29 Jul 2020

  • Data Compliance and Privacy
  • Governance
  • Privacy and Compliance

5 Steps to Avoid a Data Breach & Improve Data Security

Collecting and using personal data - from email addresses through to basic names and addresses - lubricates many marketing models. It also creates two distinct kinds of business: those that have suffered a data breach and those that don't know they've been breached ... yet.

Data breaches expose personal information and are as common as the cold virus, with more than 997 Australian businesses violating Australia’s notifiable data breach laws during 2019. While criminals are behind the majority of breaches, human error is to blame in around one-third of cases.

Criminals, hacktivists and even other countries' governments - known as "bad state actors" in cybercrime parlance - are getting better at exploiting systems to access personal information. Yet people making mistakes at work remain a leading cause of data breaches.

“The accidental emailing of personal information to the wrong recipient is the most common cause of human error data breaches,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

Personal information stored in email accounts can include the ever-valuable email address but also financial information, tax file numbers, identity documents (remember all those organisations that want you to scan and send a copy of your driver licence or passport?) and health information.

The other data security problem is phishing emails that look legitimate but end up tricking unsuspecting - and perhaps bored - office workers into clicking on a link that opens a back door for cybercriminals to access information they shouldn't.

Avoid Data Breaches & Maintain Trust

It goes without saying that data breaches are a huge trust risk - who wants to put their faith in a bank, airline, agency or software provider that lets personal information slip away to circulate on the dark web?

Plenty of big Australian businesses - from tech unicorn Canva to HR software business PageUp, which supplies the Australian Treasury, and property valuers Landmark White - have already had to publicise their data breaches and put their brand and customer trust at risk.

Everyday consumers may be surprised to learn the extent to which their personal information has been compromised - simply entering an email address into Have I Been Pwned can reveal startling data breaches.

Consumers can easily find out which brands and businesses have compromised their personal information by entering their email address into haveibeenpwned.

Exploiting the free flow of data to create a business asset is an oh-so-last-millennium business idea - today, businesses have hard costs associated with collecting, storing and processing personal information.

At a minimum, businesses need to educate their entire staff on data responsibilities; ideally they should also have a notifiable data breach response plan, minimise personal information (PI) collection, and delete PI from systems when it's no longer needed.

Organisations like ADMA offer data privacy education, and members can sign up to monthly data regulatory news to stay across the ever-changing laws and codes that apply to data collection.

Governments are increasingly regulating data collection to ensure privacy laws favour people's right to confidentiality, and they won't hesitate to fine businesses that fail to do the right thing. More importantly, Europe's stricter GDPR legislation means any Australian business handling European customer data needs to operate to a higher standard than local laws insist upon.

There's also the cost of business interruption when a data breach happens. Work stops while tech experts - or expensive consultants - work out how the breach happened. By law, breaches must be reported to the OAIC and communicated to the people whose information has been put at risk.

What's the solution? Education on Data Security

As more of us work in the cloud and bring our own devices to work, we leave behind personal information - emails, profile photos and even social media logins - all of which can be compromised by a co-worker forwarding an email or clicking on a phishing link.

Avertro CEO Ian Yip - a cyber security expert - says businesses must understand where important data is stored and encrypt it, creating “layers of defence” but also a culture of data privacy and protection.

He suggests a five-layered approach to help prevent data breaches:

  1. Encryption: encrypting the data you store or have at rest on your server or in the cloud.
  2. Antivirus: good ol' fashioned antivirus software is still important, but it is not likely to protect businesses from sophisticated attacks like WannaCry or the recent Twitter hack.
  3. Educating people: creating a culture of data privacy and educating staff on the regulations and best practices is considered vital.
  4. Need to know: personal information should only be available to the select few stakeholders who must see it.
  5. Reduce administrative privileges: not everyone needs admin-level access to data and SaaS platforms.
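Layers 4 and 5, together with the earlier advice to delete PI when it is no longer needed, can be enforced in code rather than left to policy documents. The following is an added example, not code from the article, ADMA or Avertro; it assumes a hypothetical in-memory customer store, a constructed role-to-field map and a constructed 365-day retention period, and shows a service releasing only the PI fields a role needs, keeping the admin role deliberately short of "see everything", logging every access attempt so denied requests can be reviewed, and purging expired records.

```python
"""Need-to-know access, least privilege and retention over personal information (PI).

Added example (not from the page): all roles, records and the retention
period below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed need-to-know map: role -> PI fields that role is permitted to see.
# Note that "admin" manages retention but is NOT granted the health or TFN fields;
# administrative rights are separate from the right to read sensitive PI.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "marketing": {"email"},
    "finance": {"name", "tax_file_number"},
    "clinician": {"name", "health"},
    "admin": {"name", "email"},
}

# Constructed retention period after which PI is deleted from the store.
RETENTION = timedelta(days=365)


@dataclass
class Record:
    name: str
    email: str
    tax_file_number: str
    health: str
    collected_at: datetime


class PIStore:
    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        # Audit trail of every access attempt: (role, user, customer_id, field, allowed)
        self.audit: List[Tuple[str, str, str, str, bool]] = []

    def add(self, customer_id: str, record: Record) -> None:
        self.records[customer_id] = record

    def read(self, role: str, user: str, customer_id: str, fields: List[str]) -> Dict[str, str]:
        """Return only the requested fields this role may see (need to know).

        Unknown roles are allowed nothing, and every field request, granted or
        denied, is appended to the audit trail.
        """
        allowed = NEED_TO_KNOW.get(role, set())
        rec = self.records.get(customer_id)
        out: Dict[str, str] = {}
        for f in fields:
            ok = rec is not None and f in allowed
            self.audit.append((role, user, customer_id, f, ok))
            if ok:
                out[f] = getattr(rec, f)
        return out

    def purge_expired(self, role: str, now: datetime) -> int:
        """Delete records older than RETENTION; only the admin role may run this.

        Returns the number of records deleted.
        """
        if role != "admin":
            raise PermissionError(f"role {role!r} may not purge records")
        expired = [cid for cid, r in self.records.items() if now - r.collected_at > RETENTION]
        for cid in expired:
            del self.records[cid]
        return len(expired)

    def denied_attempts(self) -> List[Tuple[str, str, str, str, bool]]:
        """Audit entries where access was refused; a review queue for the security team."""
        return [entry for entry in self.audit if not entry[-1]]


def build_sample_store() -> PIStore:
    """Construct two sample customer records (constructed data, not real people)."""
    store = PIStore()
    store.add("c1", Record("Ann Citizen", "ann@example.com", "000 000 000",
                           "none recorded", datetime(2019, 1, 1, tzinfo=timezone.utc)))
    store.add("c2", Record("Bo Smith", "bo@example.com", "111 111 111",
                           "allergy: penicillin", datetime(2020, 6, 1, tzinfo=timezone.utc)))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.read("marketing", "alice", "c1", ["email", "tax_file_number"]))  # email only
    print(store.read("admin", "bob", "c2", ["health"]))  # {} - admin is not a clinician
    now = datetime(2020, 7, 29, tzinfo=timezone.utc)
    print("purged:", store.purge_expired("admin", now))  # c1 is past retention
    print("denied:", store.denied_attempts())
```

The design point is that the role map is the single place where "who needs what" is decided, so adding a field to a role is a reviewable change, and the audit list gives the security team something concrete to monitor: a burst of denied attempts from one user is a signal worth investigating well before any breach notification is due.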

“Don’t underestimate the risk you are exposed to - and if you have to do one thing, make sure everyone is actually educated about the risk,” Mr Yip says.

Educating staff - and the stakeholders they engage with online - is the key to building a culture of data privacy. ADMA's Data Pass demonstrates to your team - and your suppliers - that you take data security seriously, with 12 easy online modules to cultivate the right practices.

Living in a world full of people bringing their own devices to the office, working in the cloud and constantly browsing the web means all of us leave behind an exhaust trail of personally identifiable information - but it's businesses that bear the cost of storing and securing that information.

Need more info?