When is a hack a data breach? When do you need to report it?
When is a hack a data breach? And, if your business loses or has data stolen, what’s the best way to minimise ‘aftershocks’ of a cyber-attack?
Really, who cares? If your business is covered by the Privacy Act 1988 – you should!
As of 22 February 2018, all Australian organisations or agencies covered by the Privacy Act 1988 came under the NDB scheme – ‘Notifiable Data Breach’. OAIC, the government agency responsible for managing the NDB scheme states, in part, a data breach ‘…happens when personal information is accessed or disclosed without authorisation or is lost…’
However, a business may think that there’s wiggle room in that definition. One could reason that if only two parties know about a hack – the business and its attacker – then keeping a matter quiet is the best way to handle it, with the added benefit of minimising embarrassment. But something’s just happened which changes everything!
If your data gets stolen, but your team/business can work around it, do you need to report it?
Post-hack, businesses often undertake one of three actions:
- Work around the issue (say nothing, hope no one notices, rebuild operations);
- Pay for specialised professionals to try and recover locked data (expensive, unknown outcome);
- Pay the ransom (never, ever… please!);
- Report the hack.
Wait, didn’t I say three options? Why list four?
Some businesses, misunderstanding their legal responsibilities and the inevitable ‘shock waves’ that follow a hack, focus their efforts internally. It’s understandable that, in a time of crisis and frustration, it’s easier for a business to downplay the scale of a hack, try to work around the issue, minimise external involvement and questions (embarrassment), and pray the matter resolves itself quickly. Especially if the attack was made possible by poor decision making.
This is why the first three actions are often taken post-attack, while reporting gets overlooked.
Let’s face it, if your business has been hacked you’re in enough pain already without inviting some external (OAIC) or related party (vendor/clients) to add their voice and demands to the mix. But after a hack your business will need to deal with the two biggest shock waves of a cyber-attack:
- financial loss; and
- loss of reputation.
How your business chooses to view and handle the loss of personal data will determine how well it rides through the event.
Two issues intrinsic to hacks that hurt us
- Legal obligations
- Commitment to profit
If your agency or business is covered by the Privacy Act 1988, it is bound by the NDB scheme. Three criteria define what makes lost or stolen data an ‘eligible’ (notifiable) data breach:
- there is unauthorised access to, or disclosure of, personal information, or a loss of personal information, that an organisation or agency holds;
- this is likely to result in serious harm to one or more individuals; and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
What could make a business decide its stolen data does not need to be reported? Perhaps the business reasons that the information is only valuable to itself, and therefore something to be managed internally. Or it expects the theft and ransom demands to remain a private matter between the business and its hacker. If it can be kept quiet, ‘no harm, no foul’. Note that the scheme doesn’t turn on how valuable the data is to the business: what matters is whether it is personal information and whether serious harm to the individuals concerned is likely. A customer list, payroll file or client database that is copied out during a ransomware attack meets the first criterion no matter how routine it looks to you.
But hoping that nothing more than inconvenience will result from a data breach is not practical. Especially now that hackers have changed the game and are publicly exposing their victims!
Commitment to profit
Hackers are going public with victim names AND what data was stolen from their victims.
In December 2019 the cybercriminals behind a ransomware strain called ‘Maze’ launched their own website listing the company names of victims who had declined to pay a ransom. It announced, ‘Represented here companies don’t wish to cooperate with us and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!’
“Oh, that’s America”, you may say. But cyber-attacks aren’t defined or limited by geography or industry. All that is required to initiate an attack are devices with online connectivity – emails, Internet access – and a moment of distraction or unsuspecting click on a malicious link (URL) by an employee.
By escalating their methods to extract money through public humiliation, hackers are showing their commitment to making a profit! And whether or not it’s a deliberate attempt to leverage international privacy laws, by publishing victim names and stolen data hackers have heightened the risk to companies that fail in their legal obligation to report notifiable breaches.
Malicious hacker mentality and legal obligations are combining in a nasty way. The NDB scheme gives you at most 30 days to assess a suspected breach, and requires you to notify the OAIC and affected individuals as soon as practicable once you believe it is an eligible data breach. If your business sits on a breach instead, you are increasing the risk of destroying your business through loss of reputation should the matter be made public by external parties, and the attacker’s leak site may do exactly that.
Think of a company you’ve read about that got caught out failing in their responsibility to report a data breach or were slow to notify their stakeholders. How comfortable would you feel about doing business with them? How confident are you that such a business has your best interests at heart? Or that their systems are up to keeping your personal information safe? Once customer trust is broken, it’s very difficult to reestablish.
WHAT IS RANSOMWARE?
Ransomware is a malicious program (malware) that infects a device and holds it hostage, typically by encrypting its files, until the victim pays a ransom in exchange for access to their own files or device. Many current strains (Maze among them) also copy data out of the network before encrypting it, so that the attacker can threaten to publish it if the ransom isn’t paid. That second step is exactly what turns a ransomware incident into a data breach.
Protect your business from after-effects of a hack
3-Vital steps to minimise shock waves to your business post-data breach
Step #1: If data’s missing, report it!
Go to OAIC’s website and report the breach (visit step-by-step guidelines and online form) and start planning on the best way to inform anyone else that may be affected by the loss or theft of sensitive, personal data, such as clients, vendors, etc.
If you’re not sure if your agency or company is covered by the Privacy Act 1988 then find out today! Ignorance is not seen as an acceptable excuse for non-compliance by the Australian Government.
However, also keep in mind that the Office of the Australian Information Commissioner (OAIC) is there to help you. Aside from legal compliance, OAIC will do whatever they can to help minimise repercussions from a breach to your business. They may be able to give you invaluable tips on the best way to communicate a breach to affected parties.
In notifying affected parties, whilst it’s natural to feel embarrassed, remember that you’re giving them the best means to take proactive action to protect themselves – knowledge. By making them aware, you are helping them to minimise what harm will come to them from the loss – which is the purpose of the NDB Scheme! And you prove that the interests of your clients/stakeholders is vitally important to you. Instead of making an unpleasant event worse, open and honest communications can enhance the relationship you have with affected parties.
What about older, unreported data breaches? If you have lost personal information since 22 February 2018 and haven’t yet reported it – do it now!
Step #2: improve your data and system security
Find out how data was lost or stolen. By identifying the ‘gateway’ that allowed your data to be breached, you identify how to close or block the weak link in your cybersecurity. This could be anything from a lack of IT tools or skills in your business to human error. Do this before rebuilding: preserve logs, mailbox audit trails and a copy of affected systems first, because once machines are wiped and restored you can no longer establish what was taken, which is the very question the OAIC and your clients will ask.
Identifying your weak link allows you to prioritise the right remedial actions, quickly. And it gives you something positive to report to anyone else affected by the breach. It’s a great way to demonstrate how highly you value them, and the ongoing security of your systems and people.
Step #3: Never pay a ransom
Anyone who steals or encrypts your files and then demands money to release your data is not honourable. It’s not surprising, then, that paying a ransom guarantees nothing. You might get your data back, you might not, and if data was copied out before encryption the attacker still holds it whatever you pay. Paying also doesn’t change your NDB obligations: the personal information was still accessed without authorisation. And regardless of what happens, by paying a ransom you (unintentionally) perpetuate cybercrime. For those reasons, itro recommends you never pay a ransom demand.
8-Essential steps to protect your business from cyberattacks
Everyone in your agency, Practice or business needs to be committed to protecting your data! From business owner to senior management, to Partner, to your newest employee. Cybersecurity is a team effort because simple things are often the biggest ‘gateways’ for malicious attacks on your business and data, such as:
- Poor password policies, or none!
- Lack of knowledge/training across your team on how to identify and avoid malicious attacks or links.
- Lack of device management: security updates, or unsupported operating systems.
The landscape of cybersecurity has changed and continues to change. But you don’t need to feel overwhelmed! The Australian Government is committed to providing advice to help businesses stay safe online. See ACSC’s ‘Essential Steps to protect your business’ (Australian Cyber Security Centre).
The ACSC recommends eight essential steps as a baseline for businesses and Firms to protect themselves from cybersecurity incidents (refer ‘Essential Eight Explained’). These eight strategies cover three key aspects of IT:
- Protection from malware (ransomware is one kind of malware) being delivered or executed:
  - application control: blocking non-approved applications/programs from running;
  - configuring Microsoft Office macro settings to block malicious macros designed to exploit the Office macro environment (Secure your systems against malicious macros);
  - keeping applications patched with the latest updates;
  - user application hardening: configuring web browsers to block Flash (ideally uninstall it), ads and Java on the internet (refer to ACSC’s Guidelines for System Hardening).
- Limiting the extent of cyber-attacks:
  - restricting and regularly reviewing administrative privileges (limit who can access what);
  - multi-factor authentication (MFA) for remote access to your network (VPN, RDP) and for privileged users;
  - keeping operating systems patched with the latest security updates.
- Recovering data and system availability:
  - daily backups of important data, software and configuration, kept disconnected from the network (so ransomware can’t encrypt them too) and test-restored regularly.
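A quick way to see where a single workstation stands against four of these items is to read the relevant settings back from Windows. The script below is an added example, not code from the article, from itro or from the ACSC. It only reports and changes nothing. It assumes Office 2016 or later (registry version key ‘16.0’) with macro policy applied under HKCU\Software\Policies, an elevated PowerShell 5.1+ session, and a 30-day patch window as the threshold; adjust those for your environment.

```powershell
# Added example: read-only spot check of one Windows 10/11 workstation against four
# Essential Eight items (macro settings, application control, admin privileges,
# OS patching). Not from the article or the ACSC; it reports and changes nothing.
# Assumptions: Office 16.0 registry layout, policy under HKCU\Software\Policies,
# elevated PowerShell 5.1+, and a 30-day patch window as the threshold.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Office macro settings. VBAWarnings 4 = "disable all macros without notification";
#    blockcontentexecutionfrominternet 1 = block macros in files downloaded from the internet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or $props.VBAWarnings -ne 4) {
        $blocked = $props.blockcontentexecutionfrominternet
        if ($blocked -ne 1) {
            $findings.Add("Macros: $app allows macros from the internet (VBAWarnings='$($props.VBAWarnings)', blockcontentexecutionfrominternet='$blocked')")
        }
    }
}

# 2. Application control. An effective AppLocker policy with no rules enforces nothing.
$policy    = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$ruleCount = 0
if ($policy) {
    foreach ($collection in $policy.RuleCollections) { $ruleCount += @($collection).Count }
}
if ($ruleCount -eq 0) { $findings.Add('Application control: no AppLocker rules in effect') }

# 3. Restrict administrative privileges: list who is in the local Administrators group
#    so it can be reviewed. Every member here can disable the other controls.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)
$findings.Add("Admin privileges: review $($admins.Count) local Administrators member(s): $($admins -join ', ')")

# 4. Patch operating systems: date of the most recently installed Windows update.
$last = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
if (-not $last -or $last.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add("Patching: last hotfix installed on '$($last.InstalledOn)' (older than 30 days or unknown)")
}

if ($findings.Count -eq 0) { 'No findings for the four items checked.' } else { $findings }
```

Run it on a handful of machines and the output is a starting list of ‘gateways’ to close, in the same order of priority the ACSC uses. It deliberately says nothing about MFA or backups, because neither can be verified from a single endpoint’s registry; check those at the VPN/identity provider and by actually restoring a file from last night’s backup.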
If you don’t have these eight cyber strategies in place, you need to act! If you don’t have the internal skills, or confidence in your current IT personnel, to implement these strategies, it’s a good time to investigate a new IT partner who has the skills and experience to keep your data and systems safe.
Benefits of outsourcing to an MSP
The obvious benefit from partnering with an MSP (Managed Service Provider) is that you get a team of IT engineers whose whole purpose is to maximise the efficiency and security of your devices and systems. They actually love working with IT.
Unlike your team, they don’t need to split their time and attention between keeping up to date with IT and running your business. As they focus on keeping your IT secure and operational, your team is freed up to focus on what they need to do to keep your business profitable.
Outsourcing IT also frees your business from incidental costs of maintaining your own team (wages, training, etc). In fact, outsourcing is an invaluable aid to help work through one of the biggest IT challenges that faces a successful, expanding business… if, when and how to transition to your own fully-independent internal IT team.
It’s generally an easy process to employ someone with enough skills to manage basic, day-to-day IT needs within a small business. However, trying to build a team that has the necessary skills to manage all aspects of IT and cybersecurity is difficult and undeniably costly!
The smartest way to mitigate wage and training expenses is to partner with an outsourced MSP. An MSP gives your business or Firm a wide range of engineers with different skillsets to handle matters as they arise, on request.
Depending on which IT Provider and Plan you choose, the monthly cost of a good, all-inclusive Plan will cover all IT costs to your business other than unique projects and new purchases.
- itro Advanced – designed to reduce unforeseen costs.
- itro Ultimate – designed to remove unforeseen costs.
- itro Self-Serve – designed for inhouse IT Managers with limited tools and team resources.
itro’s team will work with you to ensure you have all 8 essential cybersecurity strategies recommended as baseline protection by the Australian Government. And once we ensure all potential cyber ‘gateways’ into your business have been secured, our team will ensure your devices and systems always remain updated for maximum protection and operational efficiency.
If you’d like to know more, but not yet ready for a conversation, please check out our website to see how we can look after your essential 8 strategies:
Protection from malware
Limit risk and extent of cyber-attacks
Easy recovery of lost or stolen data and systems
itro has been managing IT for businesses and Firms for over two decades. We do not lock our clients into Fixed Contracts as we want our clients to stay with us because they love the service we give, not because they are contractually trapped.
We have noticed a growing trend amongst IT providers to lock-in businesses with 12, 24 or 36–month contracts for Managed IT Services that incorporate outrageous legal fees, caveats and hidden costs for any requests deemed to fall outside the contractual definition of ‘support’.
Being cyber safe isn’t an impossible task, nor should it be ridiculously expensive!
Simple things such as password policies and training will make a big difference to your team’s focus on working safely online. Implement the ACSC’s 8 essential cyber strategies, and partner with an MSP that will complement your team and proactively manage the operational efficiency and security of your data and systems. And please, give itro a call on 1800 10 3000 or email [email protected] today to find out how we can help you manage your IT.