US retailer Target now admits that hackers stole personal financial details of up to 70 million people in their pre-Christmas raid. And a 16-year-old Melbourne schoolboy broke into the system of Public Transport Victoria and exposed the records of tens of thousands of customers.
A massive difference in scale, but just more evidence that businesses and other organisations are not properly preparing for even the most probable crisis risks to reputation and operations.
The latest research from the Sensis Business Index for the December Quarter shows that over half of Australia’s small to medium businesses have no risk plans or strategies in place in the event of a natural or man-made crisis. The survey of 1,800 SMEs across Australia found one in six had suffered an emergency or business disruption in the past 12 months. Yet overall most did not rate their business as facing a very high risk from most types of disaster events. And while they identified data attack and theft as by far the biggest risk to their business, fewer than half backed up their data at least once a day, and 26% admitted they backed up only once a month or even less often.
This worrying complacency mirrors conclusions from the PwC Global State of Information Survey 2014, which showed that while the rate and cost of data breaches are increasing, companies are simply failing to keep up with new threats. The survey covered 9,600 executives in 115 countries (21% from Asia-Pacific, including Australia), and an alarming 24% of respondents reported loss of data as a result of security incidents. Significantly, current and former employees were identified as the biggest IT security risk (think Edward Snowden).
Given this level of risk, it was even more concerning that the report said one third of US companies had no incident reporting system for dealing with insider security incidents, and among those who did, only 18% described that effort as very effective.
The threat to reputation and organizational integrity is very real and applies everywhere. For example, a previous comparative study for Symantec found that well over half of small to medium businesses in Australia and New Zealand had at least one security breach in the previous year, more than double the rate in the USA and Canada. The most recent Symantec study shows Australia has the highest average number of records breached and the second highest rate caused by malicious or criminal attack.
Some breaches will have been relatively minor, but a large IT breach can be a major crisis. Let’s not forget the malicious hack-attack on Melbourne webhost Distribute.IT in 2011 which erased 4,800 websites, leaving mainly small to medium businesses realising too late they needed to separately back up their own data. The webhost was quickly sold at a fire-sale price. Let’s also remember Privacy Commissioner Tim Pilgrim speaking last year: “Major data breaches in Australia are rising and are being reported at the rate of at least two every week.”
So what are the biggest obstacles to organizations being properly protected? According to the PwC survey, many companies have not deployed technologies to protect key assets and evaluate threats to business objectives, and have not yet established security as a foundation component of business strategy. They identified four major hurdles: (1) the CEO, (2) insufficient funding, (3) lack of actionable vision, and (4) lack of IT security strategy.
The start of a New Year is a great time to start working on these problems and getting crisis-prepared. Need help? Call Tony Jaques.