Australian companies and organisations are being warned to remain vigilant and increase cyber security measures. The Australian Cyber Security Centre has issued a high status alert because of the risk of cyber attacks having international consequences.
This is a timely reminder of the importance of having a cyber security policy for your business. If your business doesn’t have a cyber security policy, you could be leaving yourself open to a cyber attack.
The implications of a cyber attack on your business are likely to be more than just an inconvenience. Important information or data held by your business such as customer records and personal information, financial records, emails, business plans, intellectual property and employee records could be at risk. You could potentially suffer financial loss due to the theft of funds, data or information, disruption to your business, damage to your reputation and loss of public trust and significant costs to restore your systems.
You will need to develop policies and procedures to help employees understand how to prevent an attack and to identify potential incidents. You will need to identify what is important to your business and then consider the risks and the steps you will need to take to reduce the effects of a cyber attack.
A policy helps your employees to understand their role and their responsibilities in protecting your business in order to avoid a cyber security incident.
It is easy for employees to make mistakes and enable a data breach or attack. A basic cyber security policy should address the following at a minimum:
If a cyber security incident occurs, you will need to minimise the impact of it on your business and get back to business as usual as quickly as possible. It can be difficult and stressful to respond to an incident in the moment so it is beneficial to have an incident response plan in place that will guide you through the required steps. An incident response plan should guide you through the following:
It is not enough to just have a policy in place; you must ensure that employees are trained in and understand the policy and that the policy is implemented at all levels.
You should also consider providing employee training to ensure employees are aware of:
Technology
If the following protections and processes are not already implemented, you should consider implementing them to ensure your business is protected:
When undertaking these steps, it is important to ensure that employees are aware of the systems in place and their obligations, which may need to be incorporated into your policies and, in some circumstances, into employment contracts.
Insurance policies
You should also ensure your business has the appropriate insurance policies in place that would cover losses in the event of a cyber attack. Cyber liability insurance cover can help your business with the costs of recovering from an attack. Like all insurance policies, it is very important your business understands what it is covered for and an experienced insurance adviser should be consulted to determine the appropriate policy for your business needs.
Privacy Policy
When considering the protection of your business and the information you hold, it is also important to review your privacy policy. It is essential that you keep your customers’ information safe. If you lose or compromise their information, in a cyber attack or otherwise, it will damage your business reputation, and you could face legal consequences.
If the Privacy Act covers your business, you must comply with the Australian Privacy Principles. Even if the Privacy Act doesn’t cover your business, it’s important to handle your customers’ personal information appropriately.
You need to have a clear and up-to-date privacy policy that outlines the information you collect, what you use it for and how you protect it. It is recommended that you make this policy available on your website.
If your business is covered by the Privacy Act, you will also need to comply with the Notifiable Data Breaches scheme in the event that a data breach occurs.
Our experienced corporate and commercial lawyers can assist you to draft a cyber security policy, an incident response plan and a privacy policy for your business. If you have existing policies, we can review these with you and update them as required.
We can also advise you as to your legislative obligations in relation to cyber security incidents, data breaches and the protection of personal information.