Many Australians, especially those whose data has been compromised, are very concerned about the Optus data breach. As cyberattacks become more sophisticated, how can businesses avoid a similar fate? Here are some lessons on cybersecurity.
For businesses, the breach serves as a timely reminder of the value of knowing what customer data is held, how it is secured, how your systems operate and the process to identify gaps and deficiencies, the proper actions to be taken if and when a breach occurs, and the impact on your relationship with your customers. This is a problem that affects the entire business and cannot be purely delegated to IT.
The responsibilities of business
Everybody is aware that no system is totally secure. This is also not the first time for Optus: in 2015, Optus agreed to an enforceable undertaking for violating the Privacy Act.
A data breach occurs when personal data is accessed, disclosed, or lost without authorization. When a data breach involving personal information is likely to cause serious harm, and the Privacy Act 1988 applies to your company, you must notify the affected individuals and the Office of the Australian Information Commissioner. The notification must be made as soon as practicable, with 30 days typically treated as the outer limit. Each day matters.
A company is required to take all practical measures to uphold its obligations and avoid data breaches. These obligations go beyond shielding against online threats. 55% of all reported data breaches are the result of malicious or illegal attacks. However, 41% and 4%, respectively, are caused by human error and system flaws. 43% of human errors involved sending personal information to the incorrect recipient via email, and 21% involved the unintentional release or publication of personal data.
How to express apology
Beyond the breach notification requirements, the other issue is the client relationship itself. Trust is a key component of that relationship.
So how exactly does a company apologize? University of Chicago economist John List and other academics studied this question for Uber ride sharing after List, who was then Uber’s Chief Economist, had a negative ride sharing experience. The final word? First, for the apology to be effective, it must cost something. This cost may be in terms of reputation, a promise to perform better in the future (the higher standard), or money. The effectiveness of an apology, and whether it could backfire, depends on how it is delivered. Second, apologies are not a cure-all. Sometimes a financial benefit can help; many companies provide a credit or discount to compensate for the inconvenience involved. Third, there are times when sending an apology is worse than not sending one at all, particularly for repeated incidents where no sufficient action has been taken.
Assisting in the prevention of data breaches
- Recognize your Privacy Act duties. Advanced requirements are frequently necessary for specific businesses and industries that hold particular types of data.
- Review the customer personal data that is kept. Is their complete date of birth essential to what your company does? Do those identification documents need to be kept after being validated if you need to confirm identity? Or is a “Yes” sufficient confirmation? Are the client’s data being stored securely, and who has permission to access it?
- Enforce multifactor authentication on your systems.
- Increase staff awareness not only of cyber threats and how to avoid them (phishing, fraudulent messages, and so on), but also of how personal data is managed and who may access it.
- Understand your systems and how they interact with each other, so that security holes and “backdoor” system access are not left open.
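The second and last points of the checklist (keep only the customer data the business actually needs, and know who may access it) are easier to see in code than in prose. The Python below is an added illustration written for this article; it is not code from Optus, Fullstack Advisory, or any real onboarding system. The form fields, the adult-age threshold, the seven-day retention window for raw ID details, the role names, and the placeholder document check are all assumptions. The idea it demonstrates is that the facts the business needs ("is this customer an adult?", "has their identity been verified?") are derived at the moment of intake and the raw date of birth and document number are never written to the customer record.

```python
"""Data minimisation at customer onboarding (added example; constructed data).

Not Optus or Fullstack Advisory code. ADULT_AGE, RETENTION_DAYS, ALLOWED_ROLES
and the document check are assumptions made for the illustration.
"""
from dataclasses import dataclass, asdict
from datetime import date, datetime, timedelta, timezone
from typing import List, Optional, Tuple

ADULT_AGE = 18                                # assumption: only "adult or not" is needed
RETENTION_DAYS = 7                            # assumption: raw ID details kept at most a week
ALLOWED_ROLES = {"support", "compliance"}     # assumption: roles allowed to read records


@dataclass
class SubmittedForm:
    """What the customer submits (constructed): full DOB plus an ID number."""
    name: str
    date_of_birth: date
    id_document_number: str


@dataclass
class CustomerRecord:
    """What is kept long-term: the answers the business needs, not the raw identifiers."""
    name: str
    is_adult: bool
    id_verified: bool
    verified_at: Optional[datetime]


@dataclass
class PendingVerification:
    """Raw ID details held only while a failed automatic check awaits manual review."""
    name: str
    id_document_number: str
    expires_at: datetime


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def document_looks_valid(id_number: str) -> bool:
    """Placeholder for a real document check (assumption): 8-12 alphanumerics."""
    return id_number.isalnum() and 8 <= len(id_number) <= 12


def onboard(form: SubmittedForm, today: date,
            now: datetime) -> Tuple[CustomerRecord, Optional[PendingVerification]]:
    """Derive is_adult and id_verified at intake; the DOB and ID number go no further.

    If the automatic check fails, the raw details are parked with an expiry so
    a reviewer can look, after which purge_expired() removes them.
    """
    verified = document_looks_valid(form.id_document_number)
    record = CustomerRecord(
        name=form.name,
        is_adult=age_on(form.date_of_birth, today) >= ADULT_AGE,
        id_verified=verified,
        verified_at=now if verified else None,
    )
    pending = None
    if not verified:
        pending = PendingVerification(form.name, form.id_document_number,
                                      now + timedelta(days=RETENTION_DAYS))
    return record, pending


def stored_fields(record: CustomerRecord) -> set:
    """Field names that would actually reach the database."""
    return set(asdict(record))


def read_record(record: CustomerRecord, role: str) -> dict:
    """Role check on every read: roles outside the allow-list get nothing."""
    if role not in ALLOWED_ROLES:
        raise PermissionError(f"role {role!r} may not read customer records")
    return asdict(record)


def purge_expired(pending: List[PendingVerification],
                  now: datetime) -> List[PendingVerification]:
    """Drop parked raw ID details whose retention window has passed."""
    return [p for p in pending if p.expires_at > now]


# Constructed sample input so the module runs stand-alone.
SAMPLE_TODAY = date(2022, 10, 1)
SAMPLE_NOW = datetime(2022, 10, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_FORM = SubmittedForm("Alex Example", date(2000, 5, 20), "AB12345678")

if __name__ == "__main__":
    rec, held = onboard(SAMPLE_FORM, SAMPLE_TODAY, SAMPLE_NOW)
    print("stored fields:", sorted(stored_fields(rec)))
    print("support view:", read_record(rec, "support"))
```

The point to notice is that `stored_fields()` never contains `date_of_birth` or `id_document_number`: those values are consumed by `onboard()` and discarded, so a later breach of the customer table cannot expose them. The only place raw details linger is `PendingVerification`, and only until `purge_expired()` runs.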
Cybersecurity is one of the most pressing issues confronting business leaders today. Fullstack Advisory is proud to help businesses continue moving onward and upward. If you have questions, feel free to reach out to us.