The government needs to take this step forward but it will take an organisation being hit for any change to occur.”
According to the government, the NDB scheme will strengthen the protections afforded to everyone’s personal information, while improving transparency in the way that organisations respond to serious data breaches.
This in turn supports consumer and community confidence that personal information is being respected and protected.
Furthermore, it also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.
“This could have an impact for a short period of time but it could end up being a blip on the radar,” Sophos sales director David Sykes said. “What the government decides to be will determine how impactful this law will be initially.
“I think it will be necessary from a consumer point of view because people need to have confidence. But the conversations we are having with our customers centre on reputation and revenue damage.
“If you’re being fined, chances are you have a whole bunch of other problems that are a lot bigger and more expensive to worry about, and that’s the conversation that partners should be having.”
Going forward, recommendations are in place advising organisations to review internal practices, procedures and systems for securing personal information in preparation for the scheme.
But despite a flood of information and awareness, is the end-user prepared?
“One of the scary parts of the industry that we’re seeing is the targeting of utility providers, such as water and energy,” Trustwave senior vice president Robert Pizzari added. “This represents the fundamentals of how any economy across the world operates and runs.
“If any of those facilities are compromised, then forget about how strong your cyber protection is if you’re a bank or ecommerce website, because this will have serious implications.
“The government must be seen to put a platform in place and start a process around education. But it’s not just about educating the enterprise, it’s also about their own departments having the correct security posture.”
Organisations that suspect an eligible data breach may have occurred are required to undertake a “reasonable and expeditious” assessment to determine if the data breach is likely to result in serious harm.
Yet despite directives at government level, many businesses still believe such legislation is applicable.
“The mentality that we still see is that organisations don’t believe they are at risk,” InfoTrust director of enterprise cyber security services Nick Lowe said. “It will take another organisation in a similar vertical or of a similar size to take a hit before they take notice.
“We see businesses of all sizes in the same boat in that respect but the ASX 100 Cyber Health Check report is forcing organisations to think. They can’t afford to be exposed in the media, therefore they are now looking for guidance around where to start.
“There’s a role for the partner to start from the ground up with the customer to help these businesses prepare, which can be through consultancy services.”
Published in April 2017, the ASX 100 report addressed six key areas: understanding the threat, leadership, risk management, awareness of help, cyber incidents, investment and customer data.
Of the top 100 companies invited to participate on a voluntary basis, 76 companies took part, with findings reporting a high level of risk awareness among directors, but gaps in organisational preparedness and resilience.
“Who in the organisation accepts responsibility?” SecureSoft Distribution national business manager Steve Cronan asked.
“What is risk and what level of risk should we accept? And what are we going to do about it when that happens?
“It’s very easy to talk about legislation but these are the questions that require answers. It’s about continuing the work of the ASX 100 survey, which suggests that there’s still a great deal of opportunity for the channel to pursue.”