Changes to cyber security privacy legislation have a surprising impact on Australian and New Zealand businesses

06 June 2018

BDO and AusCERT’s latest Cyber Security Survey has shown that attitudes and adoption have both shifted in favour of cyber security best practice. However, the survey’s results also highlight that organisations are not as prepared for the Data Breach Notification legislation as they think they are.

For the second consecutive year, BDO and AusCERT have released the findings of their 2017/2018 Cyber Security Survey to identify current trends, issues and threats facing businesses in Australia and New Zealand. The goal of the survey is to deliver insights to help businesses build and maintain their cyber resilience over the long term.

In Australia, the Privacy Amendment (Notifiable Data Breaches) Act 2017 became effective in February this year. Despite financial penalties for non-compliance – up to $360,000 for individuals and $1.8M for organisations – this year’s Cyber Security Survey found that more than a third of respondents did not know if their organisation must comply with the notifiable data breaches scheme.

The top three cyber security incidents which impacted Australian and New Zealand organisations were phishing (19.3%), malware (17.0%) and ransomware (17.8%). Thirty per cent of respondents were affected by a cyber incident of some kind – and these incidents were not confined to large corporations. The survey found that almost 18% of small- to medium-sized businesses were impacted by a cyber incident, yet only 37% of survey respondents had cyber insurance cover.

Survey respondents’ view of expected cyber incidents in the coming year, compared to what was experienced in the previous year, shows a greatly increased expectation of unauthorised access and data loss/theft of confidential information, alongside an optimistic view that ransomware, phishing and malware will reduce.

Speaking about the results, BDO National Leader for Cyber Security, Leon Fouche, said “In many ways this year’s results are surprising. On the one hand cyber security awareness is much higher, but equally we have businesses who might be overly confident of their preparedness to respond to incidents. For example, only 56% of organisations have a cyber incident response plan in place, which is a slight increase from the 48% last year.”

“Despite the view from survey respondents, phishing, ransomware and malware remain a concern. We believe that ransomware and phishing will continue to be a concern due to the financial implications these will have on organisations. We also expect to see an increase in publicly reported data breaches, which will impact the reputation of those organisations that suffered from data breaches.”

Compared to last year’s survey, the results showed a year-on-year increase in adoption of cyber security standards; however, board awareness and investment are still an issue.

“The level of government and public scrutiny brings cyber security to the attention of organisation boards and executives. It can no longer be regarded as simply an IT activity – cyber security now needs to firmly reside as an embedded part of organisational risk strategy,” Mr Fouche said.