Data security is an important consideration for businesses in an increasingly digital age.
By Elizabeth Jameson FAICD
During the 2016–17 financial year, 114 data breaches were voluntarily reported to the Office of the Australian Information Commissioner. After mandatory notification came into force in February 2018, 63 incidents were flagged in just six weeks.
Digitally dependent large enterprises claim to understand the magnitude of the cybersecurity challenge. The ASX’s voluntary cyber health check offered to the top 100 listed companies last year revealed 92 per cent of respondents had a degree of confidence about their cybersecurity, but only 29 per cent believed management could detect, respond to and manage an incident with minimal impact on the business.
Among SMEs, the situation is worse, says Terry Roberts, a former deputy head of US Naval Intelligence and now Chair/CEO of ASX-listed WhiteHawk, the security marketplace she established to help businesses find affordable and effective cybersecurity solutions.
“SMEs do not think they are a target and don’t invest in cybersecurity, even the basics. They don’t believe there is an affordable approach and won’t make that leap unless they have a contract at stake or have had [a breach],” says Roberts, speaking at an Australian Institute of Company Directors event in Australia recently.
Many local companies selling online to EU citizens or holding their personal data are now also subject to the General Data Protection Regulation. Organisations suffering a serious breach have 72 hours to notify authorities. Non-compliance can incur fines of up to four per cent of global revenues.
“It’s only been in the past five years that cybercrime and fraud has moved against all business sectors. Directors don’t have the tech experience, they don’t think of it as a business risk and they tend to turn to their technical people to solve it. It’s not a technical issue, it’s a business issue analogous to physical security.”
Roberts says companies must take a fresh look at their data and digital assets to identify what needs most protection. “Lock your windows and doors. Let’s put your jewels in a safe so at least if you have an event it won’t bring you to your knees and… [you’ll] be able to operate through it.”
Regular backup is critical, particularly to withstand a ransomware attack. However, truly sensitive data needs additional protection, using encryption to ensure data cannot be read or used. Roberts also recommends companies seek a risk rating from an independent cybersecurity agency. “If you deal with your customers via your website, you need to protect your website; if you communicate via email, it’s email security; if you have proprietary data like manufacturing data, there are simple data lockers that cost $5000 to encrypt that data. With midsize and small companies, it’s never about doing everything — that’s not affordable or practical. It’s about figuring out those dependencies you have on the internet that have a huge impact on your revenue.”
AICD is holding a number of ‘Cyber for Director’ short courses that enable participants to effectively engage in the process of identifying the evolving threats and risks to their organisation as well as maximising innovation opportunities using the lifeblood of the organisation: information. Courses are being held in Hobart and Launceston. To find out more, contact AICD on (03) 6242 2200, firstname.lastname@example.org or visit the website http://aicd.companydirectors.com.au