Notifiable Data Breach law takes effect
Australia’s Notifiable Data Breach (NDB) legislation is now in effect, but many organisations remain unprepared to deal with the new mandatory reporting rules and will need to make wide-reaching changes to their security policies and practices.
The NDB scheme applies to all Australian government agencies as well as all businesses and non-profit organisations governed by the Privacy Act.
These include all organisations with an annual turnover of more than $3 million, plus a number of smaller businesses including health service providers, businesses that buy or sell personal information, credit reporting bodies and government-contracted service providers.
Failure to comply with the new legislation will put companies at risk of fines of up to $1.8 million for organisations and $360,000 for individuals, which could be crippling to a smaller company.
Any data breach that involves the exposure of personal information likely to result in serious harm must be disclosed to both the Office of the Information Commissioner and to affected individuals.
The scheme also requires organisations to make a “reasonable and expeditious” assessment of any suspected data breaches within 30 days of becoming aware of a potential incident.
The impact of the scheme could be wide ranging — research from Forcepoint published last year found that more than 90% of ASX-listed businesses, government departments and large NGOs were exposed to a data breach in 2016.
Are you ready?
The NDB scheme passed the Senate in May after being introduced in 2016. The previous government had attempted to pass its own version of the scheme in 2013, but it failed to pass the Senate.
But while the NDB legislation has been a long time coming, many Australian organisations remain ill-prepared. Recent research from Canon Australia found that three in five businesses that will be governed by the new legislation are unaware of the scheme and what it means for them. This increases to four in five for small businesses.
A CyberArk survey from December found that 50% of organisations did not fully disclose data breaches to customers, 44% are only partly prepared to meet the guidance timings for a breach investigation and notification, and 41% of Australian business leaders report not having sufficient knowledge about security policies.
Similar research from consultancy MinterEllison indicates that just 40% of Australian organisations have prepared for the NDB scheme by reviewing their policies, data breach response plans and security controls. In addition, only 54% of organisations have a cyber risk response plan in place, although uptake of cyber insurance has grown from 39% in 2016 to 62% in 2017.
“Our findings show that while most Australian organisations are well aware of cyber risk and the need to address it, much remains to be done to increase their resilience to meet requirements of the NDB Scheme,” said Paul Kallenbach, MinterEllison partner and head of cyber security.
“Our firm recommends organisations focus on understanding and documenting their data and information flows; prepare, test and update their incident response plans; and provide regular training to staff at all levels. It’s vital they do this, as cyber attacks are here to stay and pose a serious risk issue for government and business.”
Chris Hockings, IBM Security master inventor, said many organisations will struggle to find the skills needed to detect and respond to data breaches.
“With the increased accountability of boards to cybersecurity incidents, an organisation requires a proactive security approach. To meet the obligation of the Privacy Act and to meet customers’ expectations, acting with speed and precision are essential,” he said.
“The introduction of Australia’s Notifiable Data Breach scheme is a welcome addition to our ongoing fight against cybercrime, and for it to be a success requires all businesses to take a renewed approach to managing their security defences, to ensure that personal information is adequately protected. IBM recommends businesses in Australia build a risk-based approach to cybersecurity around three pillars — detect, protect, respond.”
Always prepared
Splunk area VP for ANZ Simon Eid added that the scheme should serve as a reminder that organisations should constantly be reviewing their security infrastructure.
“Now is the time for the C-suite to consider whether they need to shift their approach to security within the business as a whole, in order to comply. By taking steps now to ensure data is secured and managed appropriately, organisations can decrease the likelihood of a data breach,” he said.
“Having access to and analysing all data is integral to detecting where a data breach may have occurred. The next step is implementing a clear data breach response plan so the right people can take steps to mitigate the situation, which includes notifying individuals whose data has been exposed.”
According to Centrify senior director for APAC sales Niall King, a response plan should be guided by the answers to six questions, the first of which are who is responsible for the potential corporate impact of a data breach and who is responsible for preventing data breaches.
Other pertinent questions are whether passwords being used by employees are strong enough, what happens when IT security is breached, what happens to security credentials when an employee leaves a company and how prepared an organisation is for the NDB scheme.
Even those organisations that are making efforts to improve their security posture may be focused on the wrong areas. A survey from Fortinet indicates that poor security hygiene is the root cause of a substantial portion of data breaches, with respondents stating that 31% of breaches experienced in the last two years were the result of social engineering, ransomware and email phishing.
But only 15% of Australian IT decision-makers (ITDMs) ranked employee training as their top cybersecurity investment priority, and just 20% nominated implementing security policies and processes.
“ITDMs continue to prioritise the maintenance and upgrade of their cybersecurity solutions in an attempt to combat today’s cybersecurity adversaries. Although important, other security best practices within their broader cyber and technology strategy are still missed opportunities,” said Patrice Perche, Fortinet senior executive vice president for worldwide sales and support.
“In particular, the urgency to prioritise security hygiene, educate with broader awareness or implement security approaches that leverage automation, integration and strategic segmentation is critical to defend against the highly damaging internet attacks possible in our near future.”
Risk profile
Australian millennials in particular display an alarmingly laissez-faire approach to security in the workplace, Forcepoint research suggests.
A survey from the company found that 72% of young Australian adults have connected to public Wi-Fi at coffee shops and airports, 37% shared passwords with non-family members, 63% click on links even if they aren’t sure the source of the link is legitimate and 56% of tablet owners do not secure their device with a password.
“Compliance with the NDB scheme is only the beginning. The true success of this new law will be judged on the behavioural and cultural shifts that it seeks to drive within our organisations,” said Guy Eilon, Forcepoint Australia country manager.
“The blending of our work and personal data on mobile devices, growth of cloud services and carefree data protection attitudes that permeate our workforce have seen traditional network perimeters dissolve and data visibility diminish. At best, this moment of legislative history should spark a step-change in the way we secure data — moving from a threat-centric to a human-centric approach; one that protects data at the human point — the intersection of users, data and networks.”
Another concern for Australian businesses needing to comply with the scheme is overlooking the need to ensure security of their information stored on third-party cloud services. The recent news of Tesla’s Amazon Web Services account being hacked and used to mine cryptocurrency shows that companies are at increasing risk of being hacked through third-party cloud providers.
“Cloud systems tend not to be covered in risk audits because the providers fall outside of the company’s network, but more often than not, this is how hackers manage to infiltrate businesses. Furthermore, in cloud deployments, there is always a shared responsibility model. That is, what are you responsible for, and what is the provider responsible for in terms of security,” Sense of Security COO Murray Goldschmidt said.
“The fixes to these problems are normally very simple — they are just configurations that need to be improved to more secure settings. Starting from this Thursday, organisations will need to place greater effort in conducting more ongoing automated scanning and testing to determine if they are prone to attacks.”
Finally, Adam O'Neil, Y Soft managing director for Australia, noted that even Australian organisations not covered by the Privacy Act may need to get more serious about privacy, with Europe’s far-reaching General Data Protection Regulation (GDPR) due to come into effect in May.
“While the Australian regulation generally applies mainly to organisations covered under the Privacy Act, the GDPR requires all organisations that do business with any European entity to comply. That means an Australian business that’s not covered by the Australian regulations may still be subject to the European legislation, according to the Office of the Australian Information Commissioner,” he said.
Strategies for navigating Java vulnerabilities
Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...
Not all cyber risk is created equal
The key to mitigating cyber exposure lies in preventing breaches before they happen.
How AI can help businesses manage their cyber risks
Artificial intelligence can be a powerful ally in the fight against cyberthreats.