How to avoid failing new data breach reporting scheme


Australia’s Notifiable Data Breach (NDB) scheme is in full swing. Now, if your business experiences a data breach that is likely to result in serious harm, you must disclose it to authorities and impacted individuals. This is a huge shift from previous standards, which stated that a company must take ‘reasonable measures’ to protect personal and sensitive information.

For small businesses, a serious data breach could be devastating. Not only are there hefty fines in place (up to AU$360,000 for individuals and AU$1.8 million for organisations), but the reputational risk could make or break smaller businesses. When considering the price of potential brand damage associated with a data breach, the fines pale into insignificance.

The new data breach reporting requirements are likely to be daunting for small businesses with limited budget for cybersecurity resources. I’m hearing daily that many organisations still do not have adequate protections in place. But this is out of naivety rather than intent. Now is the time to take a good, hard look at your own cybersecurity protocols.

The surprising sources of data breaches

It often comes as a surprise to businesses that breaches aren’t limited to malicious activity. There are many other ways that data breaches can occur, from stolen or lost laptops to human error to employees sharing information externally without permission.

Managing these situations and implementing basic cybersecurity protocols are important first steps.

Other ways data breaches may occur include:

  • Lost or stolen laptops, tablets, smartphones.
  • Removable hard drives or USBs containing privileged information being passed on to other users without proper clearance.
  • Hacked cloud or local databases that contain personal and private information.
  • Employees sharing privileged information outside of an organisation without the proper authority.

Addressing a cybersecurity skills gap

Conversations around the shortage of skilled cybersecurity experts in Australia have become increasingly urgent as the mandatory reporting scheme rolls out. A recent Government report estimated an additional 11,000 cybersecurity specialists would be required to meet demand in Australia in the next decade.

It’s likely that businesses will feel the impact of this cybersecurity skills and education gap over the coming months. But practising basic cyber hygiene should be something small businesses are already prioritising, particularly those that handle personal information.

The good news is that there are several non-labour-intensive steps that small businesses can (and should) be taking to make sure they’re taking preventative action.

What small businesses should do to prepare

The Australian Signals Directorate (ASD) has published a cybersecurity baseline known as the “Strategies to Mitigate Cyber Security Incidents”, aka the “Essential Eight,” a prioritised list of initiatives to enhance computer security. The Essential Eight are the most fundamental elements of this list, ensuring good security habits are used throughout the organisation.

The guidelines are best used as a baseline to sense-check the current security protocols, and then adapted to the specific needs of the business. Following each of these steps is a good starting point for creating a secure environment for your organisation.

Bede Hackney, ANZ Country Manager, Tenable