Data protection is a key issue for organisations around the world. With the rapid increase in remote working arrangements in response to the Covid-19 pandemic, and the increased sophistication of malicious parties, no business is immune from cyber security attacks and data breaches.
- In 2020, 1,051 businesses in Australia notified the Office of the Australian Information Commissioner (“OAIC”) that they had suffered a data breach.
- The average cost to a business per data breach worldwide was estimated to be AU $3.35 million.
- The reputational damage from the impact of a data breach and the loss of trust by your customers can be detrimental to the survival of your business in a competitive market.
- It has never been more critical to ensure your business is protected from cyber security attacks.
Data Protection Measures
Despite the prevalence of such incidents, there are several steps your business can take now to help reduce the likelihood of falling victim to a cyber security attack.
1. You can’t secure what you don’t know you have: any effective data breach prevention strategy needs to start with an understanding of what information your business collects, stores and processes. A privacy assessment can help you understand your business’s legal responsibilities in respect of the information that it holds and how well it complies with its privacy obligations. If your privacy practices aren’t up to scratch, it’s better to fix them before it’s too late.
2. Secure the assets: there are many ways to prevent a data breach using technology. This includes:
- encrypting sensitive information, rendering it useless to any potential hacker;
- securing email domains by implementing authentication protocols;
- incorporating phishing incident response tools to identify suspicious-looking emails; and
- using a VPN connection for protected networks while working remotely.
If you are unsure whether your information is secure, have a third party carry out a security audit and risk assessment to help you identify any weak points in your systems, so that you can best protect yourself from cyber-attacks.
3. Prepare and prevent: the actions you take during the first few hours after a data breach occurs are the most crucial; therefore it is important that your business has an Incident Response Plan (“IRP”) to assist the business in making the right decisions quickly and to minimise the impact of a data breach. Among other things, an IRP should include:
- an explanation of what a ‘data breach’ is and examples of the common types of data breaches that may occur within the business and how to identify them;
- a step-by-step plan for containing the breach, assessing the risks and considering your legal obligations to notify the affected individuals;
- a clear communication strategy for dealing with internal and external parties who may need to be notified regarding the breach; and
- details of relevant staff to contact in the event of a data breach and a description of their roles and responsibilities.
4. Testing 123: an IRP should not be locked away in your bottom drawer, only to be dusted off if and when a data breach occurs. Members of your response team should continually test the IRP by undertaking hypothetical data breach simulations to ensure that it is effective and meets the needs of the business over time.
5. Knowledge is power: 38% of data breaches that were notified to the OAIC during the July-December 2020 period were reported as being the result of human error. Therefore, it is important that your business has up-to-date privacy and security policies, and that your staff members are appropriately trained so that they know how to identify and respond to cyber security threats.
The Australian Cyber Security Centre recommends clearly documenting and training employees in cyber security systems, plans and practices. Written policies and mandatory online training videos are important, but we suggest going even further and getting the staff together for an interactive afternoon where they are put through several data breach and cyber-attack drills that vary in degree of difficulty. This will allow staff to stay alert to data breach attempts and learn techniques to protect information when communicating.
6. Cover your assets: given the frequency at which data breaches are now occurring and the considerable damage – both financially and reputationally – that flows to a business from a major data breach, it is becoming increasingly important to have cyber insurance in place. The type and level of insurance will depend on your company, including size, financial position and risk profile.
Unfortunately, despite your best efforts, data breaches can still occur. Our next article in this series will discuss how to effectively respond after a data breach has occurred.