Protect your business from after-effects of a hack
3-Vital steps to minimise shock waves to your business post-data breach
If you’re reading this because your business or Firm has been hacked, then I feel for you. Sadly, you’re not unique. BDO’s report, ‘2018/2019 Cyber Security Survey’ states, ‘Data loss/theft of confidential information incidents rose by 78.68% in 2018 compared to 2017. Equally as alarming is the rise in data breaches experienced through third party providers and suppliers, which rose by 74.30%.’
Your business can work through this setback. By proactively addressing 3 vital steps you can help your business or Firm minimise the repercussions of a cyber-attack, and keep the respect of your clients and stakeholders.
As of 22 February 2018, all Australian organisations or agencies covered by the Privacy Act 1988 came under the NDB scheme – ‘Notifiable Data Breach’. OAIC, the government agency responsible for managing the NDB scheme, states, in part, that a data breach ‘…happens when personal information is accessed or disclosed without authorisation or is lost…’
If your agency or business is covered by the Privacy Act 1988, it is bound by the NDB scheme. Three criteria define what makes lost or stolen data a ‘notifiable breach’:
- there is unauthorised access to, or disclosure of, personal information, or a loss of personal information, that an organisation or agency holds;
- this is likely to result in serious harm to one or more individuals; and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
If the NDB scheme applies to you, go to OAIC’s website to report the breach (it provides step-by-step guidelines and an online form). Next, start planning the best way to inform anyone else who may be affected by the loss or theft of sensitive, personal data.
If you’re not sure if your agency or company is covered by the Privacy Act 1988 then find out today! Ignorance is not seen as an acceptable excuse for non-compliance by the Australian Government.
However, also keep in mind that the Office of the Australian Information Commissioner (OAIC) is there to help you. Aside from legal compliance, OAIC will do whatever they can to help minimise repercussions from a breach to your business. They may be able to give you invaluable tips on the best way to communicate a breach to affected parties.
In notifying affected parties, whilst it’s natural to feel embarrassed, remember that you’re giving them the best means to take proactive action to protect themselves – knowledge. By making them aware, you are helping them to minimise what harm will come to them from the loss – which is the purpose of the NDB Scheme! And you prove that the interests of your clients/stakeholders are vitally important to you. Instead of making an unpleasant event worse, open and honest communications can enhance the relationship you have with affected parties.
What about older, unreported data breaches? If you have previously lost data since February 2018 and haven’t yet reported it – do it now!
Step #2: Improve your data and system security
Find out how data was lost or stolen. By identifying the ‘gateway’ that allowed your data to be breached, you identify how to close or block the weak link in your cybersecurity. This could be anything from a lack of IT tools or skills in your business, to human error.
Identifying the weak link allows you to prioritise the right remedial actions, quickly. And it gives you something positive to report to anyone else that was affected by the breach. It’s a great way to demonstrate how highly you value them, and the ongoing security of your systems and people.
Step #3: Never pay a ransom
Anyone who steals or encrypts your files and then demands money to release your data is not honourable. It’s not surprising, then, to hear that paying a ransom guarantees nothing. You might get your data back, you might not. However, regardless of what happens, by paying a ransom you (unintentionally) perpetuate cybercrime. For those two reasons, itro recommends you never pay a ransom demand.
The landscape of cybersecurity has changed and continues to change. But you don’t need to feel overwhelmed! The Australian Government is committed to providing advice to help businesses stay safe online. See ACSC’s ‘Essential Steps to protect your business’ (Australian Cyber Security Centre).
Everyone in your agency, Practice or business needs to be committed to protecting your data! Cybersecurity is a team effort because simple things are often the biggest ‘gateways’ for malicious attacks on your business and data, such as:
- Poor password policies, or none!
- Lack of knowledge/training across your team on how to identify and avoid malicious attacks or links.
- Lack of device management: security updates, or unsupported operating systems.
Improve your data and system security
If you don’t already have ACSC’s 8 essential cyber strategies in place, you need to act! If you don’t have the internal skills, or confidence in your current IT personnel, to implement these strategies, that’s a good reason to investigate looping in an IT partner who has the skills and experience to keep your data and systems safe.
Where do you start?
If data has been stolen, find out how. If you’re concerned about the security of your IT systems, use ACSC’s 8 baseline steps to determine the existence/strength of your cybersecurity strategies.
This will help you identify any weak links and prioritise the most important remedial actions to take. If you realise the problem is linked to a lack of IT tools or skills within your business, the quickest and cheapest way to remedy that is to partner with an outsourced IT provider.
Whilst it’s an easy process to employ someone with enough skills to manage basic, day-to-day IT needs within a small business, trying to build a team that has the necessary skills to manage all aspects of IT and cybersecurity is difficult, takes time and is undeniably costly!
The easiest way to mitigate wage and training expenses of building your own IT team is to partner with an outsourced MSP. An MSP gives your business or Firm a wide range of engineers with different skillsets to handle matters as they arise, within a set monthly fee.
Depending on which IT Provider and Plan you choose, the monthly cost of a good, all-inclusive Plan will cover all IT costs to your business other than unique projects and new purchases.
- itro Advanced – designed to reduce unforeseen costs.
- itro Ultimate – designed to remove unforeseen costs.
- itro Self-Serve – designed for inhouse IT Managers with limited tools and team resources.
itro has been managing IT for businesses and Firms for over two decades. We do not lock our clients into Fixed Contracts as we want our clients to stay with us because they love the service we give, not because they are contractually trapped.
Being cyber safe isn’t an impossible task, nor should it be ridiculously expensive!
Simple things such as password policies and training will make a big difference to your team’s focus on working safely online. Implement ACSC’s 8 essential cyber strategies, and partner with an MSP that will complement your team and proactively manage operational efficiencies and the security of your data and systems. And please, give itro a call on 1800 10 3000 today to find out how we can help you work through a data breach and manage your IT.