Edition 351 – Data Compromise

Like 10 million other Australians, our personal details have been caught up in the cyber attack on Medibank Private. A recent email late one evening from the health insurer confirmed that our private information had been compromised.

My first emotion at hearing this was anger. We’ve not been insured with Medibank Private for at least four years. Why are our details kept on their main system and not elsewhere? If you’re a former customer, why do they need to retain your details on file at all?

What I don’t understand with Medibank Private or, recently, Optus, both of whom have massive multi-billion-dollar budgets, is:

  1. How does it happen?
  2. Why are their systems so weak?
  3. Who was asleep at the wheel over the past few years, not war-gaming a potential data hack?

Those are the same questions that should be asked of small and family businesses. Most business owners and managers see IT as a cost, not an investment. As such, they put the least amount of money and thought into it until something breaks. They look at the operational functionality of their hardware and software first, last and always, yet don’t consider, for a moment, the data they retain in their systems.

In my experience with small and family businesses, I’ve observed:

  1. Businesses retain detailed plans for large infrastructure projects, electronically.
  2. Data backups not working.
  3. Self management of the IT function.
  4. Passwords retained on smartphones or, even worse, a scribbled notebook in the top drawer.

I’m no IT expert, which is why I leave it up to a dedicated team of professionals to ensure my systems are in top shape. So should you!

In this era of heightened cyber attacks, one of the most significant risks for small and family businesses is the potential harm to your business if you are hacked. Inadequate systems, lack of cyber insurance and a DIY approach to IT are all recipes for a significant lawsuit against your business, and you personally, if your client’s details or data are compromised.

In actual fact, for most of you, I would suggest that if you were sued by a client as a result of you compromising their data:

  1. Your insurance won’t specifically cover cyber security.
  2. The size of a legal claim, particularly if it is from a large client or public entity, would force your business into liquidation and potentially, you personally into bankruptcy.

In other words, playing it cheap could cost you everything you’ve spent your whole life to this point building.

My advice to small and family business owners:

  1. If you don’t have an IT advisor, get one ASAP.
  2. Have an independent assessment undertaken on your current IT systems and what needs to be done to bring them up to speed (because most of you are well behind where you should be).
  3. Speak to your insurers or broker about insurance coverage in the event of a cyber attack.
  4. Look at your own internal systems – who has access to your data, what protocols do you have in place and how often are you reviewing them in-house?

Optus & Medibank Private are the first of a large wave. At some stage, your IT will be attacked. The question is, are you going to do something about it now, before it happens? Or, will you leave it until something does happen, in which case, be prepared for significant pain.


This Week’s Tip

“You need to pay for ongoing IT advice in a fast-changing world.”