The Office of the Australian Information Commissioner recently reported there had been 964 reportable data breaches across Australia in the last 12 months. More than 60% of these breaches were the result of malicious or criminal attacks, showing the potential for reputational damage and financial loss from cybercrime and privacy breaches is real.
Further, organisations are finding it increasingly challenging to manage their cybersecurity risks while adapting to the shifting privacy landscape with recent significant changes to the Privacy Act and birth of the GDPR.
Managing privacy and cybersecurity needs a whole of business approach
Pitcher Partners recently polled more than 50 professionals from a range of sectors for their perspectives on privacy and cybersecurity. Three key themes emerged from the survey, including:
- the importance of IT security preparedness and awareness
- legal obligations for businesses
- the impact of third parties on your business’s privacy and cybersecurity.
IT security preparedness and awareness
Most survey respondents indicated that their organisation was suitably prepared for a cyberattack and had implemented initiatives to improve employee awareness about IT security and cyber risks. These initiatives have been driven by the increasing threat of a cyberattack and require executive-level support to be managed appropriately.
Legal obligations for businesses
From a legal perspective, two key themes emerged from the survey — the handling of private information and protecting against cyber threats. This is particularly important when it comes to the way third parties handle personal data. To mitigate the risk of a data breach by third parties that help deliver your goods and services, you need to ensure your business addresses this issue in your contracts and implement a data breach response plan.
The General Data Protection Regulation (GDPR) also remains top of mind for people across all sectors, highlighting the importance of ensuring your business is GDPR-compliant. This includes things such as ensuring the cookie statement on your website and your email marketing systems are GDPR-compliant.
The impact of third parties on your business’s privacy and cybersecurity
As businesses increasingly engage third parties to assist in the delivery of their goods and services, it increases a business’s exposure to privacy and cybersecurity breaches. To mitigate this risk, it is important that you risk assess third parties to determine that they have the necessary IT security practices in place to prevent and, if necessary, respond to a cyberattack. In light of the Notifiable Data Breach Scheme, caution should also be taken where third parties have indirect or direct access to customers’ personal information.
Key steps to protect your business
The key takeaways from the survey centre around cybersecurity awareness, mitigating risk and having a response strategy in place in case a breach occurs.
Key steps you can take to protect your business include:
- Consider the business impact of incidents to key business people, processes and supporting systems.
- Understand the different privacy and cybersecurity risks to your business and prioritise accordingly.
- Review and monitor cloud services regularly to proactively identify risks.
- Ensure all staff in your organisation are aware of cybersecurity risks and their prevention.
- Undertake thorough due diligence of third parties, especially if they will be handling customer data.
- Ensure your business has a Data Breach Response Plan, data protection measures and cybersecurity controls as this is a legal requirement for entities that fall under the Privacy Act.
- Commercial contracts should account for the changing technological and privacy landscape.
Privacy and cybersecurity are key business risks that need constant review and management. The imminent nature of these risks, unfortunately, means that businesses need not be asking if a breach will occur, but when. This highlights the importance of having a strategy in place to respond to data breaches and reduce reputational risk as a result.
Contact your Pitcher Partners specialist if you have any specific queries about managing and mitigating privacy and cybersecurity risks in your business.