Insights
Privacy Act: One small tweak that can make a big difference to data security and compliance
If you only make one security tweak to your business, it should be this: turn on multifactor or two factor authentication. Multifactor authentication (MFA) is a simple change that can massively improve data protection. Without it enabled, your business or Not for Profit organisation could be in breach of the Privacy Act depending on the type of information you hold.
What is multifactor authentication?
Multifactor authentication means accessing a particular app or system requires more than one method of identification. Without MFA, you log on via one device, with a single set of credentials. MFA requires more from users based on three factors:
Something you have, like a smartphone or a secure USB key
Something you are, like a fingerprint or facial recognition.
Something you know, like a password or PIN.
For example, to log into Xero online, you enter your email and password. With MFA, you then need to confirm your identity another way – such as on your phone via the Xero app. If MFA is enabled for Microsoft Outlook and you log on using a device that isn’t trusted, you will also need to enter a security code that has been sent to a trusted email account or phone number.
Whether it’s a text code, a fingerprint or a phone confirmation, MFA ensures more than one ID method is required to get into your important data. Most platforms and applications give you the option to switch it on through your security settings.
It seems inconvenient – why would you bother?
Single-factor authentication can make it much easier for a cybercriminal to compromise your bank accounts, accounting software, or business systems from anywhere in the world. All they need is your email address and password, which might have been stolen or leaked, or gained through phishing.
With two-factor authentication, it becomes exponentially more difficult for malicious users to get access to your systems. According to Microsoft, there are more than 300 million fraudulent sign-in attempts on its cloud services daily: “All it takes is one compromised credential or one legacy application to cause a data breach.” It estimates that MFA can block more than 99.9% of account compromise attacks. If that seems too high, perhaps it is, but MFA is still highly effective; Google says its implementation of MFA halved the number of account compromises.
When you have MFA enabled, it’s less concerning if your password is leaked or compromised. That alone won’t be enough to allow a hacker to gain access.
Without MFA, you’re probably in breach of the Privacy Act
The Office of the Privacy Commissioner recommends all organisations, regardless of their size to introduce MFA. When a breach occurs, one question often asked is whether an organisation has taken reasonable steps to protect the data they hold. If it is deemed the organisation did not take reasonable steps to protect its data, this could result in a breach of the Privacy Act. What’s reasonable depends on the size of the organisation breached and the scale and sensitivity of data it holds. No matter how small your business or charity might be, it almost certainly holds some personal information. It might be as basic as a list of members’ names, phone numbers and email addresses. Or perhaps it’s a more complex customer management system that includes payment details, health information or biometric data. As such, implementing the MFA is no brainer.
Under the Privacy Act, every organisation or individual that holds data must collect it appropriately, keep it safe and allow the people it concerns to be able to access it (for more details, read the Privacy Principles).
The Office of the Privacy Commissioner describes two-factor authentication as a bare minimum for small businesses or organisations that hold digital information. Without MFA in place, if someone unauthorised accesses your business data, you are likely to be in breach of the Privacy Act. This could lead to a penalty under the Act starting from $10,000; the most ever awarded is just over $168,000.
The risks of a data breach go far beyond penalties, though. Your organisation may also experience potentially huge financial losses, reputational damage, and be forced to shut down. We know of one instance where a small online business experienced a data breach, and the cost of remediation and compliance was so high that dissolving the business was the best outcome. Cyber incursions are such a significant risk it’s hard to overstate their potential impact – yet many organisations are unaware of their responsibilities and risks.
It’s all part of everyday risk management
Cyber security can feel like a particularly thorny specialist topic that sits outside business as usual. But there’s a better way to think about it – cyber security is simply another risk management activity.
It’s not separate or unique or different to other risks in your business, so managing it should equally be an everyday task. This means switching on MFA and getting everybody using it automatically, as well as keeping up to date with software patches and managing passwords effectively. Simple steps like these go a long way to protecting your organisation from breaches.
In some cases, you might need to switch platforms to be able to access MFA for your organisation. We also occasionally see small regional organisations in areas that are digitally excluded, which can make this tricky. There may be workarounds available, or alternative platforms that can help.
Create awareness and provide training
We know that it can feel inconvenient to add MFA to apps you use frequently. If those who use your systems don’t understand the importance of using MFA, they may find this extra effort irritating, or try to switch it off.
It’s essential to have all users on board. Education is the key – you need to explain to everyone why MFA is vital and why it is well worth the additional effort. You need to create awareness and provide training. According to research by Verizon, 82% of all cyber attacks “involved a human element”, and phishing scams still dominate social engineering attacks.
We know that many small and medium enterprises and Not for Profits, don’t have in house IT and cyber expertise, however, being small or local doesn’t exempt you from the Privacy Act, so you still need to make the effort to not only enable MFA, but to understand your obligations under the Act, establish cyber security policies, and incorporate MFA into your overall approach to risk management.