An HP study has found almost half of Australian SMEs with an annual turnover of $3 million+ do not consider themselves to be prepared for Australia’s new data breach notification laws. Just 51 per cent of respondents said they had developed, or were in the process of developing, an IT security policy to ensure their compliance.
The HP Australia IT Security Study, conducted by ACA research in November 2017, surveyed 528 SMEs with between 10 and 99 employees across the services, production, retail and hospitality, health and education, and distribution industries. A key objective of the research was to uncover SMEs’ approach to IT security, including policies, procedures and risk management, as well as exploring their preparedness for the new data breach notification laws.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed by both houses of Parliament in February 2017, establishing a Notifiable Data Breaches scheme, which comes into effect on 22 February 2018. The scheme requires organisations covered by the Australian Privacy Act 1988 to inform the Australian Information Commissioner and members of the public if they believe or are aware that their data has been compromised.
Throughout 2017, Australian businesses were urged to put a spotlight on cyber security and to step up their capabilities, by proactively putting a data breach response plan in place and assessing and improving the current state of their IT security.
The research found 57 per cent of SMEs admitted to not undertaking any sort of IT security risk assessment in the last 12 months, despite a series of high-profile data breaches in that time.
“The consequences of a data breach can be severe; from financial to brand and reputation damage,” said Paul Gracey, Director, Printing Systems, HP South Pacific.
“Organisations should implement a process to monitor, detect and report data breaches, but prevention – and reducing the frequency and severity of breaches – is equally important.”
“Endpoint security – at the device level – is critical to that mix. Organisations tend to rely solely on third-party software security to protect their devices when, in reality, stronger and better business security must be integrated into the device itself,” said Gracey.
“With hackers able to bypass traditional network perimeter security and antivirus programs, it’s time we scrutinise a hardware’s security as closely, if not more, than our external security solutions.”
While many IT departments apply rigorous security standards to PCs, tablets and other connected devices, they often overlook the printer. The HP Australia IT Security Study found that of the 43 per cent of SMEs that had undertaken a risk assessment, just 29 per cent included printers in their analysis – compared to 78 per cent for servers and 76 per cent for PCs.
“Security threats are evolving every day. Due to reduced effectiveness of firewall protection, every device on an organisation’s network is at risk, and unfortunately printing and imaging devices are often overlooked and left exposed,” said Gracey.
With 63 per cent of respondents stating their employees work remotely on a regular basis, and the same percentage allowing employees to access company data from personal devices, SMEs are becoming increasingly concerned about the risks associated with the lack of control over these devices.
Over half of the respondents also flagged “employee carelessness” as a significant security threat to their business, with concerns over not just the behaviour of staff when outside the office, but external threats such as visual hacking. Despite this, fewer than half (44 per cent) of respondents have an IT security policy in place for employees who bring a personal device to work, and only 37 per cent restrict the data that can be accessed from that device.
The increasingly complex landscape makes securing devices, data and identities essential to preserving the trust and confidence people have in technology and the companies they choose to connect with.