Privacy commissioner Timothy Pilgrim has issued a direct warning to business and government agencies that they must take steps to protect citizens' personal information from the most recently discovered computer bug or risk breaching the Privacy Act.

The bug – dubbed Shellshock – was found in the Bourne Again SHell (Bash). It is a security hole that could be used by hackers to access or manipulate the data held in vulnerable systems. Bash is a widely deployed system, providing the coding framework for many applications developed for Linux, some Unix and potentially Apple computers.

Under the Australian Privacy Principles, organisations must take reasonable steps to protect the information they hold from misuse and loss and from unauthorised access, modification or disclosure. Last year, the Australian Privacy Commissioner found AAPT Limited breached the Privacy Act for failing to adequately protect customer data from unauthorised access after customer data held on servers hosted by IT contractor Melbourne IT was hacked and published online.

The traditional response to a computer bug that might render organisations' information systems vulnerable is that the tech-guys start billing overtime as they plug holes and patch software. But this time around the Privacy Commissioner has bought into the debate, signalling to senior executives that they can't abdicate responsibility to their tech teams.

Commissioner Pilgrim issued an alert within days of Shellshock being identified that reminded all organisations of their obligations under the Privacy Act 1988. These obligations include regularly monitoring the operation and effectiveness of ICT security measures to ensure they remain responsive to changing threats, vulnerabilities and other issues that may impact the security of personal information. "Where a vulnerability has been identified, patches and software upgrades should be rolled-out as soon as possible," he noted, also advising companies to keep a close eye on the recommendations from CERT Australia, the nation's computer emergency response team.

However, at the time of writing, not all the Shellshock patches have proved entirely successful and some organisations are still vulnerable. Even if watertight patches are developed for Shellshock, there will be other bugs and new vulnerabilities uncovered in the future.

At the same time, targeted and malicious attacks on enterprise computer systems are becoming more widespread.

Organisations are still getting over the Heartbleed bug first disclosed in April 2014, which allowed hackers to hijack passwords and access what had been considered secure records.

In September, hundreds of small businesses around Australia ground to a halt when unsuspecting employees clicked on links in emails that appeared to have come from legitimate sources, such as Australia Post. The links contained malware, which then effectively locked up computer systems and sent a demand for ransom in return for restored access.

A bogus email, purporting to have emanated from Apple, then did the rounds, suggesting that an account had been suspended and inviting users to click on a link that launched a virus onto their system. Similar suspect emails supposedly from banks are a daily hazard for the unwary.

Meanwhile, a concerted attack by hackers recently saw them hijack misconfigured computers in New Zealand to launch a distributed denial of service attack on a range of organisations across Europe, bringing some organisations to their knees.

Most modern enterprises are reliant on their information systems to conduct day-to-day operations. They also face rising compliance burdens from a variety of regulators regarding the integrity of those information systems, particularly regarding data privacy and security.

Not surprisingly, computer security is now a boardroom issue for enterprises of all sizes in all sectors.

A recent Fortinet global survey of 1,600 IT leaders found that two-thirds rated senior executives' awareness of IT security as "high" or "very high" compared to just 40 per cent a year earlier. Data privacy was identified as a particular concern, with 83 per cent of IT leaders saying that they planned to revise their approach to data protection as a result.

There is also mounting evidence that information security fears are starting to stifle corporate innovation. The Fortinet survey also discovered that 55 per cent of organisations had abandoned or delayed at least one new business initiative because of IT security concerns.

But as Timothy Pilgrim reminded Australian organisations, this issue demands eternal vigilance, high levels of technology scrutiny and investment, and ongoing training and awareness campaigns to ensure all staff are aware of the risks and consequences of data security failures.
