On Thursday, new mandatory data breach notification legislation comes into effect, but despite the introduction looming, the education sector is one of the least prepared for the new laws.
Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, almost every significantly sized Australian business must report all data breaches made within or from outside their organisation.
According to Canon Australia’s Business Readiness Index on Security, 42% in the education and training sector are ‘slightly’ or ‘not at all’ concerned about the new laws, while 39% are very/extremely concerned.
Fifty-eight percent of businesses have been assessed for security risk management or IT security, but the education sector has by far the highest incidence (17%) of decision makers who are unsure of any security assessments.
Alarmingly, while the wider industry views Technology/IT infrastructure as the biggest security risk Australian businesses are facing, the education sector sees people (e.g. documentation, training, compliance, etc.) as its weakest link (39%).
Despite this, a vast majority of the sector (75%) has not sufficiently implemented six or more of the Australian Signals Directorate's Essential Eight effective strategies to mitigate security incidents.
Schools and universities also fall behind when it comes to being proactive about data protection.
While Australian businesses rank ‘protecting company data’ as their highest concern (when it comes to security threats) at 52%, this figure dips to 44% for the education sector.
Instead, the education sector’s top concern seems to be viruses (56%).
Sop Chen, General Manager of Managed IT and Security Services, Harbour IT, a Canon Group company, said that when it comes to overall security, ignorance is no longer bliss.
“According to the Index, it reportedly takes nearly a month (24.7 days) on average for a security breach to even be detected – whether it’s seemingly innocuous spam, or insidious ransomware,” Chen said.
“Our experience tells us that in fact it is much longer than this, giving cyber criminals enough time to know your business better than your IT department.”
“Australian businesses are citing technology as their biggest downfall, but the question is if they’re setting themselves up for success.”
Chen pointed out that only two-in-five businesses have implemented six or more of the Australian Signals Directorate’s Essential Eight (ASD8) – developed by the Australian government as the best practical strategies designed to help mitigate cyber security incidents.
“Also, just 3 in 5 have been assessed for security risk management,” Chen said.
“There needs to be much more urgency accorded to being safe rather than sorry, and businesses need to better appreciate how their actions may affect the wider industry.”