Why you need to know about cyber security
If you work in or manage a business, you need to know about cyber security for a range of reasons.
- You are expected to know and respect the laws and regulations governing the use of computers and information.
- It’s important that you understand what’s at stake legally for all stakeholders.
- You need to keep abreast of the emerging legal requirements for confidentiality, integrity and availability of data. Ignorance is never an acceptable excuse.
- There are requirements that your organisation and the relevant authorities must respect regarding the legal rights owed to a person.
- There are liabilities for not exercising best practice security.
- Security professionals must be prepared to apply wise judgement, often in tense situations, so that appropriate decisions are made.
Due care and due diligence
Many of the SMEs you work in will be dealing with a range of stakeholders. For example, you will have both employee information and customer information. You are obliged by law to keep this information secure through due care and due diligence; not complying can increase business risk.
Due diligence is the continuous activity an organisation engages in to understand the current threats and risks that it faces.
Due care standards are met when an organisation makes sure that every employee knows what behaviour is acceptable as opposed to unacceptable, and knows the consequences. These standards are the verifiable and measurable steps an organisation takes (e.g. implementing controls) to provide protection from the current security threats and risks it faces.
Failure to practise due care and due diligence can expose an organisation to claims of negligence. For example, an organisation is in violation of the due care concept if it does not implement a data protection mechanism and ensure that the mechanism is being enforced.
Cyber security regulations
There is a link to a handy resource below that collates many of the cyber security related legal and regulatory requirements of the Federal Government of Australia. It lists some of the state-specific requirements to gain some insight into how some of the state laws differ from Federal laws. This can be an especially tricky area for privacy, as there could be both state and federal laws that apply to an organisation, depending on your country.
One particularly interesting example is the Australian Spam Act of 2003 (Cth). As a business owner or marketer, the goal is always to get more customers. What better way than through email or SMS advertising? Many businesses believe they are allowed to send out as many emails as they want to advertise various products and so forth. However, the Australian Spam Act prohibits sending unsolicited commercial electronic messages via email, SMS, MMS and instant messaging. Failing to adhere to this law can lead to fines of up to AUD 1.1 million per day. Do you know the requirements and laws in your country?
Ultimately, as a business owner or even employee, there are a range of cyber laws we have to adhere to when we are conducting our daily work tasks. It is best to be aware, be educated and ensure that you know what you need to do. Most importantly, keep up to date with current regulations and standards.
Were you aware of these obligations and requirements? Do some research on how they might differ in a country other than Australia and share your findings in the comments section.
© Deakin University