Business cyber security obligations

Cyber-attacks are a constant threat to individuals and businesses. From malware to phishing, cyber security risks are on the rise and attacks are becoming more sophisticated. While you may think your business is safe and you have done everything to protect it from a security breach, the truth is no system is impenetrable.

Large corporations with up to date software and protections in place have fallen victim to cyber-attacks. There have been successful attacks, both within Australia and internationally, on a range of organisations such as financial, IT, healthcare and telecommunications as well as governments at various levels.

In comparison, small business owners may assume, or hope, that the information and data they hold would be of little interest to hackers. However, small businesses that hold sensitive data such as healthcare records and credit card information, or vulnerable data such as childcare records, are a target for hackers too. Some small organisations are less advanced in terms of their data security, and this can make them an easier and more realistic target. Gaining access to a small business can also in some cases give hackers access to larger corporations.

Protecting your business from a cyber-attack

It’s important for all businesses to understand that protecting themselves from a cyber-attack is not just an IT or management issue.  This requires a whole business focus that all staff need to be aware of so they can contribute to the risk management processes and systems.  If any staff fail to adhere to the strategies put in place, regardless of that staff member’s role and level of responsibility, this can put the business at risk.

There are many ways a business can be protected from a cyber-attack. From software updates and data backups to passwords and staff training, the options available are improving all the time. To find out what you can and should be doing to protect your business, go to https://www.cyber.gov.au/resourcesbusiness-and-government.

Tips for protecting your business from a cyber-attack

  • Be sure staff only have access to what they need; don’t grant universal access across a business
  • When staff leave the business, remove all access and permissions immediately
  • Create strong passwords
  • Engage IT security experts to assist with your cyber security
  • Train all staff on the risk of a cyber-attack and the prevention strategies in place
  • Regularly back up data and information.
  • Use the resources and information found on staysmartonline.gov.au.

Incident response plan

An incident response plan is written instructions for what to do if your business experiences a cyber-attack.  These instructions help minimise the damage and improve the response and recovery time.

The plan should include an outline of what threats could impact your business and a strategy to manage each incident type with clear timelines. The plan should also identify the critical assets that could be a target, such as customer information, so the business knows what it needs to protect.

A list of responsibilities and accountabilities should also be included so that staff are aware of their roles in dealing with the situation. A PR or media response plan could also be something you incorporate in case you are required to make public statements regarding the incident.

You can find further details about what to include in your incident response plan at www.cyber.gov.au/resources-business-and-government/essential-cyber-security/publications/cyber-incident-response-plan

Notifiable Data Breach (NDB) scheme

The NDB scheme requires all businesses covered by the Australian Privacy Act 1988 to notify the OAIC and affected individuals when an eligible data breach has occurred.

Businesses covered by the Privacy Act includes all organisations with an annual turnover of more than $3 million. The Privacy Act also covers some small businesses who have an annual turnover under $3 million if they operate in one of the following categories:

  • A private health service provider such as a day surgery or a pharmacist
  • An allied health professional
  • Complimentary therapy such as a naturopath
  • A gym or weight loss clinic
  • A childcare centre, private school and private tertiary education institution
  • A business which sells or purchases personal information

An eligible data breach occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation holds
  • the breach this is likely to result in serious harm to one or more individuals, and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action

Serious harm to a person may include serious physical, psychological, emotional, financial or reputational harm.  Determining if serious harm is likely, meaning more probable than not, requires as assessment from the perspective of a reasonable person. 

A quick response to a data breach decreases the impact of the breach on those affected.  To be able to respond quickly, a data breach response plan is needed.  This plan will outline the business’ strategy for containing, assessing and managing the incident from start to finish. 

Further information about the Notifiable Data Breach scheme can be found at: www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme  

Cyber insurance

Cyber insurance can help cover financial losses to your business, your customers and other parties following a cyber security breach. This might include costs associated with:

  • Loss of revenue due to interrupted business
  • Hiring negotiators and paying ransom
  • Recovering or replacing your records or data
  • Liability and loss of third-party data
  • Defence of legal claims
  • Investigation by a government regulator
  • Misuse of intellectual property online
  • Crisis management and monitoring
  • Prevention of further attacks

When considering cyber insurance, it’s crucial to choose an insurer who understands cyber risks are changing, and new risks are constantly emerging. The costs of a cyber-attack can be enormous. However, the right insurance policy will help safeguard your business now and well into the future.

