Why new data breach laws may only be the tip of the iceberg for Australian SMEs
While Australia has already mandated remedial action against data breaches with the Notifiable Data Breaches (NDB) scheme coming into effect in February 2018, there may be more to follow and businesses must act now to prepare, according to Wavelink.
The laws being implemented overseas are far more stringent than those in Australia. The European General Data Protection Regulation (GDPR), being introduced in 2018, means that an organisation could be fined up to the greater of €10 million or two per cent of its annual revenue for failing to comply with the notification provision. (1)
Hugo Hutchinson, Wavelink’s national business development manager for Fortinet, said, “Standards implemented in Australia are often based on global and international initiatives. Irrespective of what happens in the future, small and medium-sized businesses (SMEs) must act now to plan for the NDB scheme, as it would be naïve to think this won’t be ramped up over time.”
Protecting against data breaches is essential for SMEs, many of which go out of business within six months if they face a data breach. According to the U.S. National Cyber Security Alliance, 60 per cent of small companies are unable to sustain their businesses over six months after a cyberattack. (2) This means some type of security strategy is crucial to the business’s ongoing sustainability.
Many SMEs lack the resources to take a comprehensive security stance. But, despite a lack of in-house skills or budget, it is important that they at least start with the basics.
According to McKinsey & Company, one myth surrounding cybersecurity is that more advanced technology translates to stronger security. Cybersecurity teams often use powerful, cutting-edge technologies to protect data and other corporate assets but many threats can be mitigated using less-advanced methods. (3)
Hugo Hutchinson said, “There is no longer any excuse for SMEs to do nothing. Vendors are constantly working to offer scalable solutions that are accessible to every size business. SMEs should start by implementing a basic firewall and then work with a partner to create a 12- to 24-month plan to get security up to where it should be, and then review it regularly to stay on top of changes in the threat landscape.”
References:
(1) https://www.lexology.com/library/detail.aspx?g=8185429b-c98d-484a-9fce-890606c42804
(2) http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/
(3) https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/hit-or-myth-understanding-the-true-costs-and-impact-of-cybersecurity-programs