We all know that cyber-crime has been on the increase in Australia, but the introduction of the NDB (Notifiable Data Breaches) scheme in 2018 saw a rapid rise in the number of reported cases. Part of this increase is likely due to the fact that the NDB requires organisations to report all data breaches within 72 hours. It's this notification requirement however, that has highlighted the continued growth in Australian cyber-crime. As an example, over the twelve months from 1st
April 2018 to 31st
March 2019, the Office of the Australian Information Commissioner Report
reveals that there were 964 data breach notifications, an increase in 712% over the previous twelve months (when breaches were reported voluntarily). In addition, 60% of these 964 data breaches were malicious, whilst 35% were due to human error. The OAIC has stated that these results reflect the need for increased security systems and improved staff training. Of course, there may have been many data breaches that were not reported before the NDB, but these figures should give some food for thought.
Recent data breaches in Australia
reported that in February 2019, the Parliament of Australia experienced a security incident in their IT section and whilst no data was compromised, an attempt was clearly made to access high level data. In 2018, the Australian National University was consistently hacked over a period of months, but no data was stolen; in 2015, it happened to the Australian Bureau of Meteorology where malicious software was installed and sensitive documents stolen. It's important to remember that the figures quoted above are the number of data breaches, not the number of people affected by these breaches. For example, in the OAIC's most recent quarterly report
January to 31st
March 2019), it found that in one incident alone, more than 10 million Australians had their private information compromised.
How can SMEs protect their data?
Hackers can be either nationally driven or economically driven, the former motivated by national interests and the latter by financial gain. To adequately protect your business from cyber-crime, one of your first steps is to decide which type of hacker is more likely to attack your business. A company involved in regional energy production for example, might be more likely to be attacked by hackers motivated by national interests, whilst a law company might be favoured by hackers motivated by financial gain. Whilst you can try to harden your defences, you won't be able to plug every possible breach, but if you have an idea which type of hacker may target your business, you can set certain processes in place that can minimise these attacks and the resulting fallout. You should also recognise that there is no guaranteed protection against hacking, and given this truism, you need to invest in resilience. Recovering from a cyber attack can be expensive, time consuming and may have no positive outcomes, which is why SMEs are investing in cyber insurance. Talking to an insurance specialist who can guide you through your choices will ensure that you have the best protection possible for your business. General Advice Warning The information provided is to be regarded as general advice. Whilst we may have collected risk information, your personal objectives, needs or financial situations were not taken into account when preparing this information. We recommend that you consider the suitability of this general advice, in respect of your objectives, financial situation and needs before acting on it. You should obtain and consider the relevant product disclosure statement before making any decision to purchase this financial product.