In brief - All businesses are vulnerable to attacks by cybercriminals
The risk of a business experiencing a data breach continues to rise, as do the costs to businesses which experience such breaches. Cybercriminals can target even small and low-profile businesses, so SMEs should actively take steps to reduce the risks.
What is a data breach?
The term "data breach" refers to an incident in which an organisation's data is exposed to unauthorised observers. This can occur when hackers obtain access by exploiting weaknesses in a computer system, or employees copy data and make it available to others, or storage devices containing data are inadvertently lost.
While the effects of most breaches are dwarfed by Edward Snowden's notorious leak of roughly 1.7 million classified documents, typical cybersecurity breaches still pose a substantial risk to businesses.
Data breaches are expensive
According to Ponemon Institute's 2014 Cost of Data Breach Study: Australia, the average cost of a data breach in 2014 was $2.8 million. The most significant costs of a breach include investigation costs, forensic costs and legal costs (roughly 30% of costs) and lost customer business, including business interruption, loss of customer goodwill and reputational loss (roughly 25% of costs).
Cybercriminals target everyone
You may think that the small size and low profile of your business makes it unattractive to hackers. This is misguided. Recent years have seen the widespread distribution of programs which allow cybercriminals to scan large numbers of potential target computers and identify vulnerable machines for further exploitation. It is critical that businesses take appropriate steps to secure all internet-facing computer systems. Relative anonymity is not a defence.
Retailers: your POS is probably vulnerable
Another recent survey, Verizon's 2014 Data Breach Investigation Report, indicates that roughly 31% of all reported security breaches from 2011 to 2013 were attacks on point-of-sale (POS) terminals. Of these attacks, roughly 87% compromised the terminal and began extracting data in a matter of minutes. The majority of POS intrusions (85%) are not discovered for weeks, and almost all breaches are discovered by external parties (99%).
POS terminals are an attractive target because they are often remotely accessible, weakly protected and can provide an intruder with access to unencrypted payment card data. Recent research estimates that Australian retailers have roughly a 21% chance of experiencing a data breach within the next 24 months.
The risks posed by a disgruntled employee with unrestricted access to your computer systems are considerable. Businesses with significant digitised intellectual property are especially vulnerable. It is prudent to give staff members as little access as they require to do their job. This means giving some thought to establishing appropriate levels of access for different classes of employees.
The Australian Privacy Principles (APPs) came into force on 12 March 2014. If your business has an annual turnover of over $3 million, there is a good chance that the APPs apply to you. If you hold "personal information", which is defined broadly, the APPs require you to take steps which are reasonable in all the circumstances to protect the personal information held from misuse, interference, loss and unauthorised access and disclosure.
According to the Ponemon report, the cost of lost business associated with cybersecurity breaches has increased over the last five years, from an average of $660,000 in 2010 to an average of $850,000 in 2014. This is linked to an increase in the number of customers taking their business elsewhere in the wake of a security breach.
Both these trends are likely to continue as customers become increasingly privacy-conscious and technically literate. Common sense suggests that SMEs with significant online operations are especially dependent on consumer trust. A reputation for excellence in security may confer a competitive advantage.
Cloud computing services
Cloud computing services require the purchaser of the service to place a great deal of trust in the vendor or service provider. The involvement of a cloud service provider introduces a number of additional risks, including the risk of business interruption due to server or network failure and the risk of unauthorised access to data by third parties, by the vendor's other customers or by the vendor's own staff.
Bring your own device policies
Businesses should be aware that "bring your own device" (BYOD) policies increase their cybersecurity exposure. Note that a smartphone which interfaces in any way with your business's computer systems is a "device". While BYOD may save on hardware costs, the policy and the technology which supports it must be implemented well.
Surveys suggest that an employee's device is more likely to be lost than stolen for its data. Even so, the employees' devices constitute another gateway through which malicious parties might seek to attack a network.
Businesses should carefully consider how to secure the device, the device's operating system and other software, the connection between the device and the corporate network and any data which remains on the device after disconnection from the network.
What should businesses do to reduce cybersecurity risks?
It is abundantly clear that no network security system is impenetrable and no firewall is unbreachable. Accordingly, it is important to consider ways of reducing the risk of a cybersecurity breach and mitigating any harm a breach causes.
Many businesses could benefit from:
- assessing what systems and information they need to secure
- assessing what threats pose the greatest risks to those systems and information
- reviewing their current security systems, including physical security, logical security, staff training and policies
- considering whether the use of multiple redundant security strategies can provide better security, and if so, implementing these
- implementing appropriate encryption to protect sensitive information
- ensuring that software and operating systems are kept up to date, especially with any security-related patches
- assessing what notification requirements may apply (i.e. do you need to notify a regulator?)
- ensuring that there is an up-to-date incident response plan for cybersecurity breaches
- identifying appropriately qualified security consultants who can advise on current practices and can assist in management of a breach
- developing a cybersecurity incident response team, including representatives from key corporate groups such as human resources, legal and customer services; the incident response team should have broad authority and be available around the clock
- undertaking a privacy health check for the purpose of compliance with the Privacy Act
- undertaking an insurance health check to assess whether existing policies provide adequate cover and assessing whether a specialist cybersecurity policy is required to fill in gaps in coverage
This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2019.