With heightened geopolitical tensions, and more and more users going online during the COVID-19 pandemic, cyber attacks against businesses have increased SIGNIFICANTLY.
In the last 12 months there have been numerous articles about a business or agency being compromised – TOLL, Anglicare and even Parliament House, to name a few.
If you look at the tech news coming from the US at this current time, the articles almost read like a joke. e.g. “Did you hear about the organisation that paid a ransom to some hackers to get their information back!”
In the words of internationally renowned security technologist, Bruce Schneier,
“Attacks don’t get worse, they only get better”
So what does this mean for you and your business? Do you head back to the ol’ paper records, address books and filing system? Take your business offline and hope for the best in this tech savvy era?
While data breaches and hacks are daunting and confronting, the above measures definitely do not form any part of our recommendations. We want you to stay online! But, PLEASE be safe! While it might be the inner Dad coming out…we mean it.
What we aim to do in this article is equip you with information about the responsibilities that your business has regarding online security.
Once you understand that you have responsibilities, and what those responsibilities are, you will be able to review your current processes to make any changes if necessary.
A review of your online security processes will help to protect your business, customers and the community around you.
Before we jump into the nitty gritty, we want to reiterate a key point that we believe to be true about online security – understanding and having appropriate online personal security measures in place will SIGNIFICANTLY help you to understand and ensure adequate online business security.
What you know and have in place for your own personal online security can also be applied to your business.
The main difference is that there can be legal requirements for businesses to have effective online security measures in place, whereas there is no such requirement for personal online security. Hopefully, a fundamental desire to keep yourself safe is enough motivation for you to get this in order.
Have a read of our previous blog to understand how your personal information can be easily given away online and the need to have good personal online security measures in place.
Alright, let’s take a little trip to the land of “the responsibilities your business has to online security”. It’s where data breaches are around every corner. Hackers are roaming the streets. Your business could be attacked at any moment. Your financials and reputation have the potential to be compromised. Your customers are relying on you, and you have obligations!!!
…look, we know it’s a terrible tourism campaign, but we’ve got to take you there. There’s too much at stake if your online security is just left unattended!
So, let’s have a closer look at the 3 responsibilities every business has to online security:
1. You have a responsibility to protect your business online.
As a business owner, you have a responsibility to take online security seriously!
If you suffer from an online security breach, the potential implications for your business can vary from mildly vexatious to catastrophic, both in the reputational and financial sense.
Apart from impacts to yourself, you should also consider what the impact could be on your staff and other stakeholders involved with your business.
To give a personal example, I was asked by a potential customer to fix up their website. It had been the victim of a cyber attack.
Unfortunately, they had not properly assessed the importance of their business’s online security. When I asked the question “Is the system backed up?”, there were no prizes for guessing what the answer was: “No”.
Fortunately they did not have any customer data stored behind the website. I’m happy to say that we successfully replaced the complete website, and it has not been compromised in the five years since.
Regrettably, the loss of the website did cause a great deal of reputational damage at the time.
Whilst it can be hard to recognise the value (particularly if you’re not in a tech field), it is worth your while dedicating effort to ensuring that your business’s online security is as robust as possible.
It is a good idea to dedicate some time to preparing your business’s online security plan and prevention methods. As the saying goes “an ounce of prevention is better than a pound of cure”.
How to protect your business online.
The Essential Eight, produced by the Australian Signals Directorate, is a list of eight key steps to minimise your business’s cyber security risks.
We strongly encourage you to review the Essential Eight in detail here, but to boil it down, here are the things they recommend you do:
- Application Control – Only run programs you know and trust.
- Patch Applications – Make sure that your software and programs are up to date. Regularly check for security updates.
- Configure Microsoft Office macro settings – Turn off/disable macros (i.e. scripting) in the Microsoft Office Suite.
- User application hardening – Consider which features you actually need your programs (including your web browser) to run and disable the rest. Commonly exploited features include Flash, Java, web ads, unneeded settings in Microsoft Office and PDF viewers.
- Restrict administrative privileges – Only use administrative accounts for tasks that need them. E.g. do not use your administrative account to access your email.
- Patch operating systems – Make sure that your operating system (i.e. Microsoft Windows, Mac OS, Linux etc.) is up to date. Check for patches and security fixes, and apply them within 48 hours.
- Use multi-factor authentication – This means two or more verification factors when logging in:
  - Something you know – password, security questions.
  - Something you have – token, One Time Password generated by an application or sent via email or text.
  - Something you are – fingerprint, behavioural analysis.
- Regular backups – Make daily backups of important new/changed data, software and configuration settings, stored disconnected and retained for at least three months. Test restoration initially, annually and whenever IT infrastructure changes.
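The backup recommendation above is the one most businesses get wrong: backups exist but nobody checks that they are taken daily, kept long enough, or actually restore. The script below is an added example (not from the Essential Eight or this article) that audits a list of backup dates against those three rules and verifies a test restore by comparing file hashes; all file names, dates and contents are constructed for illustration.

```python
"""Backup hygiene check modelled on the Essential Eight backup control:
daily backups, retained for at least three months, restoration tested.
Added example; dates, file names and contents below are constructed."""
import hashlib
from datetime import date, timedelta

RETENTION_DAYS = 90  # "retained for at least three months"


def audit_backup_dates(backup_dates, today):
    """Return a list of findings (empty list = healthy).

    backup_dates: iterable of ISO date strings, one per backup taken.
    today:        ISO date string for the day the audit runs.
    Checks for a backup today, no gaps in the last seven days, and that
    the oldest surviving copy is at least RETENTION_DAYS old."""
    have = {date.fromisoformat(d) for d in backup_dates}
    now = date.fromisoformat(today)
    findings = []
    if now not in have:
        findings.append("no backup taken today")
    missing = [now - timedelta(days=d) for d in range(1, 8)
               if now - timedelta(days=d) not in have]
    if missing:
        findings.append("missing daily backups: " +
                        ", ".join(d.isoformat() for d in missing))
    if not have or (now - min(have)).days < RETENTION_DAYS:
        findings.append("retention shorter than %d days" % RETENTION_DAYS)
    return findings


def verify_restore(original, restored):
    """Compare files restored from a backup against the live originals.

    Both arguments map file name -> bytes. Returns the sorted names of files
    that are missing from the restore or whose SHA-256 digest differs."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    return sorted(name for name, content in original.items()
                  if name not in restored or digest(restored[name]) != digest(content))


def example_findings():
    """Constructed scenario: 120 days of backups with one day skipped, and a
    restore in which the config file came back different from the original."""
    today = date(2021, 6, 1)
    dates = [(today - timedelta(days=d)).isoformat() for d in range(120) if d != 3]
    live = {"site/index.html": b"<h1>Hello</h1>", "site/config.php": b"<?php $db='x';"}
    restored = {"site/index.html": b"<h1>Hello</h1>", "site/config.php": b"<?php $db='y';"}
    return audit_backup_dates(dates, today.isoformat()), verify_restore(live, restored)


if __name__ == "__main__":
    print(example_findings())
```

Run it on a real backup directory by feeding the modification dates of your backup files and a freshly restored copy; any non-empty result is a finding to fix before you need the backup for real.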
If you apply these recommendations to your business and maintain them regularly, it’s really going to save your bacon in the event of something happening.
2. Your business has a responsibility to protect your customers online
As we can see from our previous article “How Your Personal Information Can Be Given Away Online”, your business will likely hold a lot of data about your customer base.
Should you suffer from a cyber attack or data breach, the ramifications for your customers and, in turn, your business could be devastating.
Your reputation is at stake and in the hands of what you have in place to protect your customers. They’re putting a lot of trust in you to ensure that they are kept safe.
The continuous threat of information being compromised is taken seriously and the Australian Government has laws in place to ensure the protection of personal information.
The Australian Privacy Act 1988 requires businesses to actively keep their consumers’ information safe.
If you want to understand the Privacy Act and how it applies to you, The Office of the Australian Information Commissioner has created The Australian Privacy Principles (APP).
Yes, the document is extensive, but it is definitely an essential read to assess your requirements.
Businesses that do not fall under the legal requirements of the Privacy Act are small businesses with a turnover of $3 million a year or less.
However, there are exceptions to this, and they include:
- Health Service providers,
- Credit reporting bodies,
- Organisations that trade in personal information,
- Employee associations registered under the Fair Work Act (FWA), and
- Organisations that opt-in to the Australian Privacy Principles.
While your business may not be legally liable under the Privacy Act, we want to encourage you to cover your back anyway.
How to protect your customers online.
- Read the APPs:
APP 1 — Open and transparent management of personal information
APP 2 — Anonymity and pseudonymity
APP 3 — Collection of solicited personal information
APP 4 — Dealing with unsolicited personal information
APP 5 — Notification of the collection of personal information
APP 6 — Use or disclosure of personal information
APP 7 — Direct marketing
APP 8 — Cross-border disclosure of personal information
APP 9 — Adoption, use or disclosure of government related identifiers
APP 10 — Quality of personal information
APP 11 — Security of personal information
APP 12 — Access to personal information
APP 13 — Correction of personal information
This checklist will help you identify how you meet your privacy obligations, improve your current privacy management processes, identify potential areas of risk, and work out how to reduce those risks.
- Read and understand The Notifiable Data Breach (NDB) Scheme.
If your business has an obligation under the Privacy Act, this scheme applies to you. You are required to identify the breach, assess it, notify your consumers, and provide a statement.
Even if you’re not obligated to follow the NDB process, it would be excellent practice to adhere to it regardless. And, interestingly, even if your business does not have mandatory reporting obligations, the majority of people believe that they should be notified if there has been a data breach of their information (as per the ACAPS 2017 report).
- Make the necessary changes based on what you learned by doing the above 3 actions.
- Sit back and watch those hackers get turned around empty handed while you’re sipping your “well-done beverage”.
3. Your business has a responsibility to protect the communities it is involved with online
You might be wondering what we mean by communities here. Communities extend further than your customers. They can be the customers of your customers, or anyone that you or your customers have information stored for.
While you may be legally obligated to protect your customers online, you need to consider the wider community that you are responsible for too.
Let’s suppose, hypothetically, that someone breaks into your system. If they were then to go on and steal your access credentials (username, password etc.) to a local government payment system, or federal government system, then you have also given them a backdoor into another system.
I often think about the community that I am responsible for. My clients are really varied in industries as I create a web presence based on that need, not for my client’s business purpose.
If someone were to break into my system, they would have access, not only to my client’s information, but to my clients’ customer information and, in some cases, payment systems.
A breach to my data gives a hacker a field day! They can steal information, impersonate me or my clients, scam their extended community…the options for them are endless, and it’s destructive.
Have a think about some of the community organisations your business deals with – churches, sporting clubs, etc. Imagine the potential damage a hacker could do to that organisation if your password was leaked.
There really is no better time than now to seriously review your online security measures.
If you’re still at a loss as to where to start, go to the Essential Eight, produced by the Australian Signals Directorate.
The information available to Australian business owners from the Australian Government is extensive and useful!
It is your responsibility to get informed and be safe.
Are you a victim of cybercrime?
If you have been the victim of cybercrime, you can report this to the Australian Cyber Security Centre via their online reporting portal.
How we can help you with online security.
We have a range of security measures and reporting that we undertake for our clients and for us.
We monitor security channels on the internet to ensure we are up to date with the latest advice to be as pro-active as possible. Along with our monitoring, we deploy a range of services to assist us in doing this.
If you would like to know more about your responsibilities and improving your online business security, we can assist in several areas.
Reach out today so we can have a conversation helping you to keep your business and your customers safe online.
Get help here with your Business Security
Get in touch today and mention this article!
Coming up on the blog…
Our next blog will look more closely at password security – we’ll help you say goodbye to passwords like ‘123abc’, QWERTY, and say hello to excellent password security!