Despite having a year to prepare for the new notifiable data breach (NDB) scheme, almost two-thirds of Australian businesses remained unaware of the new legislation as recently as last month, according to a new survey that also found Australian businesses failing to implement even basic protections for their infrastructure.
The figures are a wake-up call for a business community that has had a year of preparation in anticipation of the February 22 NDB deadline. Yet as of January, 59 percent of Australian small businesses – and nearly 80 percent of small businesses – still had no idea what NDB means for them or what they should have been doing to prepare for it, according to GfK-Canon Australia’s newly released Business Readiness Index on Security.
This level of ignorance had translated into worryingly low levels of risk assessment and compliance efforts. Just 56 percent of Australian businesses said they had conducted a risk and management assessment in the leadup to the NDB – a similar percentage to the 56 percent that have a documented internal IT security/cyber security policy for their employees, and the 55 percent that invest in security training for their employees.
Despite that level of risk awareness, actual action to address NDB exposure was lighter on the ground. Just 27 percent of small businesses, for example, said they have implemented six or more of the Australian Signals Directorate Essential 8 (ASD8), while 40 percent of larger businesses had done the same.
The low level of compliance was correlated with low levels of concern about the likelihood of a security breach. Just 38 percent of all businesses said they were ‘extremely concerned’ or ‘very concerned’ about the likelihood of a security breach within the next 12 months, with just 21 percent of small businesses expressing their concern.
Even where a breach had been detected in the past – viruses, spam, malware, phishing and ransomware had all been experienced by survey respondents – the average time to detect the breach was 24.7 days.
Yet Sop Chen, general manager of managed IT and security services with Canon subsidiary Harbour IT, was sceptical of this finding. “Our experience tells us that in fact it is much longer than this, giving cyber criminals enough time to know your business better than your IT department,” he said in a statement.
“Australian businesses are citing technology as their biggest downfall, but the question is if they’re setting themselves up for success… There needs to be much more urgency accorded to being safe rather than sorry, and businesses need to better appreciate how their actions may affect the wider industry.”
Many businesses still have yet to get that message: even though technology was the most widely cited vulnerability in small businesses’ IT strategies, 15 percent of participating businesses said they are not at all concerned about a security breach.
Whatever their efforts to boost network security, others had still left gaping holes by forgetting to secure their printers – an often ignored vector for attack that can provide hackers a way onto the corporate network. Just 4 in 10 businesses have secured their printers, the survey revealed, with 31 percent of small businesses not even aware of the risks around printer security.
High levels of inaction are likely to create real problems for Australian businesses, notes Proofpoint APJ vice president Tim Bentley, who expects that despite a year of warnings many companies will still fumble their response until it’s too late.
“There is concern that the new data breach disclosure laws will not amass real action on the ground in the business community until a big, local breach in post-data disclosure Australia occurs,” he said in a statement. “That said, this new mandatory data breach notification is a strong step forward: when passed, the legislation will mean that Australia has some of the strictest disclosure rules in the world.”
Such strict rules reflect Australia’s prominence in the data-breach stakes: even before the NDB scheme kicks in, Australia reported 15 data breaches in the first half alone – putting it on par with India and well ahead of every other APAC country, according to figures from Gemalto’s Breach Level Index Report.
There is no telling how this figure will change once breach reporting is mandatory, as opposed to the voluntary disclosures to date, but experts have been universal in warning every business to evaluate its data holdings and revisit its risk exposure.
With a range of better security technologies available and the ASD8 well publicised, companies genuinely keen to improve their risk profile have many options – but the impetus for change must, Bentley said, come from within.
“Data breaches are not just an IT security issue, but a fundamental data governance issue,” he said. “Organisations must combine information security with data governance programs that identify, classify and protect critical and sensitive data assets.”
“Technologies like encryption and Data Loss Prevention (DLP) provide automated controls that protect the processing and storage of sensitive information. By implementing multi-layered defence strategies leveraging technology controls, businesses can reduce the likelihood of data exposure.”