COVID-19 has changed the way we work and do business. Unfortunately, scammers are taking advantage of the pandemic to exploit businesses and consumers across Australia. In a time where we are working more remotely than ever and using technology to connect, it is important to ensure your business is protected against cyber threats. Cyber security is about protecting your business’ technology and information from accidental or illegal access, corruption, theft or damage. Cyber security breaches also pose a threat to our customer data and could result in a data breach under the Privacy Act. Additionally, a cyber threat or incident can cause many issues for businesses, including: 

  • financial loss;
  • business or reputational loss; 
  • time notifying relevant authorities of the incident; and
  • time to get your systems up and running again. 

There may be no foolproof solution. However, there are many things your business and staff can do to ensure these risks are minimised as much as possible. This article explains what they are. 

Why Is It So Important? 

There are many significant issues that can be caused as a result of a cyber attack, including: 

  • financial loss from theft of money or information, or from disruption to business; and 
  • business reputational loss. 

Data breaches are another major risk associated with cyber attacks. They are especially risky where your business holds the personal information and data of your customers and this data is compromised in a cyber attack. 

Data Breaches

Criminal attacks are the leading cause of data breaches. This can have significant consequences for businesses that are considered APP entities. An APP entity is a business that:

  • has an annual turnover of $3 million or more; or 
  • is a subsidiary of a holding company that has a $3 million or more turnover. 

Some businesses with a lower turnover may also qualify, such as businesses that provide a health service and hold health information. Therefore, it is important to check with a lawyer if your business would be considered an APP entity for the purposes of the Privacy Act. If your business is considered an APP entity, you will need to comply with the Notifiable Data Breaches (NDB) scheme.

A notifiable data breach is when your business: 

  • loses personal information (which could include losing a laptop); 
  • discloses personal information to an unauthorised person; or 
  • has an unauthorised third party access the information (for example, if your database is hacked). 

If your business believes that an eligible data breach has occurred, you must notify all individuals affected by the breach as soon as possible. You must also notify the Office of the Australian Information Commissioner (OAIC). Your notifications must include certain specifics, and it can be a time-consuming and costly procedure. 

Depending on the type of breach and the business’ compliance with reporting requirements under the Privacy Act, penalties can reach up to $2.1 million for a body corporate and from $105,000 to $420,000 for any other entity. 

If your business is an APP entity, it is important to have a data breach response plan in place. This will allow you to respond efficiently and effectively to a data breach.

What Can Your Business Do to Minimise a Risk of a Cyber Threat During the Pandemic?

Invest in Cyber Security 

Cyber security is crucial for any organisation, and investing in it reduces the risk of a cyber attack. Cyber security experts can advise you on the forms of protection best suited to your business. You may need to update your software or invest in better IT infrastructure to give your business the best chance of avoiding a cyber attack. For example, ensure your email tool has a system to flag and filter out spam emails your staff may receive.

Cyber insurance is another investment that you can make to help minimise the impacts of a cyber attack or data breach. Cyber insurance can provide mechanisms to control, contain and coordinate responses to cyber scams. It may help protect or minimise the aftereffects of a cyber attack by covering certain costs for your business. 

Train and Educate Staff

During the pandemic, your staff may be working remotely and commuting to different locations. It is an important time to educate your staff on these cyber risks to help them manage these issues. 

Employees constantly interact with multiple company systems within your business. Therefore, it is important to train them adequately on how to use each of these. These systems range from email and business software to social media pages such as LinkedIn. 

Password Security 

Educate your staff on the importance of password security. Passwords are the first line of protection to keep sensitive and personal information safe. They also make it more difficult for hackers. Show your staff how to set strong passwords for any of their devices, emails or work systems. Strong passwords should incorporate a combination of:

  • letters;
  • numbers; and
  • symbols.

Emails 

Train staff to identify spam emails and ensure they know not to click on any links that may look suspicious. You should let your staff know what they need to do or who to contact (for example, your internal IT team) should they get a suspicious email or at least before clicking on any links. 

Ensure that you update and repeat your training regularly as a refresher to staff. Further, you should let staff know of the latest scams or issues that have arisen in the public so they understand the importance of the training. It is also important to ensure you are training any new staff that come on board. 

Acceptable Use Policies

Your IT acceptable use policy should clearly set out what you expect of your staff when they interact with company systems. The content of the policy will vary depending on your industry and business practices, but some key features include:

  • how staff should respond to suspicious emails they have received;
  • restricting the type of software that an employee may download without permission;
  • setting out what employees must do if they think a data breach has occurred;
  • notifying employees of how you are monitoring them;
  • regulating how an employee must conduct themselves on both personal and company social media channels;
  • the types of websites they can visit; and 
  • what is acceptable for them to download.

When a new employee or contractor commences work with your business, it is crucial to clearly set out the guidelines they need to follow and the expectations on them when using your IT systems. This will reduce the risk of employees inadvertently causing harm because they were unaware of the correct approach.

You can also clearly set out the consequences of breaching your IT acceptable use policy. These consequences might include termination or disciplinary action.

Key Takeaways 

With the shift to remote working likely to extend beyond the pandemic, cyber security will be an ongoing risk associated with operating your business. It is important to ensure you have the best protection possible against a cyber threat. Ensure you have:

  • appropriate cyber security protection;
  • updated IT systems;
  • staff that are trained and understand how to spot a cyber threat;
  • IT acceptable use policies; and
  • systems to provide guidance to staff members on how to behave and the consequences if they do not.

If you would like to discuss these issues or wish to incorporate an IT acceptable use policy, contact LegalVision’s data, IT and privacy lawyers on 1300 544 755 or fill out the form on this page.

Frequently Asked Questions

What is a notifiable data breach?

A notifiable data breach is when your business loses personal information, discloses personal information to an unauthorised person or has an unauthorised third party access the information.

What is an APP entity?

An APP entity is a business that has an annual turnover of $3 million or more or is a subsidiary of a holding company that has a $3 million or more turnover.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
