Australian businesses that fail to protect their customers’ personal data could face fines of A$10 million or more. Yet such penalties may pale in comparison to the true cost to a business of a major data breach. Downtime for the business, the loss of customers and brand damage can take a toll much greater than any fines incurred.
So why don’t more executives and directors show leadership in implementing a best practice approach to cyber security?
ASI Solutions head of services Daniel Johns warns that, too often, those signing off on cyber security expenditure think of it as a ‘luxury’ rather than a necessity – a mindset that is completely outdated.
“A decade ago it might have been enough to have anti-virus software and a firewall in place and check on it once a year… but that’s just not going to cut it today,” Johns says. “The exponential growth in the number of malicious actors and the sophistication of malicious code means real-time monitoring and defence is essential.”
Johns warns that small-to-medium sized enterprises (SMEs) are particularly vulnerable to cyber crime.
“Criminals realise that SMEs are less likely than larger businesses to take a comprehensive managed solution approach to cyber security, and this means they have weak spots that can be exploited,” he says.
A ‘managed solution’ approach is different from the more old-fashioned ‘set and forget’ approach to cyber security in that it includes ongoing monitoring and maintenance to deal with the constantly evolving threat landscape.
Changes to Australia’s Privacy Act could see local organisations face stiff penalties if found guilty of serious or repeated breaches, whether intentionally or as a result of inadequate cyber security. Parliament is considering fines of up to A$10 million, or three times the value of any benefit obtained through the misuse of information, or 10% of a company’s annual domestic turnover. These rules apply to all organisations with an annual turnover of A$3 million or more.
Prevention better than a cure
Picture: Daniel Johns, ASI Solutions head of services.
Johns warns that a common trap for budget-conscious SMEs is selecting the ‘cheapest’ cyber security option without giving appropriate consideration to the value of the assets they need to protect.
He recalls the unfortunate experience of one business that decided to go with another supplier who gave them a cheaper, less comprehensive proposal for support services. A few months later, that customer’s systems were breached and they called on ASI Solutions to come in and help them recover from the breach and mop up the mess.
It was seven days before they got email up and running again, and it took over a month to access historical data. Even then, a large percentage of their historical data was lost forever.
The conservative estimate of the cost of the attack to the business was about A$12 million – a crippling amount for an employer of 35 staff.
Johns suggests all SMEs conduct a business impact assessment to ensure they understand what the likely impact of a cyber-attack would be. This includes understanding how long your business can afford to be offline, what the cost would be of repairing lost or damaged data sources, and the likely impact on customer revenue and future confidence.
“A comprehensive managed security services solution might seem expensive at first glance, but be sure to stop and think about the actual cost to your business of not being protected,” he says.
Find out more:
The first step to mitigating risk is identifying what risk exists.
ASI Solutions offers a range of IT Risk Assessments that we can customise for your particular organisation and environment. To find out more on how your organisation can build IT resilience and mitigate risk against being a cyber target, submit your enquiry at http://info.asi.com.au/ASI_Inquiry.html or call us on 1300 368 010.