The 4 non-negotiables of a resilient, responsible firm in digital Australia

As the nation becomes increasingly digitised, there are fundamental steps that professional services businesses must take to protect the personal information of both themselves and their clients, write Hana Lee and Nick D’Orazio.

Hana Lee and Nick D’Orazio | 06 September 2024 | SME Law

Not if, when.

Looking at new laws, evolving infrastructure, or brand-new innovations in technology, it must be said that data privacy and cyber security are well into their renaissance. Around the world, threat actors are deploying increasingly creative methods, running rampant in the digital sphere, and converting personal information into revenue. On the good side, cyber security specialists work hard to keep up by developing new hardware, software, operational technology, and workflows that limit the effectiveness of threat actors and, when implemented by businesses, can be used to quickly identify, respond to, and recover from data incidents.

Here are four non-negotiables that we think every Australian business should incorporate to protect their – and their clients’ – personal information, to become resilient, responsible businesses in digital Australia.


  1. Enable multifactor authentication (MFA)
If you’re not already aware, MFA is any additional method of confirming that you are who you say you are in the virtual world: something beyond the password, typically a code from an authenticator app, a code sent to your phone or email address, or a hardware security key, that must be supplied on login. In 2024, the vast majority of reputable online services support MFA, and many require it.

Though it’s undoubtedly an industry standard, MFA is still not enforced for every user of every platform. Australian businesses can no longer hide behind the notion that MFA is annoying and unnecessary: enabling it blocks the overwhelming majority of automated account-compromise attempts, a figure commonly cited at over 99 per cent. One caveat: a code sent by SMS or email, or read from an authenticator app, can still be captured by a convincing phishing page and used within the few seconds it remains valid. Where the option exists, app-based codes beat SMS, and phishing-resistant methods such as hardware security keys or passkeys beat both.

More importantly, companies are at risk of being found legally negligent for failing to employ MFA, given how effective it is for such little additional effort.

The reality is, threat actors have developed countless methods to harvest massive quantities of passwords, from dark web auctions to complicated phishing schemes. By enabling MFA, you can make cyber threat actors’ lives much more difficult, and your data that much more secure.
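To make concrete what an authenticator-app code actually is, and why a stolen password alone no longer gets an attacker in, here is an added worked example (not code from the authors or from Burch & Co). It implements the standard time-based one-time password scheme (RFC 4226 HOTP and RFC 6238 TOTP) with Python’s standard library only. The secret is the RFC 6238 test-vector key written in the base32 form an authenticator app scans from a QR code, and the timestamps in `demo()` are constructed for illustration; `TotpVerifier` and `demo` are names chosen for this example.

```python
"""How an authenticator-app (TOTP) code is produced and checked.

Added example, not from the article. The secret and the timestamps used in
demo() are constructed for illustration: the secret is the RFC 6238 test key
"12345678901234567890" as the base32 string an authenticator app would scan.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid for (RFC 6238 default)
DIGITS = 6    # length of the code the user types

# Constructed demo secret: RFC 6238 test key, base32-encoded.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Turn the base32 secret from the enrolment QR code back into raw key bytes."""
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, 'dynamic
    truncation' to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step.
    Phone and server each compute this independently from the shared secret."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current time step and `window` steps either side (clock drift),
    and remembers the highest accepted step so a code that was already used,
    for example one captured by a phishing page, is refused if replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_used_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // STEP
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_used_step:
                continue  # this step's code was already accepted once: replay
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


def demo() -> dict:
    """A genuine login, a replay of the same code, tolerated clock drift and a
    stale code, all at constructed timestamps."""
    secret = decode_secret(DEMO_SECRET_B32)
    verifier = TotpVerifier(secret)

    now = 1234567890                          # constructed "current time"
    code = totp(secret, now)                  # what the user's app displays
    first = verifier.verify(code, now)        # genuine login: accepted
    replay = verifier.verify(code, now + 5)   # same code submitted again: refused

    later = now + 2 * STEP
    drifted = totp(secret, later - 20)        # phone clock 20 s behind the server
    drift_ok = verifier.verify(drifted, later)  # inside the +/-1 step window: accepted

    much_later = later + 3 * STEP
    stale = totp(secret, much_later - 90)     # code three steps old
    stale_ok = verifier.verify(stale, much_later)  # outside the window: refused

    return {"code": code, "first": first, "replay": replay,
            "drift_ok": drift_ok, "stale_ok": stale_ok}


if __name__ == "__main__":
    print(demo())
```

The point for a business reader is in `demo()`: the six digits come from a secret that never leaves the phone and the server, so a password bought from a dark web dump is useless on its own. The same walk-through also shows the limit of code-based MFA: a code is valid for the current 30-second step plus the drift window, so one typed into a phishing page can be used by the attacker in that time, which is why the replay check matters and why phishing-resistant methods are preferred where available.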

  2. Delete data you don’t strictly need
Time and again, we heard from cyber security experts that regardless of business size, value, or sector, data security incidents are bound to happen to everybody at some point. It’s not enough to have a data incident response plan anymore. Businesses must incorporate practices that ensure the least amount of data is at risk at any given time. To be proactive is to be prepared. In the words of cyber security specialists, data is a poisonous hot potato that you should only keep in your business if it absolutely needs to be there.

Looking at the 2022 Optus data breach, we can see the dangers that come with holding excessive and unnecessary data. Prior to the data breach, Optus retained the names, bank details, addresses, driver’s licence numbers, passport numbers, and Medicare numbers of its customers for as long as six years after they had left Optus. Optus argued that it had a legal obligation to keep these details so that it could chase debts and assist law enforcement agencies. That justification does not hold up: why, for example, would it need Medicare numbers to send an invoice?

By routinely holding onto so much extra information without a valid purpose, Optus put all of its customers at risk. In short, don’t hold onto what you don’t need.

  3. Educate your team
When a data incident occurs, think of it as you and your staff entering a chess match against a chess master. On the positive side, you have your incident response team on your side. On the other, you have a hacker who is likely well versed in exactly what they need to do to extract your data, having prepared just like a chess pro. It will benefit you and your team immensely to be prepared well in advance to work collaboratively in minimising the impact of the data incident.

In terms of how best to prepare, experts at the summit agreed that the first step is to assign roles and establish responsibility. Specifically, these roles should assign responsibility for reporting obligations, managing the technical response, and communicating with executives throughout the incident. By establishing responsibility prior to an incident, you forgo having to allocate roles in the middle of a crisis.

The second step is to conduct regular (twice annually is recommended) walkthroughs, known as “table-top” exercises, where you and your team take the time to walk through each stage of a data incident as if it were occurring in real time. During these walkthroughs, team members are given the opportunity to experience the flow of a data incident response, become familiar with their roles, and gain the knowledge and confidence to act efficiently when an incident occurs. Regular table-top exercises are recommended due to the ever-changing landscape of data incidents, and so that your staff are familiar with variations to the response plan as and when they are made. Every minute you spend training for data incident response will save you hours (and dollars) during a real incident.

  4. As an executive, buy into cyber security!
Although cyber security is on a rampant upward trend in importance in our increasingly digital world, executives around Australia remain sceptical of its significance. Executives hold the real decision-making power over the direction of Australian businesses, so executive buy-in remains the largest hurdle in ensuring that data protection and cyber security are given the attention they need.

The worst possible outcome to a data incident response meeting, and one that is all too common, is for the CEO or chairman to declare that they are completely unaware of any data incident response or business continuity plan. As mentioned above, prior preparation is imperative to a resilient, responsible business, and it all starts at the top with executives taking a proactive approach to data security. Without buy-in from each and every executive in a business, the important and necessary changes to workflows, policy, and training cannot take place.

Hana Lee is an associate and start-up and capital team leader, and Nick D’Orazio is a commercial paralegal at Burch & Co.