An expanded version of this article has been published in the January edition of the LexisNexis Privacy Law Bulletin (newsletter) 2018 Vol 14 No 9 & 10. More information about the Bulletin can be found on the LexisNexis website.
Recent events have shown just how dangerous today's online environment can be for businesses. Nor does it seem to matter how big you are:
“Australians could be caught up in an enormous hack of sensitive personal financial data that has left nearly half the American population at risk of identity fraud after Equifax confirms the personal data of 143 million people has been hacked” ABC News
“Deloitte hit by cyber-attack revealing clients’ secret emails” The Guardian
One could be forgiven for thinking about closing up shop, moving to the bush and going “off grid”. As appealing as rural life may be, it is probably more sensible to take some simple risk management steps before making such a momentous decision.
14 Cyber Risk Management Steps
Not in any particular order, here are some measures you may wish to consider:
- Review policies and procedures, with a particular focus on IT (all elements outlined below ought to be embraced within this framework).
- Check your processes: do you have adequate backups, and have you tested that you can actually restore from them? What is your disaster recovery plan? Do you even have one?
- Train staff on how to spot threats and deal with them, both at work and at home (if they work flexibly or use their own devices under a BYOD arrangement).
- Employees can often be the weakest link: they should never share passwords or log-in details.
- Employees should be encouraged to report all breaches and potential breaches of security.
- Employees should be aware of external security risks, such as public Wi-Fi “hotspots”.
- Insist on good password practices (long passwords that are not reused across accounts) and consider a password manager to make that practical for staff.
- Consider two-factor authentication, particularly for email, remote access and administrator accounts.
- In any event, limit access to data on a "need to know" basis, so that each person can reach only the information their role requires.
- Hardware should be adequately protected, whether in the server room, on the desk, or in the briefcase or pocket; for portable devices consider full-disk encryption, remote tracking and remote wipe.
- Ex-employees' access should be revoked as soon as they leave, and all business related hardware returned immediately.
- Have a crisis management protocol, and make sure it is well understood by everyone who has a role in it.
- Think now about what you would say to employees, clients and the market if you were unlucky enough to suffer a data breach or hacking event; don't wait until after it has happened.
- Limit media appearances until you are across all the issues: do it once and do it right, and make sure anyone affected by your breach has the information they need to take action to protect themselves.
The online environment is only going to get more complex for businesses. Mandatory data breach notification laws take effect in Australia from 22 February 2018, and thereafter the Office of the Australian Information Commissioner and any individuals likely to be affected will have to be informed of an "eligible data breach". In addition, the European Union's General Data Protection Regulation applies from 25 May 2018, and if your business has an establishment in the EU, or offers goods or services to, or monitors the behaviour of, individuals in the EU, this law will apply to you.
We recommend you get professional IT help and that you ensure you have adequate cyber insurance cover in place by contacting a reputable broker.
The information published in this paper is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.