Against the evolving landscape of Australia's privacy and data protection regime, we conducted our fourth annual cyber security survey to assess how Australian organisations are responding to cyber risk. More than 110 senior executives across legal, technology, finance and procurement participated in the survey.
2018 ushered in more stringent privacy and data protection laws along with harsher penalties. New and incoming regulation, including Australia's Notifiable Data Breach and consumer data right regimes as well as the European Union's General Data Protection Regulation, brought Australia closer in line with emerging international standards.
Numerous recent and high-profile examples of data breaches, both in Australia and overseas, demonstrate that those organisations not designating cyber security as a top priority are exposing their business, customers and reputation to a clear, present and escalating danger.
Against this background, our latest survey results indicate that more should be done to address this danger. Respondents indicated that they are aware of the cyber threat, and year on year we have seen a significant increase in organisations' acknowledgement and understanding of the risk. However, this has not always translated into appropriate and considered action.
78% of respondent organisations said that they have a data breach response plan in place, but only 45% of survey respondents told us they regularly (at least annually) tested it.
Artificial intelligence (AI) and big data solutions are important drivers for organisations seeking a competitive advantage. However, our survey indicates that many organisations are yet to jump on board.
Only 25% of respondents reported that they currently use, or intend to implement in the next 12 months, AI or big data solutions.
Of those survey respondents who are using, or who plan to implement, AI or big data solutions, only a few told us that they have undertaken a privacy impact assessment or security risk assessment of those solutions. A thorough understanding of the privacy and security impact of these new technologies will be an increasingly important aspect of understanding an organisation's cyber risk profile.
The fourth industrial revolution: at the crossroads of current and developing data-related rights
With many organisations now exploring the potential of AI, big data and the Internet of Things, the security of data as a right and an asset, as well as a liability and a cost, has taken on an increased significance. Regular, day-to-day activities that in the past would not have involved digital interaction may now leave both individuals and organisations exposed.
Organisations cannot afford to be complacent about cyber risk. They need to implement robust data governance arrangements and strategies for managing and protecting data. These should be developed with a customer-centric approach to data use.
“At a time when the law cannot keep up with the pace of technological change, it is incumbent on organisations to develop their own set of baseline privacy and data protection rules.”
The time to act is now.
Taking strong, decisive and consistent action is the best defence against a potential attack.