Contact Guild Insurance on 1800 810 213 if you are considering taking out cyber insurance and would like further information.

Download the full article here.

Similar Articles

  •

    Property maintenance - could your property cause an injury?

    Guild Insurance sees many insurance claims which have come about due to poor maintenance of a property.  In too many of these cases, the poor state of the building or its grounds is obvious and it’s quite surprising, as well as disappointing, that repairs haven’t been carried out before an incident has occurred.

    What can go wrong?

    There are a range of incidents which can occur due to poor maintenance of a property.  Staff can be injured leading to a worker’s compensation claim as well as staff being absent from work for an extended period.  Visitors to the premises, such as customers, clients or contractors, can also suffer injuries leading to public liability claims.  As well as the insurance claims which need to be managed, there’s the added stress of knowing that someone has been injured while at your premises.  Some of these injuries can be very serious and life changing.  Unfortunately, the hazards which lead to these injuries are often not viewed as seriously as they should be.  Yet with appropriate property maintenance many of these injuries could be avoided.

    Case 1

    A client entered a building and tripped over an edge of carpet which was ripped and curled up.  The client sustained a fractured wrist when they landed.

    Case 2

    An awning out the front of a building was old and worn out.  During heavy winds it broke off from the building and hit a person walking past at the time.

    Case 3

    While walking through the carpark of a premises, a staff member has tripped on a large crack in the asphalt which had caused the surface to be uneven.  They fractured their ankle as they fell.

    Case 4

    Poor maintenance doesn’t just lead to people suffering injuries, it can also lead to further damage to the property.  An old deteriorating roof collapsed when hit by heavy rain as it no longer had the strength to support the weight of this rainfall.  This led to excessive water damage within the building.

    Property maintenance tips

    • Have a documented maintenance program in place. This requires a schedule for regularly checking the property to identify hazards as well as details on what needs to be serviced, repaired or replaced and when.
    • Be aware of the out-of-sight, out-of-mind hazards. Many properties have roofs, guttering and downpipes in poor condition due to a lack of maintenance as no one has thought to get up on the roof and inspect it. Include the less obvious hazards in the maintenance program.
    • Have a maintenance budget. Some maintenance work can be planned, other work will come up unexpectedly when something breaks down. You need to be able to find money to fix hazards when identified.
    • Be sure to use qualified tradespeople to undertaken maintenance work. While it can be tempting to undertake some DIY and save money, the risk of things not being maintained or repaired correctly will not be worth the savings in the long term.
    • If you’re a tenant, be aware of what you’re responsible for maintaining and what’s the responsibility of the landlord. Not all tenancy agreements are the same, so you need to be across the details of your agreement.
    • Don’t wait to undertake maintenance till a more convenient time. There are many cases of injuries occurring due to hazards which had been identified but not yet acted upon, usually due to costs, time or not acknowledging the risk of the hazard.
    • All staff have a responsibility to create and maintain a safe workspace. Some hazards will be identified through regular property inspections, however, you can’t rely solely on these inspections. Therefore, encourage all staff to continually be on the lookout for hazards and to speak up when they see something.
    • Don’t think it won’t happen to you and your property. These incidents are a lot more common that many people realise.

    Download Property Maintenance article

  •

    Understanding social media risks

    Social media is an ever increasing form of communication for many people in both their personal and professional lives. It presents people with many benefits in allowing them to communicate a variety of messages to many people with great speed and efficiency. However, those benefits need to be balanced with the many risks social media presents.

    Social media is a very broad term which includes any websites and applications which allow users to interact with other people as well as create or share information (text, photos, videos etc.).

    There are endless examples where people appear to have not stopped and thought before they’ve posted on social media. Poorly considered social media posts can and do affect the personal and professional reputation and image of individuals as well as a businesses; even if the post isn’t directly related to a business.

    The following tips will assist individuals and businesses manage their risks when using social media.

