[This article appeared originally at Business First Magazine]
Is your company ready for the introduction of proposed legislation which will make it mandatory to report serious, known data breaches within 30 days?
If you believe your organisation is fully secure, you need look no further than recent attacks on a number of Queensland councils, including one which defrauded Brisbane City Council out of $450,000, not to mention the purported four denial of service attacks which resulted in the decision to close down the Australian Census website on August 9.
Ravin Prasad, CEO of Brisbane-based Cybernetic Global Intelligence, said many organisations were under the misguided impression that the outsourced IT work done by their managed service providers covered cyber security and penetration testing, when in fact many such arrangements do not.
“This misunderstanding, which is very common among companies which do not specialise in IT and so need to outsource the work, leaves many companies unnecessarily vulnerable,” Mr Prasad said.
“A lot of managed service providers do a great job of ensuring your company has the right IT and ensuring it is well maintained, but cyber security is a separate industry in itself utilising a different set of specialised skills.
“Without the right cyber security and penetration testing of your organisation’s IT systems, you are risking the unauthorised release of your client’s information, your company’s intellectual property and possibly being non-compliant with the new legislation which is expected to be enforced by the end of this year,” Mr Prasad continued.
“It is absolutely necessary that companies check if cyber security is included in their contract with their IT provider. If it is not, they really do need to source a company which specialises in cyber security to do the work for them. The additional cost is less than you would expect.”
Mr Prasad, who has worked in the cyber security industry for 10 years, said that when testing the data security of new or prospective clients, Cybernetic Global Intelligence regularly discovered that state-of-the-art IT systems had been compromised because some basic cyber security measures had never been introduced, leaving those systems easy to hack.
If the Australian Government’s proposed mandatory data breach notification legislation is passed, companies with an annual turnover above $3 million will be required to report serious data breaches to clients and the Privacy Commission. Non-compliance can result in fines of up to $1.7 million for organisations.
The breach notification legislation defines a serious breach as unauthorised access, disclosure or loss of customer information which may cause harm to that individual. This includes personal details, credit information and tax file numbers.
“When you think about the increase of ransomware attacks on business – where your company is locked out of accessing data by a hacker and is often forced to pay a ransom to retrieve it – investment in cyber security very often pays for itself,” Mr Prasad from Cybernetic Global Intelligence said.
“It is also important to realise that once your system has been compromised by ransomware, hackers have also often installed malware which allows them to monitor all traffic within the business.
“The Australian Cyber Security Centre (ACSC), in its 2015 Cyber Security Survey on Major Australian Business found there had been a significant surge in the number of ransomware incidents with 72% of respondents reporting such an attack in 2015, compared to just 17% in 2013.
“It is reasonable to assume hacktivism and cyber-attacks will continue to rise as we become increasingly reliant on technology,” Mr Prasad continued.
“Specialised cyber security is the best insurance policy you can take out on your IT systems. It is infinitely better to be proactive rather than to wait for an attack and rue the consequences.”