MYTH #1: It won’t happen to me
Cyber criminals only attack large companies and government organisations like banks, the stock exchange or Centrelink. I’m too small for them to notice me.
- Cyber criminals rarely target specific organisations; instead they are opportunistic.
Just like fishing, they spread their nets as wide and as far as they can in the hope of trapping an unsuspecting victim, regardless of the victim’s background.
- As large corporations and governments invest in more sophisticated cyber defences, cyber criminals are turning their attention to smaller, more complacent organisations to satisfy their criminal schemes.
Recommendation: It is recommended that a robust Privacy by Design regime be implemented regardless of organisation size or cyber maturity to ensure cyber resilience.
MYTH #2: Cyber Security Insurance
I have Cyber Security Insurance – I don’t need to comply with the Australian Privacy Principles or perform regular audits of my Cyber Security vulnerabilities.
- The Australian Privacy Principles are legally binding legislation; Cyber Security Insurance does not abolish your responsibilities under them.
- There is currently significant legal debate ongoing as to whether insurance companies are “legally prohibited” from offering insurance against actions that have been made unlawful by statute, e.g. Workplace Health and Safety laws. Compliance with the Australian Privacy Act would be a similar scenario.
Just like placing locks on your home rather than relying on your home and contents insurance, proactive responses are far less costly than reactive responses.
Recommendation: It is recommended that a robust Privacy by Design regime be implemented, taking all reasonable steps to prevent a cyber attack before it occurs, combined with appropriate Cyber Security Insurance in the unfortunate event that an attack does take place.
MYTH #3: I don’t need to do regular independent data security tests on my equipment
I can rest assured that my existing IT provider already makes me secure and compliant with the APPs.
- The Australian Privacy Principles outline that regular (e.g. annual) independent assessments of an organization should be performed by qualified and certified professionals.
- Traditional IT providers typically are not qualified in, and do not have knowledge of, regulatory frameworks such as the Australian Privacy Act, and so cannot appropriately conduct end-to-end privacy assessments, including the associated cyber security audits.
Just as internal accountants cannot audit themselves but instead require external auditors, IT providers require independent assessments to ensure compliance with regulations and quality control.
Recommendation: It is recommended that organizations regularly (at least annually) conduct a Cyber Security Audit performed by a qualified independent expert. That expert should provide a detailed report on the weaknesses identified and partner with and work alongside any existing IT providers to ensure appropriate fixes are made to those weaknesses.
MYTH #4: Aren’t I already compliant?
I took all reasonable steps when I set up my computer a few years ago. I am already compliant with the APPs.
- Cyber crime is always changing and adapting – it is dynamic. Also, one of the biggest cyber vulnerabilities is failing to update software or applications.
- Due to these significant risks, the Australian Privacy Principles outline that organisations must do regular checks (e.g. annually) to ensure they remain resilient over time rather than only at a single point in time.
Recommendation: It is recommended that organizations regularly (at least annually) conduct an independent Cyber Security Audit performed by a qualified independent expert.
MYTH #5: I am not responsible for third party suppliers’ data security
I use third party suppliers to handle my privacy compliance, e.g. Practice Management Software or Accounting Software. They are responsible for my clients’ privacy and data security, not me.
- The Australian Privacy Principles are legally binding; using third parties does not abolish your responsibilities.
- The APPs clearly state that a principal practitioner is responsible for any data given to a third party supplier, but can relinquish that responsibility after performing robust due diligence.
Recommendation: It is recommended that a robust due diligence process is implemented for all third party suppliers that handle an organization’s collected personal data.
MYTH #6: I am a subcontractor, I’m not responsible for data privacy.
I am a subcontractor as part of a larger practice. The principal takes a large portion of my fees. Doesn’t this cover my clients’ privacy, rather than me?
- The Privacy Act 1988 sets out the responsibilities of those who form part of an organisation.
- The Privacy Act defines those that “Hold or Control” personal data and those that merely “Use” personal data. Those that “Hold or Control” personal data are deemed responsible for it, and those that only “Use” it are unlikely to be responsible.
Ask yourself: did I collect the information, do I control where it is stored, and do I have access to change or edit the information? If the answer is yes, then you are likely to be held responsible for that data regardless of your contractual arrangements.
Recommendation: It is recommended that a robust Privacy Impact Assessment is conducted to flowchart how personal information moves throughout your organization and the responsibilities that come with that.
MYTH #7: I am compliant: I have done Cyber Security Awareness training and have an IT security policy.
I have done Cyber Security Awareness training, even had a consultant come out and deliver it, and have good IT security policies. I am compliant.
- The Office of the Australian Information Commissioner sets out 9 key components of data security, with over 170 subcomponents, all of which are required to be regularly tested or reviewed. Awareness training and policies are only 2 of these key components.
Would it be acceptable if you had a virus, went to a medical provider, and all they provided you was some awareness training and a policy? Of course not; the expectation would be that the medical professional would give you the awareness training, plus do a practical assessment or test, plus a treatment plan to eliminate the virus, plus follow up at the end of the treatment plan to recheck that it was effective.
Information System Assurance including Cyber Security is no different.
Recommendation: It is recommended that a robust, end-to-end, Privacy by Design assessment program is undertaken to ensure reasonable compliance with the Australian Privacy Principles is in place. Be wary of any organisation that only offers training, strategy or policies as a solution to compliance.