Lax attitudes to NDB legislation, CompTIA says

Monday, 11 March, 2019

Nearly one-quarter of organisations have not changed their security policies to comply with Notifiable Data Breach (NDB) legislation, according to a CompTIA survey.

The research shows that since the introduction of the NDB Scheme in February 2018, 23% of organisations have not made changes and a further 35% are unsure whether their organisation has made changes.

According to the Office of the Australian Information Commissioner (OAIC), more than one-third of companies that had data breaches in the past quarter passed on private customer information because of simple human mistakes.

“With human error accounting for a large proportion of breaches, it is concerning that some people are not even aware of whether their company has changed its policy to comply with the NDB. Education and awareness need to play a critical role in protecting customers and mitigating risk,” said James Bergl, CompTIA ANZ Channel Community executive council member and director of sales, APAC, Datto, Inc.

When it comes to incident response, 37% of respondents said their organisation did not have formal policies and procedures, but relied on unwritten rules that were typically followed. A further 14% did not have policies and procedures addressing security incident responses.

In the July–September 2018 quarter, 245 breach notifications were reported to the OAIC.

“These breaches are happening, and will continue to do so, which means organisations need to take the threat seriously and make sure they are compliant with the legislation,” said Bergl.

According to the respondents with formal response plans, these included: roles and responsibilities for addressing the incident (90%); complete backup/recovery plan including prioritisation of systems (80%); identification of affected systems (75%); identification of attack (74%); education on how the incident occurred and future mitigation strategies (73%); and a public communications plan if customer/partner data was affected (55%).

“Most businesses think they are in control of security. However, the reality is quite different for many. It can be easy to forget how dynamic the danger is, and cybercriminals rely on this complacency,” said Bergl.

“A security risk assessment is an effective way for businesses to assess their current posture. Businesses should treat information security risk assessments as an ongoing process of discovering, correcting and preventing security problems.”

Image credit: ©stock.adobe.com/au/Nmedia

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.