With the introduction of the Privacy Amendment (Notifiable Data Breaches) Act 2017 this month, there is much discussion about cyber security, but are we seeing enough action? If you're unconvinced that cyber security warrants attention, and investment, in your business in 2018, here are three compelling reasons to reconsider.
Number 1: It's of global concern
Only extreme weather events and natural disasters are viewed as greater risks, according to the World Economic Forum. Cyber attacks and data fraud or theft are the third- and fourth-highest risks (respectively) in terms of likelihood in the World Economic Forum's Global Risks Report 2018. In the same report, cyber attacks sit at number six in the 'Top ten risks in terms of impact'.
Cyber security risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming commonplace. The financial impact of cyber security breaches is rising, and some of the largest costs in 2017 related to ransomware attacks, which accounted for 64% of all malicious emails. Notable examples included the WannaCry attack, which affected 300,000 computers across 150 countries, and NotPetya, which caused quarterly losses of US$300 million for a number of affected businesses.
Source: The Global Risks Report 2018, World Economic Forum, page 6.
Number 2: Australian businesses are targets – and are generally under-prepared
The 2017 BDO and AusCERT Cyber Security Survey found that the top three cyber security incidents experienced by Australian and New Zealand organisations were phishing (19.7%), malware (17.9%) and ransomware (16.8%). Thirty per cent of respondents were affected by a cyber incident of some kind between 2016 and 2017, and it is important to note that these incidents were not confined to big corporations: the survey found that almost 18 per cent of small- to medium-sized businesses experienced a cyber incident in 2017. A cyber incident can come at a great financial and reputational cost to the business, yet only 37 per cent of survey respondents had cyber insurance cover.
Number 3: New legislation creates real and significant penalties for businesses
Governments are starting to make businesses accountable for protecting their data. On May 25 the EU General Data Protection Regulation (GDPR) comes into effect. Companies in the EU will be required to demonstrate compliance, while companies doing business with or in the EU, or marketing goods and services to EU residents, must comply with the new regulation or risk heavy administrative fines (up to €20 million or 4% of global annual turnover, whichever is greater). Even companies that are not located in the EU and do not deal with EU residents may be affected, as their EU client companies and suppliers may require compliance as a condition of continued business.
Closer to home, and much closer on the calendar, is the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 on February 22. Despite financial penalties for serious or repeated non-compliance of up to $360,000 for individuals and $1.8 million for organisations, the 2017 BDO and AusCERT Cyber Security Survey found that more than a third of respondents did not know whether their organisation must comply with the Notifiable Data Breaches scheme.
Australian businesses need to be acting now to have cyber security practices and processes in place so that, once the legislation commences, they can promptly assess any suspected breach and, where it is an eligible data breach, notify the Office of the Australian Information Commissioner and the affected individuals as the scheme requires.