Transcript of: CyberSecurity - Protect Your Business - What You Need to Know
www.OnyxOnlineLaw.com
CyberSecurity: Protect Your Business
What You Need to Know
@CLICK!DigitalExpo #CLICK2017 #IncredibleCLICK #OnyxOnlineLaw #legal #business #cybersecurity
This is for you if:
• You want a simple explanation of your cybersecurity risks
• You want some easy steps to protect your business
• You’d like to understand your real legal obligations
Who Am I & Why LISTEN To Me?
• Worked with over 1000 clients to protect their businesses
• Insider understanding of business needs after over 8 years in house
• Over 18 years’ experience, working with online business since 2010
• Practical, solution focused, easy to talk to
• Author of international bestseller “Cover Your Arse Online”
• LLB, LLM, GradDip LP, GAICD
Disclaimer
This is general legal information only. If you have very specific questions, consider getting legal advice appropriate to your circumstances. Don’t advise others; refer them for legal advice.
What we’re covering
1. Risk Management in the age of cyber-attacks
2. Mandatory Data Breach laws and how they apply to you
3. Why not knowing is no excuse
Risk Management
Risk management?
1. Identify a potential problem for your business
2. Work out what you can do to solve the problem, or to reduce the chance of it happening, or the impact if it does happen
3. Revisit every 6 – 12 months to check
What is cyber risk?
• The risk, through technology, of:
  – financial loss or data destruction
  – reputational damage
  – business disruption = lost productivity
  – systems failure
What is cyber risk?
Common method:
• phishing email
  – attachments
• spear phishing email
• waterhole attack
  – websites
• back door
Common risk:
• hacking
• malware
• ransomware (WannaCry, Petya)
• trojan (steals credentials)
• payments diverted
The cost…
Ransomware first appeared in 1989.
In 2015 victims paid out $24 million to hackers. In 2016 it was estimated at $1 billion.
The overall annual cost of global cybercrime was thought to be $3 trillion in 2015 and this is expected to double to $6 trillion a year by 2021.
Source: www.ZDNet.com
What is cyber security?
What we use:
• technology
• techniques
• processes
• practices
What we protect:
• devices
• networks
• programs
• data
What does that mean for you?
Devices
• strong password protection
• use antivirus and security software
• keep software updates current
• monitor software and applications used
• back up daily to an independent location
• apply remote deletion of data from devices
Networks
• appoint a responsible person
• keep a current inventory of all devices
• monitor software and applications used
• keep all software up to date
• segment the network
• back up all data, daily
• store back-ups securely, offsite
Programs
• map all programs used
• back up program files and licence keys
• keep operating systems, applications and data up to date
• don’t use counterfeit copies
• complete a threat analysis
Data
• use data encryption
• use trusted storage providers
• back up daily to an independent location
• test that back-up reinstatement works
• keep software updates current
• don’t accept payment instructions via email
Assessment of risk
• know who is responsible, and for what
• threat analysis
• penetration testing
• quality of back-ups
• monitoring program
• remove affected machines from networks
Mandatory Data Breach Laws
22 February 2018
Does the law apply to you?
• businesses, organisations (including sole traders) and government agencies already covered by the Privacy Act
• small businesses with >$3m annual turnover
• businesses that provide a health service or hold health information
Does the law apply to you?
• businesses that collect personal information for sale/benefit, for example:
  – a conference organiser who shares attendee information with exhibitors
  – a business that collates online or offline information to create databases for sale
  – a research organisation surveying people for eligibility for government rebates
Notifiable breach
Personal information
• personal data is lost, accessed or disclosed, for example:
  – tablet left on a plane
  – hacked system, e.g. Ashley Madison
  – phone number on a whiteboard in a TV broadcast
  – job applicant’s CV left on the reception desk
Notifiable breach
• the breach is likely to result in serious harm to any person whose data has been lost or accessed
• serious harm
  – physical, psychological, emotional, economic, financial or reputational harm
If there is a breach:
• notify individuals at risk of harm
• notify the Office of the Australian Information Commissioner, www.oaic.gov.au
• www.privacy.gov.au
If there is a breach: notice within 30 days
• identify your business
• describe the data breach
• explain what information is involved
• let people know what steps to take to protect themselves
Need more? www.onyxonlinelaw.com
Legal Articles
• Mandatory Data Breach Notification Laws Australia – FAQs
Not Knowing is NO EXCUSE
Ignorance of the law is no excuse in any country. If it were, the laws would lose their effect,
because it can always be pretended.
Thomas Jefferson
Tech Neutral
• Data breach laws are technology neutral.
• Just because you still operate with a largely paper-based system does not mean that this law will not apply.
• Most filing cabinets can be unlocked with a paperclip.
Penalties
• direction for compliance / undertaking
• public apology
• compensation for individuals
• Commissioner has 6 years to seek civil penalties
  – fines of up to $360,000 for individuals
  – fines of up to $1.8m for organisations
What we’ve covered
1. Risk Management in the age of cyber-attacks
2. Mandatory Data Breach laws and how they apply to you
3. Why not knowing is no excuse
Do you need help?
Action Steps
Connect @OnyxOnlineLaw on social media to receive a cybersecurity for small business checklist
Action Steps
www.onyxonlinelaw.com
www.lawforwebsites.info
Questions