Facebook Announces 50-Million-User Data Breach: How to Protect Your Business

Responding to a data breach -- like Facebook's just-announced hack of 50 million users -- is as risky as the breach itself, and this is an opportunity to change your approach to IT security, protecting yourself and your customers in the process. Find out how.

As data breaches become more and more common, the question of how companies respond is top of mind for businesses and customers alike. The response to a breach, which includes addressing the breach publicly, has become as risky as the breach itself.

Earlier this year the Australian government set policy in this area, passing Notifiable Data Breach (NDB) legislation. According to the Office of the Australian Information Commissioner (OAIC), an eligible data breach arises when a device containing a customer’s personal information is lost or stolen; a database containing personal information is hacked; or personal information is mistakenly provided to the wrong person.

NDB requires organisations that suffer a data breach that may cause serious harm to individuals to alert the OAIC. More importantly, the NDB also dictates that companies that experience a data breach must also let each and every one of their affected customers know that their confidential data was breached.

Imagine if rather than notify of a data breach, an organisation had to publicly notify their customers that they are running their multi-million dollar business on a non-sustainable budget using antiquated systems and processes.

That’s exactly what we’re looking at here. There is a much broader issue at play than just data breach notification. NDB is a hot topic, and rightly so, but what it addresses is an effect of having inadequate or antiquated IT systems, policies and procedures in place. One of the many things this can cause is data breaches.

Many IT systems, particularly in Australia, are simply not good enough to support the modern-day world that we live in. Legislation similar to what’s being introduced in Australia this year came about and began being enforced a dozen years ago in the U.S.

Organisations may lean on naivety, ignorance or budgetary constraints for not modernising their IT, but the reality that we face is that these organisations are simply not fulfilling their corporate social responsibility. If we take it a step further, they’re exposing their customers, patients and the general public to risk of harm, expense and inconvenience. This is not a sustainable business model and needs to change.

Of course, it’s not just the public that is harmed by a data breach. Organisations themselves are negatively affected: the downtime associated with a breach can cost millions. Last year, Swedish manufacturing firm Sandvik had a remote worker’s machine encrypted by ransomware demanding a €275 ransom. It locked down the company’s entire system and the business was down for two days, costing millions.

Downtime then means inconvenience for your customers, in turn damaging your brand. Keep in mind that if your customers are unable to access your products and services they will turn to your competitors. The impact of a breach on your business goes far beyond the notification aspect of the NDB, which is focused on preventing data breaches. Take on the NDB as an opportunity for your business to:

  • Invest in a security audit to validate whether your systems and processes are robust before you have a costly breach or downtime.
  • Eliminate human intervention as much as reasonably possible; particularly when you are responsible for client data. Automation and cloud technologies are cost effective today, letting you eliminate human error and focus on your core business.
  • Ensure that you have a plan B – and a plan C. This means having a multi-layered security platform and a business continuity and disaster recovery solution and plan in place so that when the worst happens you can minimise downtime and potential harm to your employees, business reputation and customers.

Just a quarter of respondents in CompTIA’s forthcoming annual security study cited an internal breach or incident as a driver for changing their approach to IT security, while only 39 percent had a public communications plan as part of their incident response plan. So, the majority cites a range of reasons for what they’re doing to address security, including data breaches, while not looking at what to say when a data breach occurs.

Don’t be the organisation that thinks a breach won’t happen to you – and go scrambling to notify in the wake of it. Be proactive and mitigate the risks. Your customers and brand will thank you for it.

Click here to access CompTIA’s published research and resources on IT security and cybersecurity.

Click here to engage in CompTIA’s IT Security Community.

Click here to engage in CompTIA’s ANZ Channel Community.

James Bergl is a member of CompTIA’s ANZ Channel Community Executive Council and director of sales, APAC, Datto, Inc.
