Why data protection is more important than ever – especially for SMEs

Friday, 29 June 2018


    Is your board of directors prepared for cyber security risks? Here's why data protection is especially important for SMEs.

    During the 2016–17 financial year, 114 data breaches were voluntarily reported to the Office of the Australian Information Commissioner. After mandatory notification came into force in February 2018, 63 incidents were flagged in just six weeks.

    In May, Family Planning NSW was a target of ransomware: cybercriminals hijacked computer systems, refusing to release the data unless a ransom was paid. The records of 8000 individuals were targeted. Health records are prized by cybercriminals — often as a precursor to identity theft — but it’s small and medium enterprises that are deemed most at risk.

    Digitally dependent large enterprises claim to understand the magnitude of the cybersecurity challenge. The ASX’s voluntary cyber health check offered to the top 100 listed companies last year revealed 92 per cent of respondents had a degree of confidence about their cybersecurity, but only 29 per cent believed management could detect, respond to and manage an incident with minimal impact on the business.

    Among SMEs, the situation is worse, says Terry Roberts, a former deputy head of US Naval Intelligence and now chair/CEO of ASX-listed WhiteHawk, the security marketplace she established to help businesses find affordable and effective cybersecurity solutions.

    “SMEs do not think they are a target and don’t invest in cybersecurity, even the basics. They don’t believe there is an affordable approach and won’t make that leap unless they have a contract at stake or have had [a breach],” says Roberts, speaking at an AICD event in Australia recently.

    Many local companies selling online to EU citizens or holding their personal data are now also subject to the General Data Protection Regulation. Organisations suffering a serious breach have 72 hours to notify authorities. Non-compliance can incur fines of up to four per cent of global revenues.

    Cybersecurity is a critical issue for all enterprises, according to Condoleezza Rice, a former US secretary of state and now a professor of political science at Stanford University. Speaking at Citrix Synergy in the US recently, Rice said companies must appoint directors skilled in cybersecurity, just as a board might appoint a finance or government relations specialist.

    “I agree with her 100 per cent,” says Roberts. “It’s only been in the past five years that cybercrime and fraud has moved against all business sectors. Directors don’t have the tech experience, they don’t think of it as a business risk and they tend to turn to their technical people to solve it. It’s not a technical issue, it’s a business issue analogous to physical security.”

    Roberts says companies must take a fresh look at their data and digital assets to identify what needs most protection. “Lock your windows and doors. Let’s put your jewels in a safe so at least if you have an event it won’t bring you to your knees and... [you’ll] be able to operate through it.”

    Regular backup is critical, particularly to withstand a ransomware attack. However, truly sensitive data needs additional protection, using encryption to ensure data cannot be read or used. Roberts also recommends companies seek a risk rating from an independent cybersecurity agency. “Immediately, it will show [if] you had a breach or your SSL certificates are out of date. Look at what impacts your revenue and reputation the most,” she says.

    “If you deal with your customers via your website, you need to protect your website; if you communicate via email, it’s email security; if you have proprietary data like manufacturing data, there are simple data lockers that cost $5000 to encrypt that data. With midsize and small companies, it’s never about doing everything — that’s not affordable or practical. It’s about figuring out those dependencies you have on the internet that have a huge impact on your revenue.”
