w w w . O n y x O n l i n e L a w . c o m

CyberSecurityProtect Your Business

What You Need to Know@CLICK!DigitalExpo #CLICK2017 #IncredibleCLICK #OnyxOnlineLaw #legal #business #cybersecurity

w w w . O n y x O n l i n e L a w . c o m

w w w . O n y x O n l i n e L a w . c o m

This is for you if -• You want a simple explanation of your

cybersecurity risks• You want some easy steps to protect your

business• You’d like to understand your real legal

obligations

w w w . O n y x O n l i n e L a w . c o m

w w w . O n y x O n l i n e L a w . c o m

Who Am I & Why LISTEN To Me?• Worked with over 1000 clients to protect

their businesses• Insider understanding on business needs

after over 8 years in house• Over 18 years experience, working with

online business since 2010• Practical, solution focused, easy to talk to• Author of international bestseller “Cover

Your Arse Online”• LLB, LLM, GradDip LP, GAICD

w w w . O n y x O n l i n e L a w . c o m

w w w . O n y x O n l i n e L a w . c o m

Who Am I & Why LISTEN To Me?• Worked with over 1000 clients to protect

their businesses• Insider understanding on business needs

after over 8 years in house• Over 18 years experience, working with

online business since 2010• Practical, solution focused, easy to talk to• Author of international bestseller “Cover Your

Arse Online”• LLB, LLM, GradDip LP, GAICD

w w w . O n y x O n l i n e L a w . c o m

w w w . O n y x O n l i n e L a w . c o m

DisclaimerThis is general legal information only.

If you have very specific questions, consider getting legal advice appropriate to your

circumstances. Don’t advise others, refer them for legal

advice.

w w w . O n y x O n l i n e L a w . c o m

w w w . O n y x O n l i n e L a w . c o m

What we’re covering1. Risk Management in the age of cyber-

attacks 2. Mandatory Data Breach laws and how they

apply to you 3. Why not knowing is no excuse

w w w . O n y x O n l i n e L a w . c o m

Risk Management

w w w . O n y x O n l i n e L a w . c o m

Risk management?1. Identify a potential problem for your

business2. Work out what you can do to solve the

problem or to reduce the chance of it happening, or the impact if it does happen

3. Revisit every 6 – 12 months to check

w w w . O n y x O n l i n e L a w . c o m

What is cyber risk?• The risk of

– financial loss or data destruction– reputational damage– business disruption = lost productivity – systems failure

through technology

w w w . O n y x O n l i n e L a w . c o m

What is cyber risk?Common method• phishing email

– attachments

• spear phishing email• waterhole attack

– Websites

• back door

Common risk• Hacking• Malware• randsomware (WannaCry,

Petya)• trojan (steals credentials)• payments diverted

w w w . O n y x O n l i n e L a w . c o m

The cost…Ransomware first appeared in 1989

In 2015 victims paid out $24 million to hackersIn 2016 it was estimated at $1 billion

The overall annual cost of global cybercrime was thought to be $3 trillion in 2015 and this is

expected to double to $6 trillion a year by 2021.www.ZDNet.com

w w w . O n y x O n l i n e L a w . c o m

What is cyber security?What we use -• technology • techniques• processes • practices

What we protect -• devices• networks• programs• data

w w w . O n y x O n l i n e L a w . c o m

w w w . O n y x O n l i n e L a w . c o m

What is cyber security?What we use -• technology • techniques• processes • practices

What we protect -• devices• networks• programs• data

w w w . O n y x O n l i n e L a w . c o m

What does that mean for you?

w w w . O n y x O n l i n e L a w . c o m

Devices• strong password protection• use antivirus and security software• keep software updates current• monitor software and applications used• back-up daily to an independent location• apply remote deletion of data from devices

w w w . O n y x O n l i n e L a w . c o m

Networks• appoint a responsible person• keep a current inventory of all devices• monitor software and applications used• keep all software up to date• segment the network• back-up all data, daily• store back-ups securely, offsite

w w w . O n y x O n l i n e L a w . c o m

Programs• map all programs used• back-up program files and license keys • keep operating systems, applications and

data up to date• don’t use counterfeit copies• complete a threat analysis

w w w . O n y x O n l i n e L a w . c o m

Data• use data encryption• use trusted storage providers• back-up daily to an independent location• test that back-up reinstatement works• keep software updates current• don’t accept payment instructions via email

w w w . O n y x O n l i n e L a w . c o m

Assessment of risk• know who is responsible and for what?• threat analysis• penetration testing• quality of back-ups• monitoring program• remove affected machines from networks

Mandatory Data Breach Laws

22 February 2018

w w w . O n y x O n l i n e L a w . c o m

Do the Law apply to you?• business, organisations (including sole

trader), and government agencies already covered by the Privacy Act

• small business >$3m annual turnover• provide a health service or hold health

information

w w w . O n y x O n l i n e L a w . c o m

Do the Law apply to you?• collect personal information for sale/benefit

– conference organiser who shares attendee information with exhibitors

– business that collates online or offline information to create databases for sale

– research organisation surveying people for eligibility for government rebates

w w w . O n y x O n l i n e L a w . c o m

Notifiable breachPersonal information• personal data is lost, accessed or disclosed

– tablet left on plane– hacked system eg. Ashley Madison– phone number on whiteboard on tv broadcast– job applicant CV left on reception desk

w w w . O n y x O n l i n e L a w . c o m

Notifiable breach• the breach is likely to result in serious harm

to any person who’s data has been lost or accessed

• Serious harm– physical, psychological, emotional, economic,

financial or reputational harm

w w w . O n y x O n l i n e L a w . c o m

If there is a breach -

• Notify individuals at risk of harm• Notify the Office of the Australian

Information Commissioner www.oaic.gov.au• www.privacy.gov.au

w w w . O n y x O n l i n e L a w . c o m

If there is a breach -Notice within 30 days• identify your business• describe the data breach• explain what information is involved• let people know what steps to take to protect

themselves

w w w . O n y x O n l i n e L a w . c o m

Need more?www.onyxonlinelaw.comLegal Articles• Mandatory Data Breach Notification Laws

Australia – FAQs

Not Knowing is NO EXCUSE

Ignorance of the law is no excuse in any country. If it were, the laws would lose their effect,

because it can always be pretended.

Thomas Jefferson

w w w . O n y x O n l i n e L a w . c o m

Tech Neutral• Data breach laws are technology neutral. • Just because you still operate with a largely

paper based system does not mean that this law will not apply.

• Most filing cabinets can be unlocked with a paperclip.

w w w . O n y x O n l i n e L a w . c o m

Penalties• direction for compliance / undertaking• public apology • compensation for individuals• Commissioner has 6 years to seek civil

penalties– fines <$360,000 for individuals– fines <$1.8m for organisations

w w w . O n y x O n l i n e L a w . c o m

What we’ve covered

1. Risk Management in the age of cyber-attacks

2. Mandatory Data Breach laws and how they apply to you

3. Why not knowing is no excuse

w w w . O n y x O n l i n e L a w . c o m

Do you need help?

w w w . O n y x O n l i n e L a w . c o m

Action Steps

w w w . O n y x O n l i n e L a w . c o m

Connect @OnyxOnlineLaw on social media to receive a cybersecurity for small business checklist

w w w . O n y x O n l i n e L a w . c o m

Action Steps

advice@onyxonlinelaw.com

www.onyxonlinelaw.comwww.lawforwebsites.info

w w w . O n y x O n l i n e L a w . c o m

w w w . O n y x O n l i n e L a w . c o m

Questions

w w w . O n y x O n l i n e L a w . c o m