,” Falk said. “The potential impacts on reputation and consumer trust should also motivate businesses to take preventative action to ensure customer data is protected.”

She explained that since the Notifiable Data Breaches (NDB) scheme began earlier this year, the main causes identified for data breaches have been 'malicious or criminal attacks and human error'.

The first quarterly report for the NDB scheme was released in April, with 63 notifications made in the scheme's first six weeks. In addition, the OAIC received 114 data breach notifications on a voluntary basis.

At the time, the OAIC said that the scheme was in keeping with the views of the 94 per cent of respondents to the 2017 Australian Community Attitudes to Privacy Survey.


“There is a strong human element to data breaches, and so it is important to understand that you can reduce the risk of data breaches through staff awareness of secure information handling practices,” Falk said.

She emphasised the need to handle consumer data transparently: only businesses that continue to operate transparently can expect to meet community expectations.


“The OAIC will continue to work with businesses and Australian Government agencies to provide resources on how to comply with the scheme, including the upcoming July – September 2018 Quarterly NDB Report of statistical information on notifications received by my Office. The statistical reports provide important information on the causes of data breaches that assist business and government agencies to put in place prevention strategies,” Falk said.


Stay Smart Online Week

For Stay Smart Online Week, which will run from 8 to 14 October, the OAIC aims ‘to help the community fight cybercrime’.


Recommendations from the Australian Cyber Security Centre (ACSC):

  • Passwords are your first line of defence: use a different and strong password on all of your accounts, and add an extra layer of security with two-factor authentication.

  • Phishing uses fake messages that try to trick you into giving out your personal or financial details. If you receive a suspicious message, do not click on any links or open any attachments.

  • Updating your software is one of the easiest ways to protect yourself online. Install software updates as soon as they become available. Better yet, set your system to auto-update.

  • Be wary when using public Wi-Fi. Without the right protection, cybercriminals could see your information, so don't do online banking or online shopping or send sensitive information.
