A recent survey conducted by a multinational professional services firm based in Australia has determined that many Australian organisations are not prepared to meet the increased threat of cyber-attacks.
A report titled ‘Perspectives on Cyber Risk 2017’ (‘the Cyber Report’) states that 18 per cent of respondents said that their organisations were subject to more than five cyber incidents in the previous 12 months. This figure was up from 8 per cent the previous year. The Cyber Report also says that by 2021, the world will see annual losses of more than $6 trillion from cyber risks.
An insidious type of cyber-attack comes in the form of what is called ‘ransomware’, where instead of trying to outright “steal” data from organisations, the scammers take information and data “hostage” and then demand a fee for its safe return – cyber-kidnapping, effectively.
The Cyber Report also said that 42 per cent of respondents said they do not have a data breach response plan setting out the immediate action to take in the event of a cyber breach. This is despite the fact that the Cyber Report also shows an increased uptake of cyber insurance, at least foreshadowing a willingness to manage cyber risks. Insuring against risk is one thing – and unarguably very important – but that does not mean turning a blind eye or becoming complacent in what can be a hostile online environment.
Cyber-attacks can be extremely costly, in more ways than one. Paul Kallenbach, a technology partner at the firm that commissioned the Cyber Report, said, “Cyber attacks can entirely shut down businesses, causing significant (and sometimes irreparable) damage to corporate and government reputations, relationships and systems. They can adversely impact other businesses in the supply chain, compromise the privacy of millions of individuals, and threaten economic wellbeing and national security.”
Businesses need to take a proactive and immediate approach in educating their staff about the risks of cyber-attacks, the various forms these attacks take – which evolve and disseminate rapidly – and what can be done to alleviate the risks through strict policy and procedure about email and online use. It’s about being aware of “what’s out there” in terms of scams, educating staff and taking immediate action to reduce the risks. Should an attack be successful, businesses need to respond immediately, in terms of recovery of data and systems.
Reconsideration of this issue is timely, because in February 2017 the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed the Senate. The Bill amends the Privacy Act 1988 (Cth) to include mandatory reporting of data breaches. The changes will require organisations subject to the Act to notify the Australian Information Commissioner and any individuals affected by a data breach that is likely to cause serious harm.