13 March 2024

Small businesses urged to ramp up data security ahead of changes to privacy laws

Katrina Condie

Canberra’s small and medium-sized business owners will soon need to review their cyber security policies and procedures. Photo: File.

Canberra’s small and medium-sized business owners are being urged to start planning how they will tighten up their data and cyber security practices ahead of changes to the Federal Government’s privacy laws.

Impending amendments to the Privacy Act 1988 would require all businesses to bolster their cyber security resilience and take steps to secure any personal information or data they hold in an effort to protect their customers and staff from data breaches.

Currently, businesses with an annual turnover of $3 million or less are exempt from the act and have no obligation to keep personal information secure or to notify affected people if there is a data breach.

However, with businesses of all sizes facing a growing risk of cybercrime and ransomware attacks, the government looks set to remove the exemption.

Privacy and security specialist Ashwin Pal, Partner – Cyber Security & Privacy Risk Services at RSM Australia, said the changes would be a “huge burden” on many small businesses, but urged owners to start thinking about investing money, time and expertise into understanding and strengthening their cyber security systems.

“Once these changes are introduced, all businesses will have to comply with all of the principles of the privacy act, no matter what their turnover is,” Mr Pal said.

“We’ve seen the spectacular failures of Optus, Medibank and Latitude who kept personal data that they shouldn’t have been keeping and, in reality, this kind of attack can happen to any business of any size.


“So basically, all business owners will have to understand exactly what data they have and how to keep that information secure, which is going to be a huge burden on people who, at the moment, probably don’t even think about things like that.”

The government’s proposal to slash the $3 million exemption will impact around 99.8 per cent of Australian businesses – from coffee shop owners to farmers – that are currently immune to the privacy laws.

Last financial year, small businesses experienced an average loss of $46,000, while cybercrimes cost medium businesses an average of $97,200, and large businesses an average of $71,600.

With the average cost per cybercrime reported to the Australian Cyber Security Centre (ACSC) increasing by 14 per cent last year, compared to the previous financial year, Mr Pal said the impact on the country’s economy was “massive”.

“Small to medium businesses need to start putting these measures in place. It’s going to take time and it’s going to take money, so it’s important to start thinking about doing it now,” he said.

“Business owners need to look at what data they’re holding and carry out a risk analysis to work out where the gaps are, who can potentially steal their data and create a plan to fill those gaps.

“They need to ensure they have up-to-date technology solutions, put some cyber security policies in place and educate their staff around how to safely keep the personal data they collect from their customers.”

Mr Pal said most security hacks stemmed from the internet, with cyber criminals breaking into business networks or sending something malicious through a website or email. He said data breaches against small businesses and their customers were increasing in complexity, scale and impact.

“All businesses need to make sure they have strong controls on their internet entry points, such as web and email filtering and firewalls,” he said.


“A lot of ransomware can lock up a system until money is paid, but a lot of businesses can’t afford to pay, so their business is effectively stopped by these criminals.

“The scary bit is, 60 per cent of all small to medium-sized businesses don’t last more than six months after a cyber attack. Most run on the smell of an oily rag, so it doesn’t take much for them to go under.”

The new laws would also impact small business owners, such as food producers, who could have their supply contracts terminated by large businesses if they could not ensure they had adequate security measures in place.

“Big businesses, like Woolies, don’t want to risk cyber criminals gaining entry ‘through the back door’ of a farming business that’s connected to their computer system,” Mr Pal explained.

He said “pretty much the majority of Australians aged over 18” had lost their personal data due to the Optus, Medibank and Latitude breaches, and future attacks on businesses of any size could be avoided under the proposed changes.

“Our data is walking out the door. It’s a leaking sieve and we’ve got to address that,” Mr Pal said.

He said it was time for the “archaic” privacy act, which was legislated in 1988, to be overhauled because cybercrime was a “huge safety issue that needs to be addressed now”.

“It’s like when people were driving cars around in the 1950s with no safety measures in place and people were dying on our roads,” he explained.

“It’s time for those seatbelts and airbags to be put in place.”

Consultation regarding the proposed changes to the privacy act has been carried out and the recommended changes are before parliament. In the meantime, Mr Pal said all businesses should seek independent advice or take a look at the ACSC website for more information about employing appropriate data security practices.

He said the changes were in line with the Federal Government’s aim to strengthen Australia’s privacy laws, to ensure small businesses were less attractive targets for cyber criminals.

Mr Pal will speak at RSM’s cyber security event, designed specifically for small to medium businesses, to be held on Wednesday 27 March from noon to 2 pm at QT Canberra.

RSM Australia’s Cyber Security & Resilience team can help small and medium businesses assess their cyber risks, understand their security obligations and improve their technology to protect their data and the personal data of their clients.

Original Article published by Katrina Condie on Riotact.
