The Australian Financial Review Cyber Summit in September put the spotlight on growing consumer concern that organisations are not protecting their personal data to an effective standard. Organisations and business leaders can no longer plead ignorance of cyber security and must dedicate ongoing effort to meet customer expectations or risk facing legal and financial consequences if there’s a data breach.
Consumer expectations have shifted
Personal data is a valuable asset, particularly as organisations are constantly seeking ways to collect, store and use it to do business. This means there’s more opportunity for cyber criminals to steal and misuse it.
The 2023 Deloitte Australia Privacy Index reports that in the past year, 1 in every 3 consumers were affected by a data breach and 69% of the people impacted felt vulnerable or angry.
Twice as many people (24%) were reported to be angry with the organisation rather than the cybercriminal (12%) and 80% of people believe that the organisation should be liable for providing compensation.
While businesses are requesting more and more personal data, consumers understand how valuable it is and are thinking twice before handing it over, expecting greater accountability to ensure their information is secure.
ASIC is taking action
Minimum standards for cyber security are now being enforced by the Australian Securities and Investments Commission (ASIC), targeting organisations that fail to sufficiently prepare for a cyber attack. In the lead-up to the Cyber Summit, ASIC chairman Joe Longo made it clear: “For all boards, cyber resilience has got to be a top priority”. Organisations need to accept that there’s no more cutting corners and no more ‘I don’t understand technology’ or ‘I don’t understand how data works’. Legal action is a reality for organisations that get breached and haven’t taken sufficient action towards protecting their own and their customers’ data.
Privacy Act changes also come into play
On the 28th of September the Australian Government released their response to the Privacy Act Review Report. Long story short, they've agreed that businesses with annual turnover of less than $3 million should now fall under the Act, and no longer be exempt. While it's early days and there's a lot of work to be done to put the changes in place, SMBs should remain informed and be prepared to make operational adjustments as the reform rolls out.
From amateur to state-sponsored attacks, the rate of cybercrime is growing and unlikely to ever stop. Organisations that prepare by addressing cyber security early on gain a competitive advantage and can get ahead of the trajectory. If there’s an attack, the risk of a data breach is significantly lower than if they were unprepared.
In addition, they become more resilient to threats, lowering the chance of being attacked in the first place. Speaking at the Cyber Summit, Andy Penn emphasised: "Boards should know what data they hold, have an inventory of their IT systems, and a plan to upgrade their systems. And they should have a response plan to manage the fallout of a breach and repair their systems if they are hacked."
The message to organisations could not be clearer. Don’t wait until a cyber attack happens; act now to ensure your organisation is prepared. The move for change is a collective effort. It’s necessary to keep informed, be proactive and work together to minimise risk. Executives, employees, consumers, and government bodies all have a part to play when it comes to being cybersafe.