    1. Have a business plan for how and why social media is to be used
    When deciding whether or not to create a business social media presence, it’s very easy to think ‘if everyone else is doing it, so should I’.  However there needs to be greater thought put into this decision.  The decision to use social media should be well thought out and based on a company’s needs and business plans; the benefits and risks need to be considered.

    2. Business social media should be based on business requirements, not personal views
    Business owners and managers need to be sure that when they make a decision on whether to use social media for their business, this decision is based on the needs of the organisation, not the owner’s/manager’s personal views of social media.  For example, a person who chooses to not use Twitter for personal use may still decide it’s a great tool for them professionally.  Business decisions and personal decisions regarding social media use should be separated.

    3. Create clear business guidelines and processes regarding who is able to post on social media and how this is to be done
    Due to the risks associated with social media interactions, it’s very important that businesses have a clear process for who is responsible for posting on social media.  The person undertaking this role needs to understand when social media is an appropriate form of communication and what sort of messages are to be shared using social media.  This process should also provide guidance on how often social media is monitored and responded to and how to respond to negative comments.

    4. Consider training for those staff responsible for social media
    It’s often assumed that young people are well versed in social media use however this isn’t always the case.  Also, not all users of social media understand appropriate business use and its associated risks.  Therefore it’s worth considering training in social media communications and its risks for the responsible staff members.

    5. Understand the social media site you’re using
    There’s a wide variety of social media sites available to businesses, all providing similar yet different benefits.  When a business is using any of these sites, it’s very important they understand the various functions within that site.  Not fully understanding how a site works is going to increase the risks of using it.

    6. Consider what messages should be shared using social media
    All businesses have various ways in which they communicate with their customers and clients.  Social media is generally designed for short sharp messages, yet not all information suits this style of communication.  When businesses are communicating with their customers, they need to carefully consider how that particular message should be shared.

    7. Carefully consider the implications of engaging with clients on social media
    Professionals and businesses should consider if social media is an appropriate forum for them to be communicating with clients, both through business or personal accounts.  Engagement through personal accounts can blur professional boundaries.  When using business accounts, some conversations may not suit social media, especially if the conversation appears in a public setting.  It’s important to consider what conversations are best had away from social media and when to take a discussion off line.

    8. Your business social media use must adhere to the Ahpra Advertising Guidelines
    Ahpra regulated professionals need to adhere to Ahpra’s Advertising Guidelines with all of their advertising.  This includes any advertising or promotion done using any social media site.

    9. Understand that you can no longer separate personal and professional use
    Unfortunately many people hold a view that what they write within a personal social media account in their own time will have no bearing or impact on them professionally.  However this is not the case.  Whether fair or not, professionals are always representing their profession and professional self; personal social media posts can be considered to be representing a professional view.  Therefore the professional impact needs to be considered before any personal post is made.

    10. Don’t believe that any post is ever private
    Too often people post information on social media which they intended to remain private and not be seen widely.  However social media can never truly be private.  Many online groups claim to be private and state that members require approval.  However non-approved users don’t need to be particularly savvy to access these groups and then share or copy information being posted.  Professionals need to remember that if they don’t want their colleagues, clients or competitors seeing a social media post, it should never be posted on either personal or business accounts.

    11. Never post in haste, all posts need to be carefully considered
    As mentioned earlier, social media is designed for quick short messages to be shared widely.  This means social media can encourage messages to be shared with little thought or planning which on occasions leads to poorly worded messages which are easily misinterpreted.  It’s important to pause and think through a message before it’s shared.

    Download PDF here


    Guild Insurance Limited ABN 55 004 538 863, AFS Licence No. 233 791.  This article contains information of a general nature only, and is not intended to constitute the provision of legal advice. Guild Insurance supports your Association through the payment of referral fees for certain products or services you take out with them    .

    social-media
  •

    Let the record show... Veterinary record keeping

    Medical record keeping is unfortunately one of those dreaded risk management topics. Guild Insurance understands that it isn’t the most interesting of topics for veterinarians to spend time thinking and talking about. However, it’s incredibly important, and Guild’s claims management experience suggests veterinarians would benefit from learning more about good record keeping.

