Important! New mandatory data breach reporting laws may impact your company.

Australia’s laid-back attitude is one of the more attractive aspects of our culture; it is also one of the most dangerous when it comes to the very real threat of cyber security. This is evident from the fact it is currently not mandatory for Australian businesses to report data breaches of their systems to clients.

However, with the Federal Government’s proposed introduction of mandatory breach notification for Australian businesses by the end of this year, the need for affordable cyber security and penetration testing has moved from being simply a smart business decision to one legislated by our government.

“We are losing data every day that we are not even aware of,” said Ravin Prasad, CEO of Brisbane-based Cybernetic Global Intelligence (CGI). “It is amazing to me that cyber security is not seen as a critical issue in Australia, particularly when you take into account the attacks happening globally.”

The failure of the Census website to handle the volume of traffic on Census night (August 9) – initially reported to be compromised by overseas hackers before it was revealed the site had been subject to four denial of service attempts – has now placed cyber security well and truly in the spotlight.

Under the proposed government legislation, organisations with an annual turnover in excess of $3 million will be required to report any known serious data breaches within 30 days. Penalties for non-compliance include $340,000 for individuals and up to $1.7 million for organisations.

Mr Prasad said it is well past the time for Australian businesses to take cyber security seriously.

 “We have this mentality that we are so far away here in Australia that nothing will happen but Australia has become somewhat of a testing ground for cyber-attacks because of the lack of systems and mandatory reporting,” Mr Prasad said.

“It is good to see the government is responding by proposing this legislation, however, organisations should be driven more by the need to ensure their data is secure rather than the risk of government penalties.

“When we test the cyber security of Australian companies, we often find they are using outdated systems or certifications and security simply is not a priority.

“Often data security only becomes an issue for many Australian companies once they have been hacked rather than them taking a pro-active approach and having testing done routinely which is much more the case internationally.”

Mr Prasad said companies often fell into the trap of thinking their outsourced IT work – a majority of Australian companies now outsource their IT to a managed service provider – includes security when in fact it often only covers the purchase and maintenance of software and hardware. He likened this approach to installing an alarm system while leaving the front door wide open.

The draft of the proposed mandatory data breach notification scheme defined a serious breach as unauthorised access to, disclosure or loss of customer information which could result in a risk to that individual. This may include personal details, credit reporting information, tax file number and credit eligibility criteria.

The breach notification is required to include a description of the breach, the information involved and advice on how customers should respond to avoid financial loss or identity theft.

Mr Prasad said this was definitely a step in the right direction. However, he recommends a pro-active approach to data security – where cyber security specialists are engaged to check your systems.

“This would help to eliminate data breaches, reduce litigation from clients whose information has been hacked, will likely save you money which would otherwise be spent on unnecessary software and would protect organisations from having their credit ratings and customer confidence reduced if a cyber-attack did occur,” he said.

“It also means they will be compliant with the new legislation which is expected to be implemented before year’s end.”

Cybernetics Global Intelligence is a cyber-security specialist where each team member is a stakeholder in the company and has more than 15 year’s experience in data security. For more information on the services offered by Cybernetics Global Intelligence and their fees, visit the website at: https://cybernetic-gi.com/

Read Our Latest Blogs