Security breach

Smart CIOs are making plans today to protect their customers, and their brands, from long-term damage tomorrow

It’s unlikely 2011 will go down in history as a great year for information security. The year is barely half over but already we have witnessed some of the largest hacking attacks since the advent of computing. So far, media organisations, game companies, banks and governments have all been the targets of large-scale attacks by international hackers, with big-name brands like Sega, Nintendo and Citigroup, as well as large public organisations like the CIA and the Malaysian government, all suffering cyber attacks in recent months.

In late April, Sony Entertainment’s PlayStation online gaming network was the target of perhaps the largest hacking attack in history, compromising the details of as many as 100 million customers. Closer to home, Australian telecommunications company Vodafone was the subject of an inquiry by the Privacy Commissioner, Timothy Pilgrim, after an alleged security breach.

Even the security providers themselves are not immune. In March, information about RSA’s SecurID authentication tokens — which are used by many of Australia’s largest banks and government agencies — was stolen in what the company described as an “extremely sophisticated cyber attack”.

Read more about security in CIO’s 2011 Global State of Information Security Survey.

In RSA’s case, the company was the victim of an ‘advanced persistent threat’ (APT) attack, a complex cyber attack which usually requires knowledge of a company’s network, employees and various inner workings.

But data breaches don’t have to be sophisticated to cause severe, costly damage to a company’s business or brand. Low-tech causes such as simple human error or disgruntled employees are responsible for many data breaches, a risk that continues to rise as portable devices such as USB sticks, laptops, tablets and smartphones, which are easily lost or stolen, spread rapidly throughout organisations. In June, for example, the Australian Institute for Company Directors (AICD), a high-profile peer organisation for local company directors, warned members to be alert for identity fraud after announcing a laptop was stolen from its offices during a power outage.

According to research conducted by Symantec and the Ponemon Institute, the average cost of significant data breaches reported by Australian organisations was about $2 million in 2010. It is only the tip of a very large iceberg, however. Once news of the breach at Sony reached investors, for example, the company lost about $2 billion in market capitalisation overnight. Numbers like that are enough to keep any CIO awake at night.

The legislative landscape

The European Union and Canada have laws requiring mandatory disclosure and notification of a data breach, as do most US states. Australia, however, has no such requirement — at least not yet.

In August 2008 the Australian Law Reform Commission tabled ALRC Report 108, Australian Privacy Law and Practice, which represents the culmination of a 28-month inquiry into the Privacy Act and related laws. The result is a three-volume report containing 74 chapters and 295 recommendations for reform. Despite a multitude of recommendations, including calls for mandatory notification of data breaches, the proposed changes have languished in limbo for nearly four years. In fact, Australia’s Privacy Commissioner was effectively demoted last November when the role was folded into the office of the Australian Information Commissioner, a move that privacy advocates view as an unfortunate indicator of the poor status privacy issues have among local regulatory bodies.

“One can only guess about the reasons for the delay in implementing these recommendations, but the government doesn’t appear to think privacy issues need to be resolved with any sense of urgency,” says David Vaile, executive director of the Cyberspace Law and Policy Centre at the University of NSW, which contributed several submissions to the ALRC report.

“It’s a pity this is the situation, because social networking and Cloud computing are making personal information security issues more critical than ever,” Vaile says.

“There are many areas where this failure to implement the proposals from the ALRC 108 report is detrimental, particularly in e-health, where these kinds of policy problems have serious ramifications.”

Australian law might be weak in the area of data breach notification, but that doesn’t mean local CIOs should feel secure that news of a breach at their organisation won’t go public. Modern commerce doesn’t recognise borders, and if an Australian company does business worldwide there’s a good chance it will be subject to mandatory disclosure legislation in another country. Information about breaches has also been known to be provided to the media by affected customers or leaked by disaffected employees.

The fact is, Australian companies risk public disclosure if they lose personally identifiable information — whether regulators force them to or not. And if that happens they are likely to suffer a catastrophic fall from grace with their customers.

