When Should You Report a Cyber Crime?

With cyber-attacks only becoming more common, understanding your obligations in the event of an incident is more critical than ever. Failing to meet the relevant reporting laws can lead to hefty fines, regulatory action and reputational loss on top of the damage done by the incident itself, and for small and medium-sized businesses (SMBs) in particular, these consequences are often more than they can recover from. 

But when should you report a cyber crime? And what are the steps you should follow if you experience a breach?

Common Types of Cyber Crime

To understand your reporting obligations, it is first important to know what a cyber crime is likely to look like. There are hundreds of kinds of cyber-attack, but here are some of the most common.

  • Data Breaches: Often the consequence of one of the other attacks listed here, a data breach has occurred when data has been accessed, disclosed or lost without authorisation. This may include financial records, credentials and security configuration, or personal information about customers and staff. A lost laptop or an email sent to the wrong recipient is also a breach; an attack is not required. 
  • Ransomware: Malware that encrypts your data so that a criminal can hold it hostage for ransom. Most current ransomware groups also steal (exfiltrate) data before encrypting it and threaten to publish it, so a ransomware incident should be treated as a data breach as well, with the reporting obligations that follow from that. 
  • Distributed Denial of Service (DDoS) Attacks: These attacks disrupt a targeted server, service or network by flooding it with traffic from many sources at once, so that legitimate users cannot reach it. 
  • Insider Threats: Your own employees or contractors may misuse their legitimate access, whether maliciously (stealing sensitive information, sabotaging systems) or through carelessness (mishandling data, falling for phishing). Because the access was legitimate, these incidents are often harder to detect than an external attack.

When Should You Report an Incident?

The exact requirements for reporting a cyber crime vary, based on where you operate, what kind of organisation you are and what data was affected. In Australia there are two main bodies involved: the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, which handles cyber incident reporting through ReportCyber at cyber.gov.au; and the Office of the Australian Information Commissioner (OAIC), which administers the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. 

  • If you process the personal data of individuals in the European Union (for example by offering goods or services to people there, or monitoring their behaviour), the General Data Protection Regulation (GDPR) applies even if your company is not based in the EU. Under Article 33 you must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to them, you must also notify the affected individuals without undue delay. Document every breach, including any you decide not to notify, and your reasons.
  • If you have any reason to believe that serious physical harm to an individual could occur as the result of a cyber-attack, call 000 immediately.
  • If your organisation is the responsible entity for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018 (SOCI Act), reporting to the ACSC is mandatory, not just guidance: a critical cyber security incident (one having a significant impact on the availability of the asset) must be reported within 12 hours of becoming aware of it, and any other cyber security incident with a relevant impact on the asset within 72 hours. Confirm the current timelines and procedure with the ACSC, and keep a record of what you reported and when. 
  • For other businesses, reporting to the ACSC through ReportCyber is voluntary but strongly encouraged; reports help the ACSC warn others and may get you assistance. Separately, if your business is covered by the Privacy Act (generally those with annual turnover above AUD 3 million, plus some smaller entities such as health service providers) and personal information has been lost or accessed without authorisation in a way likely to result in serious harm, the NDB scheme requires you to notify the OAIC and the affected individuals as soon as practicable; you have up to 30 days to assess whether a suspected breach is notifiable. Cyber insurance policies and customer contracts often carry their own notification deadlines, so check those as well. 

What Steps Should You Take?

In the event of a cyber incident, there are certain steps you must take for an effective response.

  1. Identify the nature and scope of the cyber-attack, then contain it: isolate affected devices from the network, disable compromised accounts and block the attacker's infrastructure, to limit the damage the attack can cause. Do this before anything else, but preserve evidence as you go: keep logs, take images of affected systems where you can, and do not wipe or rebuild machines before forensic evidence has been collected, since you will need it for the report and for working out how the attacker got in. 
  2. Determine the potential impact of the attack on your business, stakeholders, staff and customers, including what data was accessed and whether that is likely to cause harm to the people it relates to, since this decides which reports are mandatory. 
  3. Report the incident to the relevant authorities within the applicable deadline. Provide detailed information about the attack, including when it occurred and when you became aware of it, the point of origin, the type and volume of data compromised, and any steps you have taken. Keep a copy of everything you submit. 
  4. If individuals such as customers have been affected by the attack, inform them once you know enough to give useful advice. Your communications should say what happened, what information was involved, and what they can do to protect themselves, for example changing passwords, watching for phishing that uses the stolen details, or monitoring their accounts. 
  5. Restore data from known-clean backups, remove malware and any attacker persistence from company systems, rotate credentials that may have been exposed, and strengthen your cyber security measures. Conduct a thorough review to determine how the incident occurred and how it can be prevented in future. 

Fulfil Your Obligations with Confidence

For many SMBs, it is difficult to be confident that their understanding of the laws and regulations governing their industry is correct. But fulfilling your obligations, in this case, is simpler than you might expect, and it is necessary in order to prevent severe consequences.

Platform 24 offers comprehensive IT consultancy services, helping you navigate regulatory compliance with ease and confidence. We take the stress out of understanding your obligations, allowing you to focus on more pressing matters. Discover our IT consultancy services today.

1300 602 480