Whilst the integrity of your computer system is critical in keeping data breaches at bay, the latest report from the Office of the Australian Information Commissioner (OAIC) shows that human error and judgement – not malicious attack – is the most common cause of data breaches. So how safe is your data?
37% of data breaches result from human error. In over 20% of reported cases, personal information was simply sent to the wrong recipient, and in another 6% of cases system faults were to blame. Innocent or not, data breaches of any type can have serious consequences. Which is why, since 22 February 2018, businesses covered by the Privacy Act have been required to notify affected individuals and the OAIC of unauthorised access to, unauthorised disclosure of, or loss of personal information under the Notifiable Data Breaches (NDB) scheme.
The Notifiable Data Breaches scheme applies to organisations with an annual turnover of $3 million or more, to businesses ‘related to’ another business covered by the Privacy Act, and, regardless of size, to any business that handles health records (including gyms, child care centres and natural health providers), is a credit provider or holds Tax File Number information (the OAIC publishes the full list).
Organisations are required to take all reasonable steps to prevent a breach occurring, to put in place the systems and procedures needed to identify and assess a suspected breach, and to notify affected individuals and the OAIC if the breach is likely to result in ‘serious harm’.
What the statistics from the OAIC demonstrate is that procedural integrity in your business is paramount: train your team not only to be wary of scams coming in, but also to ingrain best practice for the day-to-day handling of personal data going out. Privacy protection is not just an ‘IT’ issue.
Marriott International recently discovered the importance of protecting your systems when its Starwood guest reservation database was breached. On 30 November 2018, the company announced that unauthorised access to the database may have been occurring since 2014. According to its latest announcement, up to 383 million guest records were potentially affected, including approximately 5.25 million unencrypted passport numbers.
Similarly, Cathay Pacific released a statement that up to 9.4 million Marco Polo Club members, Asia Miles members and registered account holders may have had their data accessed, including passenger name, nationality, date of birth, phone number, email address, postal address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information.
Hackers are extremely clever at disguising their activity, and it is getting increasingly difficult to spot an attack. By simply clicking on a link in a phishing email, a staff member can be taken to a fake login page that captures their password, or can trigger a malware download; either way, they may unwittingly hand the attacker open access to your business’s data.
According to ScamWatch, hackers commonly gain access to a business’s email accounts, or ‘spoof’ the business’s email so their messages appear to come from the company. The hacker then emails customers claiming that the business’s banking details have changed and that future invoices should be paid into a new account. Because these emails come from (or appear to come from) one of the business’s official email addresses, they look legitimate, and payments start to flow into the hacker’s account. The average loss from these scams is around $30,000.
A variation is where the hacker sends an email internally to a business’s accounts team, pretending to be the CEO, asking for funds to be urgently transferred to an offshore account. Hackers can also request that salary or rental payments be redirected to a new account.
In 2018, these scams cost Australian businesses $30 million.
So what can you do to protect your data?
There are a few simple measures you can take to protect your data, including:
- Having strong, enforced processes in place for the management of personal client information;
- Strengthening your authorising procedures for payments, so that two people must approve any payment or any change to a payee’s bank details;
- Using strong, unique passwords for each account, changing them promptly if you suspect they have been exposed, and turning on two-step authentication wherever it is available;
- Phoning a client or supplier, on a number you already hold rather than one given in the email, if their bank details appear to have changed;
- Training your team on cyber security, including:
  - Checking requests for payments that arrive electronically from other team members and management;
  - Checking that email addresses are legitimate, looking for slight variations in the sender’s domain and for a Reply-To address that differs from the From address;
  - Being suspicious of poorly written or unusually urgent emails;
  - Not clicking on links from an email; always log in to your account with the supplier or Government department directly to check details.
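The email checks in the list above can be partly automated. The following is an added example written for this article, not code from the page’s author or from ScamWatch: it parses a message, compares the sender’s domain against a list of trusted supplier domains (flagging look-alikes built from swapped characters or single-letter typos), flags a Reply-To address that points somewhere other than the From domain, and looks for the “our bank details have changed” wording. The trusted domains, the confusable-character table and both sample messages are constructed assumptions for the example.

```python
"""Heuristic checks for invoice-redirection (BEC) emails.

Added example for this article. TRUSTED_DOMAINS, CONFUSABLES, the keyword
patterns and the two sample messages are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Domains this business legitimately receives payment requests from (assumption).
TRUSTED_DOMAINS = {"acme-supplies.com.au", "ourfirm.com.au"}

# Substitutions commonly used to build look-alike domains (assumption; not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Wording typical of the "our bank details have changed" lure (assumption).
PAYMENT_CHANGE_PATTERNS = [
    r"bank(ing)? details? (have|has) changed",
    r"new (bank )?account",
    r"updated? (bank|account) details",
    r"urgent(ly)?",
]


def normalise(domain: str) -> str:
    """Lower-case a domain and fold confusable substrings, so that
    'acme-supp1ies.com.au' and 'acrne-supplies.com.au' both compare equal
    to 'acme-supplies.com.au'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a distance of 1 or 2 from a trusted
    domain usually means a dropped, added or swapped letter (typo-squat)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None.
    An exact match with a trusted domain is not a look-alike."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if normalise(domain) == normalise(t) or levenshtein(domain, t) <= max_distance:
            return t
    return None


def domain_of(header_value) -> str:
    """Extract the domain of an address header ('Name <user@host>' -> 'host')."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> list:
    """Run the checks from the article against one RFC 822 message and return
    the list of warnings (an empty list means nothing suspicious was found)."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    target = lookalike_of(from_domain)
    if target:
        warnings.append(f"sender domain {from_domain!r} looks like trusted {target!r}")
    elif from_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {from_domain!r} is not a known supplier")

    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    for pat in PAYMENT_CHANGE_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            warnings.append(f"payment-change language matched: {pat!r}")
            break

    return warnings


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: Accounts <accounts@acme-supp1ies.com.au>
Reply-To: accounts@acme-supplies-billing.com
To: payables@ourfirm.com.au
Subject: Updated banking details
Content-Type: text/plain; charset="utf-8"

Please note our banking details have changed. Future invoices should be paid
to the new account below. This is urgent.
"""

LEGITIMATE = """\
From: Accounts <accounts@acme-supplies.com.au>
To: payables@ourfirm.com.au
Subject: Invoice 1042
Content-Type: text/plain; charset="utf-8"

Please find attached invoice 1042, payable to the usual account.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, check_message(raw) or ["no warnings"])
```

Run as a script it prints three warnings for the constructed suspicious message (look-alike sender domain, mismatched Reply-To, and bank-details wording) and none for the legitimate one. These are heuristics to prompt the phone call recommended above, not a replacement for it: a hacker who has taken over a supplier’s real mailbox passes every domain check, and only the phone call to a known number catches that case.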
If you’re concerned that your record keeping, invoicing and payroll may not be secure, we strongly encourage you to consider Xero cloud-based software. If you would like assistance getting set-up, simply call us on 9887 8751 or schedule an appointment online.