Cyberattacks are becoming a regular occurrence for Hunter and Central Coast businesses. No business is immune.
What attacks is your business at risk of?
Cybercrime covers offences in which computers or other information and communications technologies are an integral part (such as online fraud), as well as crimes directed at computers or other technologies (such as hacking).
According to the Australian Criminal Intelligence Commission (ACIC), cybercrime costs the Australian economy up to one billion dollars annually in direct costs alone.
Australia is an attractive target for serious and organised crime syndicates due to its relative wealth and high use of technology such as social media, online banking and government services.
The costs of a cyberattack
There are not one but three types of costs you may incur if your business experiences a cyberattack: economic, reputational and legal.
The four economic costs are:
- theft of corporate information
- theft of financial information or money
- disruption to trading
- loss of a business or contract.
Reputational damage or damage to brand can occur in several ways:
- Loss of customers
- Loss of sales
- Reduction in profits.
A Forbes Insight report found that forty-six per cent of organisations had suffered damage to their reputations and brand value as a result of a cyberattack and nineteen per cent of organisations suffered reputation and brand damage as a result of a third-party security breach.
There are also several legal consequences or costs arising from cyberattacks:
- Penalties for negligence
- Legal action from impacted parties
- Trading sanctions until a business rectifies the cause of the breach.
Penalties for notifiable data breaches used to be calculated based on the size of the organisation and the amount of data that was confirmed stolen.
Now, the Office of the Australian Information Commissioner (OAIC) tends to base fines on the level of negligence by the business that led to the breach.
Three ways to minimise the impact of cyberattacks on businesses
- Cybersecurity Policy
A cybersecurity policy helps protect your organisation and demonstrates a level of diligence in the protection of your systems and data.
As a business owner or business leader you have an obligation to ensure every staff member has read your cyber policies, really understands what they mean and signs off to confirm that. Review your policies regularly (every one to two years) and ensure staff are aware of any changes.
- Awareness Training
Staff awareness training demonstrates diligence in ensuring staff are properly educated and shows your business takes cyber security seriously.
In the past six months, seventy-five per cent of data breaches that I have personally been involved in investigating could have been avoided had staff been made aware of the signs.
It is also important that staff know what legal obligations they have when handling your clients’ and customers’ personally identifiable information.
Both your organisation and your employees will be held accountable by the OAIC in a data breach situation. It is your responsibility to provide staff with the proper training and tools, in a similar fashion to Work Health and Safety.
- Breach Response Plan
A Data Breach Response Plan can go a long way to reducing the impact of a cyberattack on your customers’ perception.
If your business is breached, the last thing you want to be doing is figuring out how you’re going to address the situation. Having a proper plan will help your organisation to:
- quickly mobilise the right resources (who in your organisation knows what to do?)
- promptly and clearly communicate with customers and staff
- identify if a notifiable data breach has occurred and respond to the OAIC in a timely manner (thirty days)
- prepare the necessary information if an audit is required.
The six Ps are key to protecting your business from costly cyberattacks – proper prior planning prevents poor performance.
This is an edited version of Glendin’s presentation at the Diamond IT second annual Newcastle and Hunter Cybersecurity Forum.