Recently, Dando had the pleasure of working with Rachael Falk, cyber security advisor, on what cyber security looks like in the contemporary world, the steps we can take to stay safe in the digital realm, and what our responsibilities are if a breach occurs. Here is what we learned:
What, in layperson’s terms, is cyber security?
RF: While it sounds like something out of a science-fiction movie, cyber security is simply like any other type of security. You put a lock on your door to stop people breaking in—well, cyber security is just the digital equivalent. Methods such as passwords and encryption are ways to ‘lock’ your important or sensitive data and protect it from those trying to access it.
Then there is also the extension of the practical side of the concept. It is important to always think about protecting your personal information, and not becoming complacent about your digital safety.
Personally, I think of it as knowing the value of your data; if someone walked up to me in the street and asked really personal questions, would I answer all of those willingly? No. So, it is the same online—be careful about how you share and who you share data with. This goes for your own data, but also when you are running a business—your client data is valuable to them, and you have an obligation to protect it securely.
How does a breach of cyber security occur?
RF: The simple answer to this is when an unauthorised person or persons accesses data that is not theirs. If you’re talking about the ‘method’ someone might use to implement a breach, then you may as well ask: how long is a piece of string? Hacking; phishing; identity theft; scams; viruses. It could also be employees browsing sensitive information they should not have access to. The list of methods is extensive—not to mention that it is always growing, and always evolving. Keeping up with the ever-changing methods of cyber attacks is a never-ending job.
In what ways can one suffer from a security breach?
RF: A cyber security breach can cause suffering for an individual, a group of individuals, or entire businesses and companies. It could involve anything from the loss of data, to the compromise of sensitive information. It can also be more like a ‘real life’ security breach, where people’s money or identity is stolen—or physically they can be put at risk, and the consequences can be severe. People (and organisations) must always be incredibly vigilant with protecting their information, especially when storing it online or giving it to third parties, because there is no such thing as a perfect solution when it comes to cyber security.
If you think you have suffered a security breach, what should you do and what are you required to do?
RF: This depends on the type of breach, but the main thing NOT to do is nothing. Even if a breach appears minor and insignificant, the fact that it has happened means it could happen again. For an individual it could be that credit card information has been stolen, and all of a sudden strange transactions start showing up on bank statements from places around the world. In these kinds of cases it needs to be stopped at the source, i.e. cancelling a credit card or putting a block on an account. Make sure you know how to contact your bank quickly—like storing its details in your phone.
For larger scale breaches, there could be more drastic actions to undertake. It is critical that any suspected or actual breach is investigated immediately. If, for example, there is a breach through a supplier, it may not just be your own data that has been compromised, but also your clients’—their needs have to be paramount as well. Transparency is key, both with your clients but also with the Privacy Commissioner. It is important, especially given the changes to the Privacy Act 1988 and new obligations to report data breaches, that all organisations that hold personal information and suspect that there has been a breach have an incident-response plan in place now.
If you are in doubt and suspect there is a data breach, and that the breach could cause your clients serious harm, then you will need to understand the nature of the breach and what you can do to minimise that harm, and/or notify the Office of the Australian Information Commissioner. They have prepared a Data Breach Preparation and Response Guide, and it is on their website. This is definitely recommended reading for all businesses that have obligations under the Privacy Act—which is most businesses!
When is it okay to have access to someone’s data, and at what point should it be relinquished?
RF: There are obviously plenty of situations where your personal information is accessible by others, primarily so they can provide a service to you. Then there are situations such as a company that will need certain bits of information from a client. However, not everyone in a company needs to have access to all client information, and therefore only those who need it should have access. The availability of this kind of information should also be relinquished when agreements are terminated or there is no legal or business need to retain the information.
We’d like to sincerely thank Rachael Falk for her time with Dando, and—with her guidance—we have undertaken our own cyber security ‘audit,’ and we feel far safer and more informed about the integrity of our online presence and our clients’ data.
RF: Thank you! I enjoyed it too. Remember … all data has value, so protect it accordingly.