Security is no longer an IT issue, it’s a business risk

By Eric Eekhof - November 10, 2019

The Office of the Australian Information Commissioner recently reported there had been 964 reportable data breaches across Australia in the last 12 months. More than 60% of these breaches were the result of malicious or criminal attacks, showing that the potential for reputational damage and financial loss from cybercrime and privacy breaches is real. Further, organisations are finding it increasingly challenging to manage their cybersecurity risks while adapting to the shifting privacy landscape brought about by recent significant changes to the Privacy Act and the birth of the GDPR.

Managing privacy and cybersecurity needs a whole of business approach

Pitcher Partners recently polled more than 50 professionals from a range of sectors for their perspectives on privacy and cybersecurity. Three key themes emerged from the survey:

  • the importance of IT security preparedness and awareness
  • legal obligations for businesses
  • the impact of third parties on your business’s privacy and cybersecurity.

IT security preparedness and awareness

Most survey respondents indicated that their organisation was suitably prepared for a cyberattack and had implemented initiatives to improve employee awareness about IT security and cyber risks. These initiatives have been driven by the increasing threat of a cyberattack and require executive-level support to be managed appropriately.

Legal obligations for businesses

From a legal perspective, two key themes emerged from the survey: the handling of private information and protecting against cyber threats. This is particularly important when it comes to the way third parties handle personal data. To mitigate the risk of a data breach by third parties that help deliver your goods and services, you need to ensure your business addresses this issue in your contracts and implements a data breach response plan.

The General Data Protection Regulation (GDPR) also remains top of mind for people across all sectors, highlighting the importance of ensuring your business is GDPR-compliant. This includes things such as ensuring the cookie statement on your website and your email marketing systems are GDPR-compliant.

The impact of third parties on your business’s privacy and cybersecurity

As businesses increasingly engage third parties to assist in the delivery of their goods and services, their exposure to privacy and cybersecurity breaches increases. To mitigate this risk, it is important that you risk-assess third parties to determine that they have the necessary IT security practices in place to prevent and, if necessary, respond to a cyberattack. In light of the Notifiable Data Breach Scheme, caution should also be taken where third parties have direct or indirect access to customers’ personal information.

Key steps to protect your business

The key takeaways from the survey centre around cybersecurity awareness, mitigating risk and having a response strategy in place in case a breach occurs.

Key steps you can take to protect your business include:

  • Consider the business impact of incidents on key business people, processes and supporting systems.
  • Understand the different privacy and cybersecurity risks to your business and prioritise accordingly.
  • Review and monitor cloud services regularly to proactively identify risks.
  • Ensure all staff in your organisation are aware of cybersecurity risks and their prevention.
  • Undertake thorough due diligence of third parties, especially if they will be handling customer data.
  • Ensure your business has a Data Breach Response Plan, data protection measures and cybersecurity controls as this is a legal requirement for entities that fall under the Privacy Act.
  • Ensure commercial contracts account for the changing technological and privacy landscape.
  • Review your privacy policy every 12 months.

Privacy and cybersecurity are key business risks that need constant review and management. The imminent nature of these risks, unfortunately, means that businesses should be asking not if a breach will occur, but when. This highlights the importance of having a strategy in place to respond to data breaches and to reduce the resulting reputational risk.

Contact your Pitcher Partners specialist if you have any specific queries about managing and mitigating privacy and cybersecurity risks in your business.
