Forcing organisations to report is a useful stick to make them get their cyber security house in order. When implemented, this Act will provide a higher quality of data to drive national security policy-making. Organisations that are concerned about whether an incident is ‘significant’ should control the language used to talk about it, only calling it an incident when they are certain that is the case.
To avoid this situation, organisations should minimise the number of internet-facing assets; close unneeded open ports; identify all physical and digital elements that are accessing the network; and identify and prioritise for remedial action the vulnerabilities within their internet-facing software.
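The two checks described above (unapproved internet-facing listeners, and vulnerabilities ranked by exposure before severity) are simple enough to automate once an asset inventory exists. The following is an added example written for this page, not code from the original text or from any regulator; the hosts, ports, services and scores are a constructed sample, and the approved-exposure list stands in for whatever an organisation has actually signed off.

```python
"""Attack-surface review over a constructed asset inventory (added example).

Two questions a defender asks of an internet-facing estate:
  1. Which listeners are reachable from the internet but were never approved?
  2. Which vulnerabilities should be fixed first, given that exposure?
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    service: str
    internet_facing: bool  # bound to a publicly routable address


@dataclass(frozen=True)
class Vuln:
    host: str
    service: str
    cvss: float          # CVSS base score, 0.0-10.0
    exploit_known: bool  # public exploit code or in-the-wild exploitation reported


# Constructed sample data; every host, service and score here is invented.
# (host, port) pairs the organisation has explicitly approved for exposure.
APPROVED_EXPOSURE = {("web-01", 443), ("mail-01", 25), ("vpn-01", 443)}

LISTENERS = [
    Listener("web-01", 443, "https", True),
    Listener("web-01", 22, "ssh", True),       # admin access left on the edge
    Listener("web-01", 3306, "mysql", True),   # database bound to a public address
    Listener("mail-01", 25, "smtp", True),
    Listener("vpn-01", 443, "https", True),
    Listener("db-01", 5432, "postgres", False),  # internal only
]

VULNS = [
    Vuln("db-01", "postgres", 9.8, True),   # severe, but not reachable from outside
    Vuln("web-01", "https", 7.5, False),
    Vuln("web-01", "mysql", 6.5, True),     # exposed and weaponised: fix first
    Vuln("mail-01", "smtp", 5.3, False),
]


def unapproved_exposure(listeners, approved):
    """Return (host, port, service) for internet-facing listeners not on the approved list.

    Anything returned is either an unneeded open port to close, or an omission
    in the approved list that someone has to own.
    """
    return sorted(
        (l.host, l.port, l.service)
        for l in listeners
        if l.internet_facing and (l.host, l.port) not in approved
    )


def exposed_services(listeners):
    """Set of (host, service) pairs that are reachable from the internet."""
    return {(l.host, l.service) for l in listeners if l.internet_facing}


def prioritise(vulns, listeners):
    """Order vulnerabilities for remediation.

    Ranking: internet-facing before internal, then known exploit before none,
    then descending CVSS. Exposure outranks raw severity because the attacker
    cannot reach an internal-only service without first getting a foothold.
    """
    exposed = exposed_services(listeners)

    def rank(v):
        return ((v.host, v.service) in exposed, v.exploit_known, v.cvss)

    return sorted(vulns, key=rank, reverse=True)


if __name__ == "__main__":
    print("Unapproved internet-facing listeners:")
    for host, port, service in unapproved_exposure(LISTENERS, APPROVED_EXPOSURE):
        print(f"  {host}:{port} ({service})")
    print("Remediation order:")
    for v in prioritise(VULNS, LISTENERS):
        print(f"  {v.host}/{v.service}  cvss={v.cvss}  exploit_known={v.exploit_known}")
```

In practice the `LISTENERS` list would be populated from an external port scan of the organisation's own address ranges reconciled against the host-side inventory, so that an asset nobody knew about shows up as a listener with no owner rather than being silently absent.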
Residual risks can be managed by implementing appropriate security policies, detecting and responding to threats proactively, and regularly testing and validating the security incident response plan.
Since phishing accounts for 90% of all data breaches, organisations should conduct regular employee training on phishing awareness; implement multi-factor authentication where they can, or enforce strong passwords where they can’t.