After a long path through Parliament, Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017 has come into effect today, and almost every Australian business of significant size must comply with this new law.
From 22 February 2018, amendments to the Privacy Act make it obligatory for organisations covered by the Australian Privacy Act (this includes all Australian government agencies, and businesses and not-for-profit organisations with an annual turnover of $3 million or more) to notify certain breaches.
But Canon Australia’s Business Readiness Index on Security has found that Australian businesses with unsecured data could continue to put fellow organisations at risk.
The research revealed that there is a concerning lack of awareness of the new laws, with less than half of businesses (41%) affected aware of the incoming legislation.
Small businesses are the least concerned about data security, and they are also less likely to be aware of and prepared for the new regulations, with only 1 in 5 small businesses citing awareness.
This is concerning given failure to comply puts private organisations with a turnover of more than $3 million at risk of crippling fines of up to $2.1 million.
Not only does this leave these businesses vulnerable to data breaches, but their lack of preparation could also make them a potential back door for hackers targeting larger enterprises, and cost them contracts in the long run.
Of those that were aware, few scored well on ‘preparedness,’ despite potentially crippling fines of up to $2.1 million for non-compliance.
Businesses simply aren’t prepared enough, particularly small businesses.
Only 40% have 6 or more of the Australian Signals Directorate Essential 8 (ASD8) strategies in place; this decreases to 27% for small businesses, with 12% having no ASD8 strategies in place at all.
The prognosis is clear: Australian businesses need to improve their data protection measures. Failure to do so could risk compromising confidential data, expose them to hefty fines and lead to significant reputational damage.
The biggest risks & what to do about them
Across the board, businesses reported that technology was seen as the biggest vulnerability when assessing their security risks. However, this trend changes as the report looks at larger businesses, which have a more balanced view of their risks across people, processes and technology.
While medium and large businesses have a more balanced view of their security risks, small businesses are less aware of the risks to their business caused by their people and processes.
“The lack of awareness around the non-technological threats is a concern and creates a considerable vulnerability in the Australian business landscape – particularly for organisations that are partnering with small businesses that may not have comprehensive security measures in place,” the report said.
“Employees in particular pose a huge threat to business’ information security, whether that’s by intentionally taking or unintentionally jeopardising information.”
“Small businesses are just as vulnerable when it comes to the people in their business. 80% of hacking-related data breaches involve weak or compromised passwords.1 Making sure that your people understand the threats and are trained to help protect your business’ information will help you turn your weakest link into your best weapon against cyber-attacks.”