Management Memos

Making Measurably More For You Since 1985

November 2018

Don't Play Santa To Data Thieves

New laws protecting people from data breaches are now in effect in Australia, yet they've gone largely unnoticed by SMEs. That leaves those SMEs exposed to penalties of up to $1.8 million if a breach is not acted on and reported. In the rush of business before Christmas, don't slip up and play Santa to the crooks!

These new laws should change the way you do business. With so much going through your desktop, tablet or phone these days, a computer glitch or a network outage shows just how vulnerable business operations have become. Now we need to think just as hard about the business data itself!
Despite this, most people are doing email the way they always have, not really understanding the risks they're running.

Enter cloud-based accounting and documents - and a whole new set of problems. Survey evidence (see below) shows that it is SMEs who are at greatest risk. And a breach is so easy to trigger.

Easy Examples
A few years ago, a client asked a staff member to extract confidential reports and email them to her. Instead, the staffer sent the information via Facebook. Another client, referred to in that report (with her knowledge), then found her information freely accessible on Google, and that was without her approval.

This breach was caused by the carelessness of a junior staffer rather than by any attacker, but it was still a data breach. Our systems had been protected against malicious attacks; it took weeks to completely redesign our security to protect against carelessness as well!

In another case, this time involving neither our staff nor a client, an administration staffer had to email fifty people. He put all the addresses in the 'To' field, so every one of the fifty had their email address sent to forty-nine other people without their knowledge or consent. That's a data breach! The 'Bcc' field exists for exactly this situation: addresses in 'Bcc' are stripped before the message is delivered, so no recipient sees the others.
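To make the 'To' versus 'Bcc' point concrete, here is a small check, added to this memo as an example and not part of the original text, that builds the fifty-recipient notice both ways, counts how many third-party addresses each recipient would be able to read, and rewrites the careless version so the external recipients land in 'Bcc'. The sender's domain, the fifty customer addresses and the message text are all constructed for the example; only addresses in 'To' and 'Cc' are treated as visible, since mail software drops 'Bcc' before transmission.

```python
"""Recipient disclosure check for a bulk email (added example, not from the memo).

Everything below is constructed for illustration: the sender's domain, the
fifty customer addresses and the message text. No real people are involved.
"""
from email.message import EmailMessage

# Assumption: addresses at these domains are our own staff, not third parties.
INTERNAL_DOMAINS = {"smallbiz.example"}

# Constructed sample: fifty customer addresses, as in the anecdote above.
CUSTOMERS = [f"customer{i:02d}@example.com" for i in range(1, 51)]


def build_notice(recipients, use_bcc):
    """Build the same notice two ways: every address in To: (what the staffer
    did) or every address in Bcc: behind an empty group in To:."""
    msg = EmailMessage()
    msg["From"] = "admin@smallbiz.example"
    msg["Subject"] = "Holiday trading hours"
    if use_bcc:
        # An RFC 5322 empty group is a valid To: header that names nobody.
        msg["To"] = "Undisclosed recipients:;"
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    msg.set_content("We close at noon on 24 December.")
    return msg


def visible_third_parties(msg, internal_domains=INTERNAL_DOMAINS):
    """Distinct external addresses that every recipient will be able to read.

    Only To: and Cc: reach the recipients. Bcc: is dropped before transmission
    (smtplib.SMTP.send_message does this; mail clients do the same).
    """
    seen = set()
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        for addr in header.addresses:  # parsed by email.policy.default
            if addr.domain.lower() not in internal_domains:
                seen.add(addr.addr_spec.lower())
    return sorted(seen)


def check_disclosure(msg, max_visible=1):
    """Return (ok, exposed). ok is False when more than max_visible third
    parties can see each other's addresses, i.e. sending the message would
    itself be an unauthorised disclosure of personal information."""
    exposed = visible_third_parties(msg)
    return len(exposed) <= max_visible, exposed


def rewrite_to_bcc(msg):
    """Return a copy of msg with every external To:/Cc: recipient moved to
    Bcc:, leaving internal colleagues visible. This is the fix for the case
    described above."""
    external = set(visible_third_parties(msg))
    internal = [addr.addr_spec
                for header in msg.get_all("To", []) + msg.get_all("Cc", [])
                for addr in header.addresses
                if addr.addr_spec.lower() not in external]
    fixed = EmailMessage()
    fixed["From"] = msg["From"]
    fixed["Subject"] = msg["Subject"]
    fixed["To"] = ", ".join(internal) or "Undisclosed recipients:;"
    if external:
        fixed["Bcc"] = ", ".join(sorted(external))
    fixed.set_content(msg.get_content())
    return fixed


if __name__ == "__main__":
    careless = build_notice(CUSTOMERS, use_bcc=False)
    ok, exposed = check_disclosure(careless)
    print(f"all in To:     ok={ok}, {len(exposed)} addresses disclosed")
    ok, exposed = check_disclosure(rewrite_to_bcc(careless))
    print(f"moved to Bcc:  ok={ok}, {len(exposed)} addresses disclosed")
```

A check like this belongs in whatever sends bulk mail on your behalf (a mail-merge script, a CRM export, a shared mailbox rule), so the mistake is caught before the message leaves the building rather than discovered afterwards from a customer complaint.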

And it's not only email. Have you ever accidentally opened confidential files in the workplace that you should never have had access to? You're not alone. If that can happen on the office file server, what might it suggest about the permissions on your cloud-based accounting system?

A new report by Australian cybersecurity company QuintessenceLabs reveals that office workers in micro and small businesses are the most likely to increase the risk of a data breach, yet business leaders of organisations of this size are the least likely to be aware of them doing so.

The Law
The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) establishes requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

To see more on this, go to the Office of the Australian Information Commissioner (OAIC).

For serious or repeated interferences with privacy, which include failing to comply with the NDB scheme, penalties top out at $360,000 for individuals and $1.8 million for organisations. These figures are multiples of the Commonwealth penalty unit, which is indexed from time to time, so check the current amounts on the OAIC site. Either way, they are significant penalties.

Who Is Affected?
With most publicised data breaches being reported by the world's 'big data' companies, it's easy to forget that a great many SMEs are subject to these laws.

Any agency or organisation already subject to the Privacy Act (known as an APP entity) is subject to this legislation. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million, and, regardless of turnover, private health service providers, businesses that trade in personal information, and more. If you hold health records or buy and sell customer lists, the $3 million threshold does not get you off the hook.

What Is Affected?
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Notice that this is very broad.

The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as 'eligible data breaches', which trigger notification obligations.

The Key Question
What constitutes serious harm? That is hard to answer in the abstract (the OAIC's guidance weighs factors such as how sensitive the information is, whether it was protected by encryption, and who is likely to have obtained it), but here are typical ways a breach occurs:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

Did you notice that? Personal information mistakenly provided to the wrong person is a data breach. How simple is it for someone in your organisation to do that?

How At Risk Am I?
That depends on the training you have given staff, and the protocols you have put in place. While you think about that, it's worth looking at the findings of the QuintessenceLabs survey mentioned above:

  • Three quarters (74 per cent) of office workers in small or micro businesses have done something which could potentially lead to a data breach
  • Yet only 42 per cent of business leaders of organisations of this size are aware of their employees behaving this way
  • One in three SME business leaders do not fully understand Australia’s cybersecurity reporting legislation
  • 45 per cent of SME office workers admit [that they've been taught to believe] user experience is more important than data security
  • Australian workers in small businesses are the most likely to have no idea what the relevant security protocols should be (64 per cent)
  • Business leaders in small/micro organisations are the least likely to be aware employees are creating password vulnerabilities (39 per cent) and email vulnerabilities (25 per cent)
  • Business leaders in small/micro organisations are the least likely to be aware of confidential files being copied and carried out of the office (8 per cent)

Looking at these numbers, it seems that every SME is at considerable risk.

What To Do?
There are several things you can start with right now.

Immediately forget the idea that your information doesn't matter to anyone else. It does - it's the way to a goldmine of information about other people an online crook can easily use. Are you emailing customer information to your service techs? Stop it now. Or encrypt it!

At the same time, forget the idea that your computers are protected. About a year ago, our office saw a huge and unexplained increase in data usage. One of our machines had had a program installed in a 'drive-by' attack, and it was downloading videos and then redirecting them to the crook's location, probably to sell as pirate videos. Our top-line professional protection software (from two different top-line providers) had been modified by the malware to see this program as legitimate, and so let it operate. You are never safe!

In this case an eight-character password that we had thought secure had been cracked. It took a week to identify and remediate, and the problem was finally solved with two extra malware protection methods and a 16-character password.

Creating protective policies for passwords and usernames on email and other internet accounts is an absolute must! For example, we had a client use her own name as a username. Good for the ego, bad for security. Bear in mind, though, that a username is rarely secret (it is usually your email address), so it is the password, and multi-factor authentication wherever the service offers it, that do the real work.

Using your pet's name or your partner's name as the password is also a big 'no-no'! The solution is to download and install a password manager - software that will do it for you.

It automatically generates passwords and remembers them for you. You need to remember only the password for the manager itself. Your computer techs can help you set up such a system.

Then establish a policy on when passwords are changed. Routine three-monthly rotation was standard advice for years, but current guidance (for example NIST Special Publication 800-63B) is that forced periodic changes push people toward weak, predictable passwords. Change a password immediately whenever there is any sign of compromise, never reuse one across accounts, and turn on multi-factor authentication wherever it is offered.

What about the credit card numbers you take over the phone? What are your rules about those? The safest rule is not to keep them at all: key the number straight into your payment terminal or gateway and destroy the note, because any stored card data brings the card schemes' PCI DSS obligations with it. Whatever customer information you do keep on your computers should be in encrypted files. Meaningless folder names hide nothing from an intruder who already has access; it is the encryption that protects the data. Your computer contractor can help you with the right encryption software.


Here is your guide:

Determine whether your business is subject to the NDB scheme.

Check out the Information Commissioner's Guide to securing personal information.

Be aware of how personal information is stored and managed - and encrypt it (Remember the credit card numbers you take over the phone?).

Have in place a data breach response plan: the procedures and protocols to follow should a data breach occur. The Information Commissioner has an excellent guide to help prepare such a plan.

Seek legal advice at any step along the way to ensure that you are fully aware of your obligations, ensuring the safety of staff and customers.


It is important to note that you must notify the OAIC of an eligible breach, and you must also notify the customers who are affected. Once you suspect a breach, the scheme gives you 30 days to assess whether it is an eligible one; once you conclude that it is, notification must follow as soon as practicable. Prompt notice lets your customers take whatever steps they choose to deal with compromised credit card numbers, email addresses, bank details and the like.

We can help you see your strategic strong points, protect your strategic weak points. After that, you can just hang up - if that's what you'd like to do. NSA!

Phone us (see the numbers below) or use the contact form here to get help. Absolutely obligation free.



McNicol Williams Management Memos is brought to you as a service by My Red Zebra.


Any advice, information or comment contained in this document is general in nature, and should not be relied on as the basis for any specific commercial, business, employment, or financial decision. Specific advice should always be obtained for each individual circumstance. Accordingly any advice, information or comment contained herein is for general guidance only.