Fears businesses too slow to respond to data breach reforms

RISKY: There are fears small businesses are leaving themselves wide open to fines for their handling of data breaches and hacks, with many still unfamiliar with new laws.

There are fears many businesses are not prepared more than two weeks after the introduction of new laws requiring them to track and report data breaches that put privacy and profits at risk.

Since February 22 many businesses have needed to report breaches in which “unauthorised entities” access personal information where that access is likely to cause the people concerned serious harm.

They need to report such breaches to both the individuals affected and government authorities. Failing to do so could result in fines of hundreds of thousands or even millions of dollars.

Australian small business and family enterprise ombudsman Kate Carnell said she was receiving the same reaction when she spoke about the changes at many events.

“I’m still getting blank stares from a large percentage of small business owners in the room,” she said.

The changes cover a range of small businesses working in the financial sector as well as any that store health information. Ms Carnell said that included chiropractors, gyms and even childcare facilities.

“It’s a challenging piece of legislation for small businesses, really,” she said.

That is because the legislation casts a wide net, covering everything from breaches caused by accidental disclosures through to hackers’ cyber attacks.

What’s more, the definition of serious harm is wide, Ms Carnell said, including physical, psychological, emotional, financial or reputational harm.

“It could be anything. And therein lies the problem for small businesses. It’s very hard to determine what ‘serious harm’ really means,” she said.

Ms Carnell urged small businesses to prepare for a breach and understand what to do, especially in instances where it is not clear whether a data breach has actually occurred.

Sometimes it is obvious – like ransomware or the system shutting down. But sometimes a business might uncover unexplained software in its systems and need to report it because it could indicate a breach, Ms Carnell said.

Cyber attacks on the rise

The new laws come amid broader concerns in the technology industry that businesses are exposing themselves to risks as they move more of their operations online.

Maxsum Consulting’s managing director Joe Ciancio cited recent data suggesting one in four Australian businesses has been hacked in the last 12 months.

“It’s becoming more and more of a problem,” he said.

Alarmingly, Mr Ciancio’s consulting experience has led him to believe the majority of businesses have not properly prepared.

“Most businesses haven’t heard of the new requirements and even if they have, they don’t have a documented, tested, solution-focused process in place to handle it,” he said.

Among the most common forms of cyber attack were phishing attacks, in which emails purporting to be from legitimate companies contain links that download malicious software.

Many of those kinds of attacks can be countered with technology such as email filtering. Others are more complex.

One of Maxsum’s clients lost $400,000 after hackers compromised the email system of a third party.

“The hackers were able to read the emails between our client and the other organisation. By doing that they knew our client’s CEO was going to be on holidays,” Mr Ciancio said.

As the boss enjoyed a break the hackers began sending emails to the chief financial officer, requesting money be shifted into different accounts.

“If you looked at the emails quickly it looked totally legitimate. The hackers were using language in their fake emails about how much they were enjoying some time off,” Mr Ciancio said.

“It was a real social engineering-type attack.”

Mr Ciancio said in those types of cases there was almost nothing that could be done from a technological point of view to stop attacks.

“It totally comes down to user education and training,” he said.

Reputations on line

Adding to this, businesses can be uncomfortable with the notion of publicly discussing cyber attacks, even when they have no reason to believe data has been breached.

A regional Victorian worker said his organisation’s website had recently crashed after a bot – an automated piece of software that scans hundreds of thousands of websites searching for vulnerabilities – attacked a separate company’s hosting platform.

The organisation’s IT crew rebooted the website and the worker said the only impact was some lost work.

Still, he did not want to publicly name the organisation, saying it might damage the brand and mislead people about the security of information sent via the website.

Mr Ciancio said he often came across the same sentiment himself when privately discussing data breaches with businesses.

He said the risks of data breaches and hacks to businesses were not simply about the potential loss of sensitive data, lost time or financial damage.

“Part of the reason this legislation exists now is that in the past people have not wanted to make it publicly known they’ve been hacked. There’s a loss of reputation associated with it.”

Preparation is key

Everyone contacted for this story stressed the importance of understanding the risks and having the technology, training and procedures in place to mitigate the dangers of a data breach.

It was also vital that businesses put plans in place to notify the authorities and the individuals involved.

Mr Ciancio said a recent Maxsum Consulting event at Ulumbarra Theatre attracted 60 people from a range of different types of businesses.

“They want to get their awareness up. So this is a very hot topic at the moment and it’s something all businesses need to be aware of,” he said.

Ms Carnell said information on which types of businesses are covered under the new laws, as well as on identifying and reporting breaches, could be found on the Office of the Australian Information Commissioner website.

Businesses could also read the ombudsman's cyber security best practice guide.