COMMENT It’s a hell of a time to sell security. Hackers are spawning cleverer and cleverer ways to extort money from businesses (see WannaCry and Petya). In response, bureaucrats are thrusting SMEs into the frontline with legislative bayonets at their backs.
Losses from cybercrime stacked up to $4.5 billion a year in Australia six years ago, according to a study by McAfee, and have continued to climb. Ransomware is increasingly effective and perpetrators nearly impossible to trace, let alone bring to justice.
On 13 February, the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which forces companies with more than $3 million in revenue, or in healthcare, to report data breaches immediately.
A targeted company has 30 days to investigate and report on the breach in greater detail. Failure to do so attracts a $360,000 fine for the directors and $1.8 million for the company itself. The legislation comes into effect on 22 February 2018.
“Corporate Australia has seven to eight months to put a plan together and know how to respond and be prepared” for a data breach, says Monica Schlesinger, a specialist cybersecurity governance expert, principal of Advisory Boards Group International and a director on five other boards.
“Directors need to know the regulatory environment,” adds Schlesinger, who spoke at a roundtable on security in July organised by Watchguard.
Resellers need to understand the implications of this legislation. Aside from companies turning over $3 million or more, it applies to healthcare companies of any size. Every doctor’s surgery, pharmacy and dental clinic has to comply or face crippling fines.
Schlesinger surveyed 145 Australian SMEs about their cybersecurity experience at a board level. The results were woeful.
Nearly 90 percent of directors surveyed had no idea what experience the board had with cybersecurity. Only 8 percent had talked about it briefly, and 4 percent had discussed it in depth. No respondents said they were well informed and had a cybersecurity strategy in place.
So what should these boards do? “They must understand the risks of cybersecurity and the enterprise risk, because it can take them out of business in a very short space of time,” Schlesinger says. “They need to have a cyber-governance assessment and understand the legal implications for their industry.”
The problem for Australia’s two million SMEs is that most of them don’t have a board, let alone a plan to deal with a data breach. “They’re too busy running the daily operations of their business,” says David Cohen, managing director of Systemnet, a reseller of security hardware and services in Bondi Junction, NSW.
Cybercrime experts expect the situation to worsen as hackers take advantage of artificial intelligence and machine learning services to improve their attacks. Amazon Web Services has already been used as command and control for a botnet.
“These hackers are not guys in hoodies sitting in their bedrooms. These are professionals sitting in air-conditioned offices with healthcare plans,” says David Higgins, regional director at Watchguard Australia and New Zealand.
Savvy security resellers will spot the opportunity here. Directors will want a response that protects not only the company from loss of data but also themselves from the risk of fines.
Selling a firewall or other security appliance is not enough of a guarantee against the risk of a fine. Security as a service, ideally monitored and reported by a reseller, is far more appealing if it is comprehensive, easy to deploy and low maintenance to manage.
Even better if the service comes with a template cybersecurity strategy, customised to the industry and size of the customer. Wrap it all up with cyber insurance and you have a very attractive package: security from hacks, from government fines, and from loss of revenue.
The obvious place to start is with healthcare providers of all stripes. The Bureau of Statistics shows there were 120,000 “healthcare and social assistance” businesses in 2016.
Doctors and nurses need saving. Will you help them?