Steep fines for data breaches come as hybrid work worsens security challenges
Cybersecurity is a critical concern for IT departments, as hybrid work has exposed organisations to cyberattacks. But human resources professionals also have a key role to play by educating the workforce about the security challenges created by remote connectivity.
“Some organisations and employees are bending cybersecurity rules ‘to get a job done’,” said Mark Lukie, sales engineering director, Barracuda APAC. Research commissioned by the company reveals that companies are extremely vulnerable to email-borne threats as 60% of respondents assume a link in an email is safe to click on if the email has come through the corporate IT system.
What should HR be doing to ensure staff don’t let in the hackers?
Making sure that employees are fully trained and made aware of how phishing and other cyberattacks might occur has moved up the priority list. Barracuda researchers uncovered a lack of awareness regarding cybersecurity among employees, with 37% of respondents saying they had not had training in key areas of cybersecurity awareness such as email security, malware, or ransomware, and 14% had no training at all.
If mistakes are being made and data is being leaked, companies can now face big fines as well as reputational damage.
Following data hacks at Optus and private health insurer Medibank, the government is introducing legislation that will crack down on companies who fail to protect sensitive information.
Affected companies will face a massive increase in fines for serious or repeated breaches. Penalties will rise from $2.22 million to $50 million, 30% of the company’s turnover in the relevant period, or three times the value of any benefit obtained through the misuse of the information – whichever is greater.
The government is intent on making privacy laws in Australia more robust. Attorney-General Mark Dreyfus said: “Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset.”
Overseas businesses are also covered by the bill, which proposes that a company carrying on a business in Australia must comply with local rules even if it does not collect or hold Australians’ information from a direct source in the country.
The increased penalties are likely to have a deterrent effect on businesses already hit by ransom demands from the hackers.
The official advice from the federal government’s Australian Cyber Security Centre is never to pay a ransom. But in reality many firms do. No word has been forthcoming from Medibank on whether the company will pay a ransom for the extraction of 200GB of files with data on all of the company’s 3.9 million customers. Although the hackers have not locked up the data as is typical in a ransomware attack, negotiations over the data have followed the breach.
Cybersecurity firm Sophos’ State of Ransomware report, released in April, showed 43% of companies in Australia paid ransoms after ransomware attacks, compared to 46% globally.
This month, another cybersecurity company, Proofpoint, also released a new report revealing that Australian boards significantly lag behind global counterparts in cybersecurity maturity and understanding. Only 58% of Australian boards see cybersecurity as a top priority, the least among the 12 countries surveyed (US, Canada, UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico), where the average was 77%. Even more worryingly, only half of Australian boards agree that organisations should be required to report a material cyberattack to regulators within a reasonable timeframe – again, the lowest of all 12 countries surveyed (global average 80%).
Skeeve Stevens, who was jailed in 1998 for a data hack that was described at the time as Australia's most “notorious” internet cybercrime, told SBS News recently that “there’s a lot of ‘FUD’ in government and industry: fear, uncertainty, and doubt from officials.” He believes Australia is lacking in literacy around cybersecurity beginning with the average Australian and extending to business and government leaders making decisions about data collection and storage.
While cyberattacks are commonplace, he fears that large-scale attacks will become normalised, with no real action taken until a “cyber epidemic” hits Australia.
Stevens said Australians and governments should be questioning why companies need to have as much sensitive data as they do, and whether there are alternative ways to confirm identity or store personal information.
The recent data breaches have at least helped to bring cybersecurity into the spotlight and make it a focus of conversations across boardrooms, says Lucia Milică, vice president and global resident chief information security officer at Proofpoint. However, there is still a long way to go for boards and senior management to understand the threat landscape and prepare their organisations for material cyberattacks.
“One of the ways boards can boost preparedness is by getting on the same page with their CISOs (chief information security officer). The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organisational success,” Milică said.
Australia scores the lowest of any market surveyed when it comes to investing in increasing cybersecurity budgets in the next 12 months. In addition, 22% of boards expect their budgets to go down, according to Proofpoint.
Meanwhile, high-risk employee behaviours continue putting companies at grave risk.
“Australian organisations need to urgently review their hybrid and work-from-home environments, commit to the adoption of best security practices like the Australian Cyber Security Centre’s Essential Eight framework, and provide cybersecurity hygiene refresher training to staff, in order to protect against today’s evolving email threats, application vulnerabilities and the ever-present risk of data breaches,” Lukie said.