Here’s why cyber security education needs to be central to businesses of all sizes

Business Insider’s Cyber Security series is brought to you by Open Universities Australia, who offer programs that provide knowledge & understanding in contemporary policing, intelligence, counter terrorism, cyber security and security studies.
Prime Minister Malcolm Turnbull. Photo: Stefan Postles/Getty Images.

Next year, Australia’s Mandatory Data Breach Scheme will come into effect. This is going to mean big changes for a lot of Australian businesses. Although cyber security is considered important, it isn’t always at the centre of business conversations, and there continues to be a question over who should be leading the charge. But the Australian Government is looking to change that.

Minter Ellison’s 2017 Cyber Security Report found that board respondents said “IT departments remain principally responsible for cyber risk management, compliance and review activities.”

It seems that a lack of education may be the primary cause of this misconception, as one of the study’s key findings was that “awareness of cyber risk has increased as the problem grows — but concrete actions have not changed.”

The study found that despite a 10% increase in attacks since 2015/16, 13% of the directors and executives who participated aren’t briefed on the topic at all. Furthermore, half of them are briefed only once a year.

Image: Minter Ellison Cyber Security Report 2017

The reality is that cyber crime is on the rise. In the same study, 18% of respondents reported cyber incidents that compromised their systems, and 42% admitted they had no data breach response plan within their businesses.

Meanwhile, Telstra’s 2017 Cyber Security Report revealed that 59% of respondents were impacted by a cyber security incident in the last year.

It sounds a long way from the dream of the “cyber smart nation” that the Australian government is hoping to build with its Cyber Security Strategy. As Prime Minister Malcolm Turnbull stated in the 2017 First Annual Update of the strategy:

“Australia will face major cyber security challenges in the future. Australian families and businesses continue to be targeted by cybercriminals. Some foreign nations continue efforts to compromise our national security. Over the past year we have witnessed cyber security events here and overseas disrupt infrastructure and services, cause hundreds of millions of dollars in damage to companies, threaten the confidentiality of networks on an unprecedented scale, and attempt to interfere with democratic processes. This is unacceptable.”

In the last 12 months alone, big-name companies such as Westpac and Sony have been targeted. The Australian Bureau of Statistics itself fell victim during the 2016 Census. It’s time for more attention and more focus.

When reviewing cyber security policy, it’s imperative for organisations to brief all staff, from the top down. After all, cyber attacks come in a variety of forms, and some of the most common threats are also the simplest, so everyone in an organisation needs to be on alert.

According to Telstra’s 2017 Cyber Security Report, the most common threats include:

  • Email phishing
  • Ransomware
  • Malware and viruses
  • Unpatched systems
  • Web application attacks

Even something as simple as a weak password can pose a security risk.

Image: Telstra Cyber Security Report 2017

The Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, has estimated that cyber crime costs the Australian economy around $1 billion a year, and that figure could continue to grow if companies don’t act.

As Tehan said: “In the world of cyber security, if you are standing still you are going backwards. The cyber security environment is constantly evolving, and we need to be adaptive and proactive.”

This matters all the more because recovering from a cyber attack can take significant time.

Image: Telstra Cyber Security Report 2017

In the future, all organisations that fall under the Privacy Act 1988 will be obliged to report serious data breaches to the Office of the Australian Information Commissioner (OAIC). Fines as high as $1.8 million can be issued to those who fail to comply. These organisations include:

  • Businesses and not-for-profit organisations with an annual turnover of more than $3 million
  • Australian Government agencies

It will also apply to some businesses with an annual turnover of less than $3 million. These include:

  • Businesses that buy or sell personal information, along with credit reporting bodies
  • Private schools, private tertiary education institutions and child care centres
  • Private sector health service providers, including gyms, weight loss clinics and alternative medicine practices

In the end, this is why small and large businesses alike will need to start prioritising cyber security in the very near future. Not only will it protect their customers, systems and profits, it will also spare them from a government crackdown on lax practices.