The finding comes from ‘The Enemy Within’, a research report that was released today by cyber-security firm Clearswift, which found a major lack of awareness amongst businesses about upcoming changes to privacy legislation and wider challenges.
78% of IT security decision makers admitted it is difficult to keep up with the ever-changing security landscape, while almost a quarter of organisations (24%) have suffered some form of data security incident in the past 12 months.
The proposed mandatory data breach legislation could come into effect next year, meaning businesses should start learning about how they'll be affected.
The legislation, which will require organisations to report data breaches they suffer to impacted customers, has yet to enter most organisations’ security considerations, with 73% of IT decision makers indicating they are unaware of the proposed legislation.
Michael Toms, Clearswift ANZ Regional Director, said he's alarmed by the number of organisations unaware of the upcoming changes to legislation and the lack of business preparedness.
“We are surprised by not only the number of organisations unprepared for the significant impact these legislative changes will have on their business, but that many businesses aren’t even aware that the changes exist. Over half of the respondents we surveyed work in compliance, so it’s concerning that those responsible for ensuring their business is on top of the regulatory environment are in the dark,” Toms said.
“The new legislation encourages more transparency for customers in how their data is being used, with increased powers for the privacy commissioner and large fines of up to $1.7 million for non-compliance. That type of fine is not small change for many Australian businesses, so it’s vital businesses take action now to protect the sensitive information they hold.”
Toms also warned that businesses should not just be reacting to changes in government legislation when it comes to avoiding data breaches.
“The real focus shouldn’t be in complying with the proposed legislation in the event of a data breach; rather, investment should be made to avoid breaches in the first place. The reputational damage a breach can have on an organisation is huge and will become greater as changes to legislation increase transparency,” he said.
“The first step any business should take to protect the information it holds is to assess where the risk of data breaches could come from. Given breaches are more likely to come from an employee sending an email to the wrong recipient or via a personal email account than a large-scale espionage hack, resources and policies should be in place that reflect that.”