An HP study, released today, has found almost half of Australian small and medium businesses (SMBs) with an annual turnover of $3M+ do not consider themselves to be prepared for Australia’s new data breach notification laws. Just 51% of respondents said they had developed, or were in the process of developing, an IT security policy to ensure their compliance.
The HP Australia IT Security Study, conducted by ACA research in November 2017, surveyed 528 Australian SMBs with between 10 and 99 employees across the services, production, retail and hospitality, health and education, and distribution industries. A key objective of the research was to uncover Australian SMBs’ approach to IT security, including policies, procedures and risk management, as well as exploring their preparedness for the new data breach notification laws.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed by both houses of Parliament in February 2017, establishing a Notifiable Data Breaches scheme, which comes into effect on 22 February 2018. The scheme requires organisations covered by the Australian Privacy Act 1988 to inform the Australian Information Commissioner and members of the public if they believe or are aware that their data has been compromised.
Throughout 2017, Australian organisations were urged to put a spotlight on cyber security and to step up their capabilities, by proactively putting a data breach response plan in place and assessing and improving the current state of their IT security. Regularly reviewing their IT security ensures organisations have the right hardware, software and policies in place to protect themselves from increasingly sophisticated threats. The HP Australia IT Security Study found 57% of SMBs admitted to not undertaking any sort of IT security risk assessment in the last 12 months, despite a series of high-profile breaches in that time.
“The consequences of a data breach can be severe; from financial to brand and reputation damage,” said Paul Gracey, Director, Printing Systems, HP South Pacific. “Organisations should implement a process to monitor, detect and report data breaches, but prevention – and reducing the frequency and severity of breaches – is equally important.”
An antivirus product only protects against malware running in the operating system (OS). There are many other threats and security risks to a PC, for example those that aim to modify boot-time or runtime firmware. HP’s industry-leading set of security solutions is focused on protecting not only the device, but the user’s identity and data security.
“Endpoint security – at the device level – is critical to that mix. Organisations tend to rely solely on third party software security to protect their devices when, in reality, stronger and better business security must be integrated into the device itself,” said Gracey. “With hackers able to bypass traditional network perimeter security and antivirus programs, it’s time we scrutinise a hardware’s security as closely, if not more, than our external security solutions.”
While many IT departments apply rigorous security standards to PCs, tablets and other connected devices, they often overlook the printer. The HP Australia IT Security Study found that of the 43% of SMBs that had undertaken a risk assessment, just 29% included printers in their analysis – compared to 78% for servers and 76% for PCs.
This is in line with other US studies released this year. A Spiceworks report found just 16% of respondents think printers are at high risk for a security threat or breach; 43% of companies ignore printers in their endpoint security practices; and only 18% monitor printers for threats. Meanwhile, Quocirca noted in July 2016 that the ‘need for secure print solutions and services is heightened given the fact that 61% of organisations reported at least a single print-related data breach in the past year.’
“Security threats are evolving every day. Due to reduced effectiveness of firewall protection, every device on an organisation’s network is at risk, and unfortunately printing and imaging devices are often overlooked and left exposed,” said Gracey. “Protecting against security breaches is one of the biggest challenges organisations face. HP is determined to push the industry forward – building security solutions at the device level to help fend off data breaches, such as HP Sure Start in our enterprise printers, which enables detection of and self-healing recovery from malicious BIOS attacks.”
With 63% of respondents stating their employees work remotely on a regular basis, and the same percentage allowing employees to access company data from personal devices, Australian SMBs are becoming increasingly concerned about the risks associated with the lack of control over these devices. Over half of the respondents also flagged ‘employee carelessness’ as a significant security threat to their business, with concerns over not just the behaviour of staff when outside the office, but external threats such as visual hacking. Despite this, less than half (44%) of respondents have an IT security policy in place for employees that bring a personal device to work, and only 37% restrict the data that can be accessed from that device.
As organisations increasingly offer more flexible work options, the traditional network perimeter security and antivirus programs can be bypassed with relative ease, making it more important than ever before that security solutions are fully integrated at the endpoint device level. Visual hacking can be difficult to monitor or defend against, but there are security features at a device level that can help, such as HP Sure View, a privacy screen that’s integrated into the PC.
With the universe of connected devices growing exponentially, so are the sophistication and volume of cyber attacks and data breaches that can cause acute harm to businesses and people alike. The increasingly complex landscape makes securing devices, data and identities essential to preserving the trust and confidence people have in technology and the companies they choose to connect with.