All businesses have a responsibility to protect the privacy of customers, staff, and anyone else they hold sensitive information about.
Payroll is a good example of this, as you need tax file numbers, dates of birth, addresses and salary information to do the job properly.
Protecting this information requires firewalls, anti-virus software, good login and password practices, and a host of other controls. These controls extend beyond the boundaries of your business, as you are part of an information supply chain – because you often have to share sensitive information with other organisations to get work done. Again, payroll is a good example. You may be sharing information with your accountants, Vision Super, the ATO and your bank. You rely on all of these parties to maintain the privacy of your staff.
We’ve had a very strong reminder of this recently with the ‘SolarWinds’ attack that has targeted the US Treasury, the Department of Commerce and others. (If you are interested, there are links to news stories about this here and here.)
This attack was a big deal. Everyone in the cyber security world is taking it seriously and a lot of resources are being turned towards understanding what has occurred and who has been compromised.
When Vision Super heard about these incidents the first thing we did was check our own systems to make sure we were not using any of the software that was part of this attack, which we weren’t. But that’s not enough – we also had to liaise with our supply chain, to be satisfied that all the other parties that we share information with were not impacted.
As part of your supply chain please be advised that we have checked both our systems and our supply chain. We are satisfied that we have not been impacted and that the privacy of our members has been protected – including information you may have provided to us. We continue to monitor this.
If you want to look at your own supply chain then we recommend two key steps:
- Look at your business processes and identify all of the third parties with whom you share sensitive data. Vision Super will be on that list, but there may be a number of other organisations.
- Reach out to each and ask them for assurance that this particular event has not impacted them.
If they are taking cyber security seriously then they shouldn’t have any issue answering this question. Vision Super will always welcome questions like this.