The costly business of ignoring cyber security
Australian companies are now required to take ownership of security breaches under the Notifiable Data Breaches (NDB) Scheme. The NDB became law on 22 February 2018 and requires businesses with an annual turnover of more than $3M to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of eligible data breaches. The NDB provides a potential platform for government and industry to work together to protect the security of individuals and intellectual property.
Lani Refiti, Director at the cyber security consulting practice of PricewaterhouseCoopers (PwC), talks about the NDB and the potential issues it raises for industry and government. Lani works specifically on the cyber security consulting team: “We talk to larger customers about protecting their business, staff and customers from attacks.”
Every survey, research article and academic article reports growth in breaches and attacks. The main reason is that business is done online and more businesses are becoming interconnected. Lani says, “Cyber criminals look for the juiciest target and committing attacks online is much easier with less chance of being caught.”
The Privacy Commissioner has always encouraged businesses to be proactive and report their breaches. “However, only a handful of businesses have done that,” says Lani. Now, with the NDB in place, reporting is mandatory.
Security needs action
Regulation in isolation isn’t the answer to improving security, Lani believes: “Regulation on top of security awareness and ensuring executives and board directors are well informed—by using a broader holistic approach is good.”
Reporting breaches isn’t new. The UK and the US have had similar breach notification requirements for nearly a decade. Lani says of Australia, “The NDB is a good start. There are a lot of criticisms about the bill itself in terms of ambiguity of the language, fines not really being that much of a deterrent. Those things are true. However it is better than what we’ve had, which is nothing.”
The security specialist says, “You start off with something and you fine-tune it.” Lani hopes in the future, “The government doesn’t surprise the industry by saying: ‘Here is an NDB update’. We hope there is enough consultation and feedback to allow them to strengthen future policy.”
The cost of ignorance
With cyber security, businesses need to be aware of the consequences if they are found negligent. “The first is your legal obligations under the bill. The fines are up to $1.8M so if you don’t have the relevant protections in place, or cyber insurance, (depending on your business) a serious breach could mean the end of your business.”
Another serious consequence of a security breach is brand damage. Lani says reputation is a high priority for any organisation, particularly a small to medium business: “It’s a competitive market space.” If you were negligent with your security, the impact on your business may be severe: there is a good chance you go out of business as you face lawsuits and customers move to your competitors.
A lot of people miss the third cost. “You have the legal fines and regulations, there is brand damage, but you’ve also got the cost of investigating a breach if one occurs.”
Businesses have 30 days to assess a suspected breach once they become aware of it. “There will need to be an investigation or an interim response exercise to find out what happened, how it happened, what records were breached and then go through the process of notifying the people affected. Now that in itself is a costly exercise,” advises Lani. “Most small to medium sized businesses won’t have an information security officer, let alone someone who runs IT.”
By comparison, a large government department, large company or bank will have a well-funded security team, typically employing 10 to 20 or more people in different security roles, some of them dedicated to incident response or security operations and tasked with protecting the organisation from direct attacks.
Resilience comes with size
Large organisations have the size to withstand a breach. The case most often cited is the 2013 Target breach in the USA: “That’s usually used as the gold standard in terms of one of these cases.” Target was breached and lost millions of payment card records. Target estimated the breach cost it somewhat under $200M in lost earnings, remediation costs and fines. But Target is a multibillion dollar retailer, so it has the size and the resiliency to weather this kind of event.
“If you look at their financials now they’ve recovered, their share price is higher than what it was, their sales are back to what they were. This is a multibillion dollar business though.”
If you’re a small $10M–$20M business, the question is how well you can withstand a breach given the brand damage and the fines you may incur.
Lani recommends that businesses investigate the current state of their security program and the “efficacy of its security controls”. Assess the program with an experienced in-house team, or engage a third party to assess it. Once any weaknesses have been identified, create an improvement strategy to strengthen the controls.
The supply chain risk scenario
Lani says supply chain risk is a common concern for larger businesses. An example is a larger organisation that employs sub-contractors with turnover under $3M, which are therefore not themselves obligated under the NDB to report a security breach.
If the sub-contractor suffers a breach, it still has to be reported by the party responsible for the data. Two things could then happen to the sub-contractor: A: it could lose its contract immediately or, B: it could get caught up in the brand damage because it would be named in the larger organisation’s disclosure.
To mitigate the risk of contractors or sub-contractors being breached, the parent company should impose requirements on them. For example:
- requiring that specific security technologies and controls are in place
- writing minimum security management requirements for suppliers into the terms of the contract.
Terry Group Consulting (TGC) will be highlighting the perspectives of different experts within the field of cyber security. We thank Lani Refiti, long-time security professional, entrepreneur and business technologist, for his interview.
Next week, Malcolm Burrows, Legal Practice Director at Dundas Lawyers will offer a legal perspective.