11 May 2017

Cyber-related incidents and attacks have come to dominate news headlines in recent years, and for good reason.

Digital platforms are growing exponentially from desktop through to portable devices and other internet connected technology, and software companies are also driving the storage of information to the Cloud. This proliferation of data and technology, together with the increasing sophistication of targeted cyber-attacks and the potential for human error mean that the likelihood of a cyber-related incident affecting an organisation’s systems, data and reputation is perhaps now greater than ever.

As organisations globally face the threat of cyber-attacks, it is important to be just as aware of the dangers of errors by employees or third party service providers which can lead to cyber security issues.

Recently, a government organisation emailed a survey to a number of constituents, and the employee who emailed the survey accidentally attached the mailing list which incorporated personal details of all recipients and with enough information to potentially enable identity theft.

Another example is a large retail chain that sent out the names and passwords for gift and voucher cards with a total value of around $1.5 million to all registered card owners by mistake.

In both of these instances, simple and avoidable errors were made leading to reputational, and in one case, financial damage.

At the forefront of combatting errors by employees and reducing the risk of cyber security issues is employee training.  At the end of the day, employees and contractors are human and organisations need to ensure they have adequate security procedures and safe guards in place.

Evidence shows that in most cases, an organisation’s lack of engagement with cyber security and appropriate training of staff is a leading cause of these mistakes.  The foundation of effective cyber security policy and procedures is  a well developed information secure culture where privacy is seen and treated as an important component to the company’s business.

To achieve this, everyone within the organisation needs to be aware they are responsible for the information they hold.  Having the carrot rather than the stick approach is also important.  Encouraging staff to take proactive steps around information security (for instance by following procedures to report suspicious emails or telephone calls, or for reporting irregularities to the IT team and management) is more successful than punishing simple and innocent errors.

A concept that may be useful here is the idea of being a High Reliability IT Organisation –where management understands that a mistake on a small scale can have a major impact on the entire organisation; and so eliminating the smaller threats such as human error is important for the greater good of the organisation.

Response to a cyber incident is also essential.  When an issue or incident arises, an organisation needs to be in front of the situation to mitigate any resulting damage as quickly as possible. Consequently, cyber risk and incident response should form a key component of an organisation’s business continuity and disaster recovery plans, and organisations responsible for collecting and using personal information should ensure they also have effective procedures in place to respond following a data breach.

Organisations cannot afford to underestimate their varying exposures.  The belief that cyber security and the associated risks are limited purely to someone hacking their networks from outside needs to change.   Cyber risk  is much more than merely the idea of an external hacker; organisations also need to consider the full gamut of other possible scenarios, including a mistake as simple as sending a mailing list in error, right through to a rogue employee deliberately instigating a programme error or creating a system backdoor in order to breach  security. It is imperative organisations continually look outside the square and continually analyse their systems to reduce their exposure. 

At present, the potential loss to organisations from 3rd party claims alleging purely a breach of privacy or loss of personal information is difficult to quantify – claims of this type have generally been unsuccessful in other jurisdictions due to the plaintiffs’ inability to prove damages, except in cases where there has been a loss of credit card data. However the potential for significant reputational damage should always be in the forefront of management’s thinking, and the potential for an investigation by a regulator such as the Office of the Australian Information Commissioner and the associated costs should not be overlooked, especially in light of the 2017 legislation establishing mandatory data breach notification requirements in Australia.  

Establishing effective policies and procedures, building an information secure culture and having safe guards and mitigation strategies in place is fundamental in protecting an organisation’s data and technology systems, as well as its reputation.  It is important for organisations not to underestimate their increasing reliance on information technology; and to take proper account of their need for the ongoing availability of those systems and associated data for the organisation’s continued operation.

Print article