    Records and insurance claims 

    Records can impact insurance claims in two ways:

    1. Poor records can contribute to a poor or unexpected outcome following treatment, leading to the client complaining and possibly seeking some form of compensation. For example, a dog’s weight was incorrectly recorded in the record due to a simple data entry error. This led to the dog being given a dose of medication which was too high; unfortunately the dog suffered renal damage and died as a result.

    2. Poor records may make a complaint, and therefore an insurance claim, difficult to defend due to the lack of evidence of what took place and why. Poor clinical outcomes and dealing with complaints can be very challenging and confronting. Therefore, understanding how to improve the standard of records really should be a focus.

    Why keep detailed records?

    1. Continuity of care

    It’s not uncommon to hear veterinarians believe they can remember the details of their consultations. However, at Guild we see examples where veterinarians haven’t remembered key aspects of prior consultations and treatment, and this has led to a poor outcome for the animal. It’s therefore imperative to have this information recorded to ensure certainty as to how and why you’ve treated an animal in the past. It’s also important to be sure you refer to the information within the record. Animals can suffer harm when key information is overlooked or forgotten about and they’re therefore not treated accordingly.

    2. Regulatory requirement

    All State and Territory Veterinary Boards within Australia have some sort of guideline or policy about a veterinarian’s obligations and requirements regarding record keeping. It’s the responsibility of every veterinarian to make themselves aware of and comply with the various codes, guidelines and policies relevant to them. Not knowing is not an excuse for not complying.

    3. Defence of a complaint

    If there’s an allegation of wrong doing made against a veterinarian, their records are going to be incredibly important. Those records provide evidence of what took place and why. Without this, the veterinarian will be relying on their memory as a defence. Information recorded at the time of the consultation is going to hold greater weight as a reliable defence than a veterinarian’s memory months after an event. As the saying goes ‘Good records = good defence, poor records = poor defence and no records = no defence’.

    What to record?

    A question many veterinarians ask when it comes to record keeping is, ‘How much detail do I need to record?’ Veterinarians should refer to their relevant Veterinary Board’s information to better understand the detail required in a record. Exactly what to include can vary according to the specifics of the animal’s condition and treatment. However, generally records should include, but aren’t limited to:

    • client identification
    • treatment date
    • animal(s) identification
    • history
    • examination details
    • diagnosis
    • treatment options offered and given, prescribed, or supplied
    • informed consent
    • response to treatment
    • other records/reports such as imaging reports, laboratory reports or specialist/referral reports
    • information provided to the client including post treatment instructions

    In some cases, it’s worth noting what didn’t occur as well as what did. For example, if a client has refused to consent to what would be considered the most ideal or obvious treatment option, the record should reflect that it was discussed and declined. If it’s simply left out of the record, it would appear that it wasn’t discussed as an option.

    When veterinarians are unsure if they have included enough detail, they should ask themselves whether or not another veterinarian could read the record and understand the full picture of what took place and why, without the treating veterinarian filling in any gaps. If the full story isn’t there, there isn’t enough detail.

    Professional and objective

    Records need to always be professional and objective. Criticisms of the client can be included, however this must be professional and only when relevant to the treatment being provided. This may occur in situations where the client isn’t complying with instructions and this is detrimental to the health of their animal. However, it’s important to remember that records can be accessed and read by a number of people, including the client and your regulator, so always be mindful of the language used. The language used should match the professional language a veterinarian would use when speaking to the client during a consultation.

    Changes and corrections

    If it’s noticed that errors have been made in a record, changes can be made to correct this. However, information should never be deleted. The original information must remain with a note explaining the correction and when the correction was made. Also, if additional information needs to be added to a completed consultation note, it should be done so it’s clear this is additional information and the date it was added.

    Download PDF here

    record-keeping
See more

The information supplied by you will be received, retained, used and disclosed by Guild Insurance Limited and its related companies and business partners for the primary purpose of providing you with further information on, evaluating, affecting, managing and administering products and services offered by Guild Insurance Limited and its related companies and business partners.

You may at any time request that no further marketing material be sent to you by clicking ‘unsubscribe’ via email communication. You may also access the personal information Guild Insurance Limited holds about you by contacting: Phone:  1800 810 213

© Copyright Guild Group Holdings Limited