A new report has found that many Australian businesses aren’t prepared for a legal obligation coming into effect within days that requires them to report data breaches.
Australian Small Business and Family Enterprise Ombudsman Kate Carnell is urging small businesses to prepare for the introduction of a new data breach notification law, which carries significant financial penalties for non-compliance.
“Small businesses can’t afford not to understand what the new laws mean to them,” she says. “With penalties of up to $360,000 for individuals and $1.8 million for organisations, the impact of a breach on a small business is devastating.”
The HP Australia IT Security Study found that almost half of Australian small and medium businesses with an annual turnover of more than $3 million do not consider themselves to be prepared for Australia’s new data breach notification law.
Just 51 per cent of respondents said they had developed, or were in the process of developing, an IT security policy to ensure their compliance.
HP surveyed 528 Australian small and medium businesses with 10 to 99 employees across the services, production, retail and hospitality, health and education, and distribution industries.
The research aimed to uncover Australian SMBs’ approach to IT security, including policies, procedures and risk management as well as exploring their preparedness for the new data breach notification laws.
The Privacy Amendment (Notifiable Data Breaches) Act 2017, passed by both houses of Parliament in February 2017, establishes a Notifiable Data Breaches scheme which comes into effect on February 22.
The scheme requires organisations covered by the Australian Privacy Act 1988 to inform the Australian Information Commissioner and members of the public if they believe or are aware that their data has been compromised.
Throughout 2017, Australian organisations were urged to put a spotlight on cyber security and to step up their capabilities.
The HP Australia study found that 57 per cent of small and medium businesses admitted to not undertaking any sort of IT security risk assessment in the last 12 months, despite a series of high-profile breaches during that time.
Over half of the respondents also flagged ‘employee carelessness’ as a significant security threat to their business, with concerns over not just the behaviour of staff when outside the office, but external threats such as visual hacking.
Despite this, fewer than half of respondents (44 per cent) have an IT security policy in place for employees who bring a personal device to work. Only 37 per cent of respondents restrict the data that can be accessed from that device.