Cyber-hacks, cyber terrorism, IT sabotage and data wars: the terms most often associated with ICT-related threats sound dramatic, humongous and overwhelming.
But a more prosaic information and communications technology threat (and associated cost) is presented with the recent passing of new legislation — The Privacy Amendment (Notifiable Data Breaches) Bill 2016 — which applies to businesses turning over more than $3 million a year.
Those agencies, businesses or individuals who transgress the new law face possible fines of between $360,000 and a very steep $1.8 million. There’s also the impost to longterm reputation and associated trust issues to content with. The impact to customer confidence, gossip and loyalty due to a data or privacy breach must not be underestimated.
Faced with such high punitive damages, investing five figures in an online cyber crisis simulation and cyber insurance doesn’t seem like such a bad idea. But, as consultants like me trying to advise on proactive cyber security have observed, the concept of investing against a potential data compromise often goes against the Aussie grain.
Many report that the companies they speak with are more worried about the upfront cost of protecting against a cyber attack, when they should be more concerned about the larger financial damage a cyber incident will pose to their business.
As a reputation manager looking at cases of data breach, I counsel that effective message and media management is critical, particularly now when many Aussie businesses are duty-bound to promptly self-declare under cyber compromises; failing to ‘show and tell’ that you’re doing something about cyber security is essential for demonstrating your compliance and customer care!
The Notifiable Data Breaches Bill gives Australia some of the toughest data disclosure rules in the world, so many organisations will need to get better at detecting, managing and recovering from not just external cyber attacks, but internal cyber weaknesses.
Recent IBM research suggested 46% of all of all cyber incidents in 2016 were malicious, while a less-mentioned statistic showed over a quarter were due to staff or supplier negligence.
Aussie companies need to get better to protect all their stakeholders, and to protect their own staff and their licence to operate. So anytime there’s unauthorised hacking or viewing of personal information — and there’s likely to be harm arising — organisations need to quickly notify, suggest remedies and provide support to those that are acutely affected.
The kind of organisations most at risk can include those that operate or manage large/sensitive stakeholder databases, such as:
- Accounting firms;
- Charities with more than $3 million in annual turnover;
- Any businesses with more than $3 million in annual turnover;
- Australian government agencies;
- Child care centres;
- Data centres and personal information ‘traders’ (corporate and individual);
- Not-for-profits with more than $3 million in annual turnover;
- Private schools and tertiary institutions; and
- Private health service providers, including gyms, alternative health practices, and weight loss clinics.
The fines outlined by the legislation are not of the ‘one the spot’ variety, but they do apply to entities that regularly treat the handling of customer data glibly or in unsecured ways. A cyber crisis simulation could not only help improve company processes, but show serious intent about preparing for the worst.
In addition to the new fines, cyber-compromised companies can face damaging and expensive litigation from those affected; and the media coverage of such cases can be corrosive to brand public relations. The memory of search engines is also unkind to longterm image and PR impressions.
Those companies most likely to be imperilled by the new law are encouraged to be proactive by taking the following steps:
1. Don’t ostrich
Understand that increasing business reliance on ICT infrastructure likely increases the potential risks of breach or breakdown. Heed this early heads-up, rather than sticking your IT head in the sand.
2. Consider cyber insurance
If honesty is the best policy for PR disasters, then a cyber policy is the next best thing to allow companies to quickly access the IT, legal and PR expertise needed to protect the company at the heart of the breach.
3. Review data security practices
Regular vulnerability testing and staff training are key for breach-resistant IT infrastructure. In an age of third party apps and suppliers, including outside technologies in your security sweep is a mandatory. As is regular cleaning and purging of surplus data.
4. Run crisis simulations
A variety of new interactive training portals allow companies to replicate the typical media and stakeholder pressures likely to hit in the event of crisis events. Companies can learn and practice effective process and protocols for handling management of messages and trans-media channels — within safe online workspaces — in advance of when crisis breaks.
Gerry McCusker is an issues management specialist and the founder of Engage ORM.