Moving your business online is an exciting stage of your business journey. After all, it’s a lot easier to manage your business and store information when it’s all in one, accessible place. And it’s not exactly the best feeling when your business is being left out of the tech-savvy world.
But moving online also carries some serious risks.
If your business has stored data online (including client information), there’s always a risk of this data being stolen or manipulated for other purposes. Data breaches can cost SMEs some heavy losses; in some cases, more than they can afford. This is where a good Cyber Security Plan comes in handy.
What Is Cyber Security?
Cyber security is basically a business’ way of protecting its online data and information from being stolen or hacked.
Not having a suitable cyber security system in place is sort of like leaving your office unlocked. There’s some pretty valuable stuff in there, so you wouldn’t want anything being stolen. Locking the office is generally something you do out of habit, so it’s a good idea to make cyber security a common habit, too.
Think of it this way: the cost of protecting your business from a data breach is likely to be much lower than what it would cost to recover from one. Having sensitive information taken, like your clients’ credit card details (and in some serious cases, medical records), can have some serious consequences, so it’s definitely worth adopting the right measures to manage your cyber security.
What Kind Of Online Threats Are We Talking About?
Cyber security threats can come in many forms. In fact, this is what makes them even more dangerous and difficult to identify.
A cyber threat can be as small as an email pretending to be from someone you know, asking you to confirm some sensitive information about yourself. This is known as spoofing, and is only one of the many forms of a cyber threat. Other forms include:
- Scam emails (‘phishing’)
- Malware: This includes viruses, spyware or worms
- Ransomware: This usually happens when the cyber criminal (or whoever is breaching) only agrees to return the data upon being paid a certain amount. Unfortunately, the data is unlikely to be returned even if the business does pay.
- Denial of service attacks: The scammer will usually overload the software with requests, causing it to crash.
Luckily, there are many ways you can protect your business and manage your cyber security system.
How Can I Protect My Data?
Most SMEs tend to skim over any cyber security plans and hand them over to the IT professionals. But this isn’t such a great idea.
Cyber security is something that everyone in the workplace should be involved in. Protecting your business against online threats requires effort and responsibility from everyone — even involving something as small as changing your password.
So, how do you get everyone on board?
Update Your Systems Regularly
Most businesses already back up their data and update their systems. But with the increasing complexity of the online world, it’d be best to do this more often.
This also includes changing passwords regularly (such as your employees’ credentials) and setting up two-factor authentication whenever they log on.
Most businesses also use cloud-based services for their convenience and encryption. However, this also means you need to organise your data appropriately, so you know exactly where everything is.
Monitor Who Has Access To Your Data
As a business, you’d need to give certain employees access to your data so they can do the required work. However, it’s important that you maintain good control over accessibility as information can easily end up in the wrong hands.
It’s strongly advised that you have a Cyber Security Policy in place to set out which employees can access data and on what terms — we’ll cover this shortly.
If you’ve employed independent contractors, it’s important to monitor how they use your data, too. Businesses generally have more control over employees’ work rather than contractors, so it’s a good idea to have a Contractor Agreement in place to have control over their use of that information. A Contractor Agreement generally covers:
- Scope of work
- Price and payment method
- Intellectual property
In this situation, we’re particularly concerned with IP and confidentiality. You can add provisions to your agreement that limit the contractor’s access or use of data. This way, it lowers the risk of your data ending up where it’s not supposed to be.
If you’ve engaged some overseas contractors, this can get a little bit tricky. In the case of a dispute, you’d have to decide whether your Contractor Agreement falls under Australian law or their local laws.
Of course, this depends on the relationship between you and your contractor, but it’s important to establish this in case their local laws around data use and privacy are different to Australian laws (you can read more about engaging overseas contractors here).
What If My Employees Are Working From Home?
With 2020 changing the way we work, it’s now also good business practice to have a Work From Home Policy. If your employees live with other people, or use their own devices at home, there is a risk of sharing your sensitive information with unauthorised people.
A Work From Home Policy can set out some ground rules around how employees can access data (for example, they can only use a specific software used by the business while working remotely). This is important because if an employee mishandles information belonging to a third party and it ends up being stolen, the business will be vicariously liable to that third party. We’ve written more about managing employees who work from home here.
If employees are not working from home, then it’d be best to update their Employment Contract to regulate their access to data on work devices, and whether their access is limited in any way. Otherwise, a Workplace Policy setting out their obligations in relation to data use will also suffice.
Train Your Employees About Cyber Security
Having the right policies in place is one thing, but that’s generally not much use if employees don’t actually understand why they’re required to follow them.
Your employees play a big part in the business’ use of data and where it goes, so it’s crucial that they understand the gravity of having that sensitive information taken. Educating your employees about cyber security plays a big part in protecting your business.
Once your employees have some basic training around cyber security, they can make more responsible decisions when accessing and distributing information.
Essentially, educating your employees about cyber security is the first step, and any workplace policies you implement are merely putting these rules in writing.
Getting Cyber Security Insurance
Like most other risks, cyber security risks can be mitigated with insurance. Thankfully, businesses can be covered by Cyber Security Insurance, which covers any costs involved in the recovery from a data breach.
There are many ways a business can protect their sensitive information. It’s important to look into your cyber security options, particularly as so much of your business’ information is online — we’ve written more about this here.
What Other Agreements Might I Need?
Let’s say you’ve taken all the necessary steps to prevent or reduce the risk of any data breach. Regardless, it ends up happening. Unfortunately, this might be the case for some businesses.
This is why it’s important to have a Data Breach Response Plan.
This will set out what will happen in case a data breach does occur. For example, the plan can set out how the affected parties can be notified of their data being stolen. Further, the plan can outline which staff will be responsible for what in containing the data.
It’s essentially a great way to be proactive in managing your cyber security.
You can either have a non-disclosure clause as part of your Employment Agreements, or it can be an entirely separate contract (an NDA). Either way, it has the same effect: it prohibits employees from disclosing any confidential information to anyone outside of the business.
This is a very common method used to protect business information and can be one of the first steps to prevent a data breach.
Similarly, your employment contract can have a Non-Compete Clause, which prohibits employees from working with any of the business’ competitors. This will also prevent any sensitive information floating around with others and will further protect sensitive data.
We know that putting together a proper cyber security plan can be overwhelming. The Australian Cyber Security Centre has covered some of the main points to consider here.
What Is A Notifiable Data Breach?
If your business is covered by the Privacy Act 1988, any data breach you suffer needs to be disclosed to the affected parties and the OAIC (Office of the Australian Information Commissioner). This is known as a Notifiable Data Breach.
A Notifiable Data Breach arises when the following situations have occurred:
- When there has been unauthorised access to your data (or loss of data)
- Where that breach is likely to result in serious harm
- Where it’s not possible for your business to prevent that harm
Am I Covered By The Privacy Act?
Generally speaking, the Privacy Act covers any business with an annual turnover of more than $3 million. However, it also covers certain types of business regardless of their annual turnover. For example, health service providers will be covered as they handle sensitive information.
If you’re unsure as to whether your business is covered by the Privacy Act, you can check here.
Data breaches and cyber security threats can happen to any business. In fact, it’s more common now that most businesses have moved online.
This is why it’s crucial to have a suitable cyber security plan in place to protect your business in case anything happens. But don’t worry: we have a team of professional lawyers who can help you with what you need.
You can reach out to us at firstname.lastname@example.org or contact us on 1800 730 617 for an obligation free chat.