28 October
Credit: © George Davis 2021

Cyber Security Awareness

October is Cyber Security Awareness month. A good time to be reminded of our cyber security needs, especially as we’re all receiving more and more fake emails and texts to track deliveries, take up marketing offers and what not.  Cyber scams such as ransomware are on the rise with hackers gaining control of your data and demanding ransom before returning it to you.

Every time you send or receive an email, or upload information onto your system, you are dealing with data. Data is the information that is stored on your workplace systems, and includes: 

  • Personal information – information about individuals, including employees, artists, clients (e.g., name, photograph, address, credit information); and  
  • Commercial records – information about artworks and prices.

Artists and arts organisations should be aware of the risks associated with holding data.

Data Breaches

If data is not adequately protected, there is the risk that data breaches may occur:

  • Data breaches can be unintentional – e.g., due to human error. An example would be sending an email to the wrong address. Or,
  • Data breaches can be malicious – e.g., hackers can access databases through security flaws. Once a hacker has gained access to one system, they can access the whole network. A common example of hacking is phishing, where the hacker sends an email disguised as being from an official site or email address and designed to trick the victim into clicking a link or downloading an attachment which then deploys malicious software onto the victim’s systems.

It is in all our best interests to manage this risk, as it can cause:

  • Reputational harm: If you have a poor reputation for data governance, customers will turn to competitors instead, damaging your commercial interests.
  • Legal consequences: The Australian Privacy Principles (‘APPs’) under the Privacy Act may apply to your organisation. It is recommended that organisations comply with the APPs and apply the appropriate standards to data management.  If you want to find out more about the APPs, have a look at the Office of the Information Commissioner’s website which has some good summaries and an overview of the APPs.

The following APPs are particularly relevant to Art Organisations:

  • Privacy policy (APP 1): If you fulfil the criteria, you will need to have a privacy policy in place which includes information about how you manage personal information.
  • Collection of personal information (APP 3):  Organisations cannot collect personal information unless the information is ‘reasonably necessary’ for its functions or activities. If it is ‘sensitive’ information, the individual concerned must also consent to the collection. Sensitive information includes: information about an individual’s racial or ethnic origin, political opinions, membership of a political or professional association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual preferences or practices, health information and criminal record.
  • Use or disclosure of information (APP 6): Personal information may only be used or disclosed for a purpose for which it is collected, unless an exception applies such as the individual consented to the disclosure.
  • Security of personal information (APP 11): Reasonable steps must be taken to protect information from ‘misuse, interference and loss’, as well as from ‘unauthorised access, modification or disclosure’

How You Can Protect Your Data

Cyber security is the practice of having protections in place to defend systems and data against attempts by outside parties to gain access to and control over that data.

Some ideas for what you can do to protect your systems are:

Due Diligence:

As a starting point, you should perform due diligence on current practices and systems.

  • Identify any ‘gaps’ where information can be accessed by outside parties including website and social media access and whether there are suppliers with access to your systems.
  • Identify any slack workplace practices where multiple personnel can access a database of personal or sensitive information when they don’t need to use it. There should be security clearances (e.g. login required) in place so that not everyone can access all levels of the database. Access should be given on a need-to-know basis.

Data Register:

Set up a data register, which records what data is being collected and where it is stored. You may also consider having a register that shows employee training on privacy and data protection matters. 

Data Governance System:

To manage the security of your data, your organisation should have procedures in place that must be followed when dealing with data.

  • Develop internal policies and guidelines for staff (e.g. having multi-factorial authentication, protocols for sending/opening emails, etc.)
  • Ensure that staff are aware of the organisation’s privacy policy and all the terms and conditions on the website. This should form part of the induction process and regular training.
  • Implement oversight mechanisms that formalise responsibility and accountability for data:
    Be clear about who’s responsible for the oversight of the system – both on a day-to-day basis, and in terms of ultimate responsibility.
    Note that the whole of the Board will be responsible for cybersecurity due to directors’ duties under the Corporations Act.
    Consider appointing a Privacy Officer, who is the first point of contact for privacy matters in an organisation, and takes action for any privacy breaches. 

Clear arrangements with internal and external parties:

  • Ensure transparency with customers and artists, including having clear clauses in agreements about uses to which information will be put. Remember that the terms and conditions on your website are a contract between you and the user. 
  • If you engage external service providers, make sure your agreement has terms which cover things like: where the data will be stored and who is liable if there is a data breach. Engage External IT: Consider engaging an external IT consultant to further improve data management.  Have a cyber security specialist in mind in case things do go wrong.

What Happens if there is a Breach of Privacy Policy?

If there is a privacy breach, it must be reported to the Office of the Information Commissioner. This should be included in the privacy policy so that people (internally and externally) are aware of who to contact if there is a breach. 

The following four steps should be taken if there has been a breach: 

  1. Contain the breach: undertake risk management. For example, if it’s an email sent to the wrong address, immediately notify the receiver and ask them to delete it.
  2. Evaluate the associated risks: this would be undertaken by the Privacy Officer or a supervisor. 
  3. Notify the affected individual: You need to determine if the affected individual needs to be notified (e.g., if their credit card details are released, they would want to change their PIN, freeze the account, etc).  
  4. Prevent a repeat: training and reminding staff. 

Podcasts

Arts Law has done a podcast on cyber security which you can find here called ‘Lock the Doors and Check the Windows’.

And here’s an interesting podcast on cybercrime you might enjoy – the Darknet Diaries.  https://darknetdiaries.com/ See for example episodes 97 ‘The Pizza Problem’ and 98 ‘Zero-Day Brokers’. 

Cyber Literacy

There’s a very good quiz that only takes a few minutes to gauge your, and your employee’s, cyber literacy developed by the Australian Cyber Security Centre.  https://www.cyber.gov.au/acsc/view-all-content/programs/stay-smart-online/scam-messages/quiz