Australian SMBs Unprepared for New Data Breach Laws

An HP study has found almost half of Australian small and medium businesses (SMBs) with an annual turnover of $A3M+ do not consider themselves to be prepared for Australia’s new data breach notification laws. Just 51% of respondents said they had developed, or were in the process of developing, an IT security policy to ensure their compliance.

The HP Australia IT Security Study, conducted by ACA research in November 2017, surveyed 528 Australian SMBs with between 10 and 99 employees across the services, production, retail and hospitality, health and education, and distribution industries. A key objective of the research was to uncover Australian SMBs’ approach to IT security, including policies, procedures and risk management, as well as exploring their preparedness for the new data breach notification laws.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed by both houses of Parliament in February 2017, establishing a Notifiable Data Breaches scheme, which comes into effect on 22 February 2018. The scheme requires organisations covered by the Australian Privacy Act 1988 to inform the Australian Information Commissioner and members of the public if they believe or are aware that their data has been compromised.

Throughout 2017, Australian organisations were urged to put a spotlight on cyber security and to step up their capabilities, by proactively putting a data breach response plan in place and assessing and improving the current state of their IT security. Regularly reviewing their IT security ensures organisations have the right hardware, software and policies in place to protect themselves from increasingly sophisticated threats. The HP Australia IT Security Study found 57% of SMBs admitted to not undertaking any sort of IT security risk assessment in the last 12 months, despite a series of high profile breaches in that time.

“The consequences of a data breach can be severe; from financial to brand and reputation damage,” said Paul Gracey, Director, Printing Systems, HP South Pacific. “Organisations should implement a process to monitor, detect and report data breaches, but prevention – and reducing the frequency and severity of breaches – is equally important.”

An antivirus product protects only against malware running in the operating system (OS). There are many other threats and security risks to a PC, for example those that aim to modify boot-time or runtime firmware. HP’s industry-leading set of security solutions is focused on protecting not only the device, but also the user’s identity and data security.

“Endpoint security – at the device level – is critical to that mix. Organisations tend to rely solely on third party software security to protect their devices when, in reality, stronger and better business security must be integrated into the device itself,” said Gracey. “With hackers able to bypass traditional network perimeter security and antivirus programs, it’s time we scrutinise a hardware’s security as closely, if not more, than our external security solutions.”

While many IT departments apply rigorous security standards to PCs, tablets and other connected devices, they often overlook the printer. The HP Australia IT Security Study found that of the 43% of SMBs that had undertaken a risk assessment, just 29% included printers in their analysis – compared to 78% for servers and 76% for PCs.

This is in line with other US studies released this year. A Spiceworks report found just 16% of respondents think printers are at high risk for a security threat or breach; 43% of companies ignore printers in their endpoint security practices; and only 18% monitor printers for threats. Meanwhile, Quocirca noted in July 2016 that the ‘need for secure print solutions and services is heightened given the fact that 61% of organisations reported at least a single print-related data breach in the past year.’

  • 63% of respondents state their employees work remotely on a regular basis, and as a result are becoming increasingly concerned about associated security risks – e.g. visual hacking
  • 63% of respondents allow employees to access company data from personal devices; less than half (44%) of respondents have a security policy in place for employees that bring a personal device to work; and only 37% restrict the data that can be accessed from the device