Almost daily we hear about cyber-attacks, but do any of us understand what that really means for us or our businesses?
The Australian Federal Police categorise any type of online security breach as cybercrime, which is defined as:
· Crimes committed directly against computers and computer systems
· The use of technology to commit or facilitate crimes
Every business is vulnerable to an attack, and once access has been gained to a computer system, the damage or interruption to the business will depend upon the information that can be obtained by those who are not authorised to access it.
A computer intrusion may be as simple as hacking emails, but access to emails can often provide a criminal with other sensitive information – passwords, bank account and credit card details – that can be used for further attacks.
Other forms of intrusion can result in the introduction of malicious software (malware) or viruses, resulting in denial of service and freezing user access. When this happens, the perpetrator will often seek payment of a ransom to remove the virus.
Pop-up advertising on internet sites can be annoying, but it can often be a sign that a user has unknowingly installed adware or spyware programs.
When an intrusion results in access to customers' personal information, there may be an immediate requirement to report the breach to the relevant authorities, as outlined below.
A recent change to the Australian Privacy Act requires any breach of personal data to be reported to the Office of the Australian Information Commissioner (OAIC). The Act's definition of personal data is:
“information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable”.
Reporting requirements do not apply to all businesses, but the starting point embraces a large proportion of Australian businesses.
As well as Australian Government agencies, all businesses and not-for-profit (NFP) organisations with an annual turnover of $3 million or more, together with credit reporting bodies, health service providers and tax file number (TFN) recipients, are among those required to report any data breach.
All businesses, whether large or small, that collect customer information have important obligations to protect that information.
Increasingly, hackers are turning their attention to small businesses. International agencies have reported that forty-three percent of hack attacks in 2015 were against small businesses (Symantec's 2016 Internet Security Threat Report).
When a business becomes aware of a breach, it is essential that customers be informed.
A written notification should be sent to every customer.
It should provide details of the type of information that has been accessed, e.g. driver's licences, credit card numbers or tax file numbers.
It will also be necessary to provide details of the intended remedial action and of the actions customers can take to limit the impact of the intrusion.
The costs associated with rectifying a data breach can run into tens of thousands, and damage to the business's reputation can affect trading conditions for months, if not years.
Cyber insurance will assist with some of the financial consequences, but implementing a response plan will minimise them.
The plan should be written down, updated at least once a year, and include essential contact information, including IT experts and insurance contacts.
It should also contain information about your computer network, identify potential sources of exposure such as staff working offsite, and list details of all service providers.
Business managers can’t afford to be complacent and say “it won’t happen to us”. All business managers need to be prepared.