We're a Baker Tilly network member
Learn more
Security is no longer an IT issue, it’s a business risk
Article

Security is no longer an IT issue, it’s a business risk

The Office of the Australian Information Commissioner recently reported there had been 964 reportable data breaches across Australia in the last 12 months. More than 60% of these breaches were the result of malicious or criminal attacks, showing the potential for reputational damage and financial loss from cybercrime and privacy breaches is real.

Further, organisations are finding it increasingly challenging to manage their cybersecurity risks while adapting to the shifting privacy landscape with recent significant changes to the Privacy Act and birth of the GDPR.

Managing privacy and cybersecurity needs a whole of business approach

Pitcher Partners recently polled more than 50 professionals from a range of sectors for their perspectives on privacy and cybersecurity. Three key themes emerged from the survey, including:

  • the importance of IT security preparedness and awareness
  • legal obligations for businesses
  • the impact of third parties on your business’s privacy and cybersecurity.

IT security preparedness and awareness

Most survey respondents indicated that their organisation was suitably prepared for a cyberattack and had implemented initiatives to improve employee awareness about IT security and cyber risks. These initiatives have been driven by the increasing threat of a cyberattack and require executive-level support to be managed appropriately.

Legal obligations for businesses

From a legal perspective, two key themes emerged from the survey ­— the handling of private information and protecting against cyber threats. This is particularly important when it comes to the way third parties handle personal data. To mitigate the risk of a data breach by third parties that help deliver your goods and services, you need to ensure your business addresses this issue in your contracts and implement a data breach response plan.

The General Data Protection Regulation (GDPR) also remains top of mind for people across all sectors, highlighting the importance of ensuring your business is GDPR-compliant. This includes things such as ensuring the cookie statement on your website and your email marketing systems are GDPR-compliant.

The impact of third parties on your business’s privacy and cybersecurity

As businesses increasingly engage third parties to assist in the delivery of their goods and services, it increases a business’s exposure to privacy and cybersecurity breaches. To mitigate this risk, it is important that you risk assess third parties to determine that they have the necessary IT security practices in place to prevent and, if necessary, respond to a cyberattack. In light of the Notifiable Data Breach Scheme, caution should also be taken where third parties have indirect or direct access to customers’ personal information.

Key steps to protect your business

The key takeaways from the survey centre around cybersecurity awareness, mitigating risk and having a response strategy in place in case a breach occurs.

Key steps you can take to protect your business include:

  • Consider the business impact of incidents to key business people, processes and supporting systems.
  • Understand the different privacy and cybersecurity risks to your business and prioritise accordingly.
  • Review and monitor cloud services regularly to proactively identify risks.
  • Ensure all staff in your organisation are aware of cybersecurity risks and their prevention.
  • Undertake thorough due diligence of third parties, especially if they will be handling customer data.
  • Ensure your business has a Data Breach Response Plan, data protection measures and cybersecurity controls as this is a legal requirement for entities that fall under the Privacy Act.
  • Commercial contracts should account for the changing technological and privacy landscape.
  • Review your privacy policy every 12 months.

Privacy and cybersecurity are key business risks that need constant review and management. The imminent nature of these risks, unfortunately, means that businesses need not be asking if a breach will occur, but when. This highlights the importance of having a strategy in place to respond to data breaches and reduce reputational risk as a result.

Contact your Pitcher Partners specialist if you have any specific queries about managing and mitigating privacy and cybersecurity risks in your business.

This content is general commentary only and does not constitute advice. Before making any decision or taking any action in relation to the content, you should consult your professional advisor. To the maximum extent permitted by law, neither Pitcher Partners or its affiliated entities, nor any of our employees will be liable for any loss, damage, liability or claim whatsoever suffered or incurred arising directly or indirectly out of the use or reliance on the material contained in this content. Pitcher Partners is an association of independent firms. Pitcher Partners is a member of the global network of Baker Tilly International Limited, the members of which are separate and independent legal entities. Liability limited by a scheme approved under professional standards legislation.
Pitcher Partners insights Get the latest Pitcher Partners updates direct to your inbox

Thank you for you interest

How can we help you?

Business or personal advice
General information
Career information
Media enquiries
Contact expert
Become a member
Specialist query
Please provide as much detail to ensure appropriate allocation of your query
Please highlight a realistic time frame that will enable us to provide advice within a suitable and timely manner. Please note given conflicting demands with our senior personnel, we will endeavour to respond to you within the nominated time frame. If you require an urgent response, please contact us via [email protected] or 03 8610 5477.
CPN Enquiry
Business Radar report
Student careers 2021-22
Find an expert
Search by industry