The impact of the NDB scheme on small businesses

hackers, cyber risks, cyber criminals, trade secrets, data breaches

2018 so far has been a significant year for businesses when it comes to cybersecurity. In an attempt to enhance data privacy, regulations are being introduced across the globe, including Australia’s Notifiable Data Breach (NDB) scheme, which came into effect in February.

The NDB scheme requires businesses to notify individuals if their personal information is involved in a data breach. The notification needs to include recommendations about the steps individuals should take in response to the breach and also must be shared with the Australian Information Commission.

Following its introduction, never before has there been such a spotlight on small businesses and how they handle their data and information.

According to research from Webroot, 96 per cent of Australian IT decision makers agree there will be fewer data breaches as a direct result of stronger data protection policies. Despite this, almost a quarter (22 per cent) of Australian respondents are not confident their organisations could comply with these rules – requiring them to disclose all personal data collected on individuals within one month of request.

On top of this, 43 per cent have only trained – or are in the process of training – IT staff regarding NDB compliance, so there’s clearly more work to do when it comes to ensuring small businesses are prepared.

It’s certainly not new news that the cyber threat landscape is becoming more complex every day and hackers are constantly finding new ways to take advantage of the myriad of data created by businesses. Despite businesses feeling unprepared following the new laws and the more complex cybersecurity environment, there are key ways to ensure your business complies.

Here are my top five pieces of advice for small business owners to ensure they’re prepared and compliant:

1. Know your data – Know what personal data your organisation has, where it’s stored, and in what systems. Regularly schedule audits and allocate resources for this work.

2. Delete – Make sure any data you do not need is deleted securely. There are legal requirements for maintaining certain types of data, but when data retention is not required, disposing of it helps reduce risk.

3. Communicate – With any process change, effective communication is essential. Proper internal communications with employees and external communications with suppliers will help make them aware of changes and give them time to amend their own processes. Regular security awareness training is also a vital method of ensuring the team internally are able to identify security threats.

4. Assess – When auditing personal data processes in relation to the NDB scheme, consider if a privacy impact assessment is required.

5. Comply – If there is a security breach within your organisation, follow the rules outlined by the NDB scheme. Under these regulations, it’s essential to be transparent and inform affected individuals within the specified timeline.

Whilst Australian businesses may have been off to a slower start when it comes to NDB compliance, there are many practical steps small businesses can take to ensure they’re prepared and compliant, if ever the time comes.

Dan Slattery, Senior Information Security Analyst, Webroot