When you lock up your home, you don’t board up the windows or roll steel gates across the property to keep it safe. A simple lock isn’t difficult for a thief to bypass, but your home is protected by the bigger picture: the door lock combines with the alarm system, neighbours, perhaps a barking dog, the police and the law to deter intruders. Cyber security is much the same – networks (and the Internet) are multi-layered entities holding confidential data that needs to be protected by a multi-layered strategy. That means defence in depth and breadth.
To effectively protect clients’ and consumers’ personally identifiable information, intellectual property and other sensitive content, organisations must first decide what data should be treated as confidential. This will vary by industry. Once the data is classified and prioritised, rules must define which systems and personnel may access and use it. Together these factors make up a ‘data footprint’ – the bounds that constrain where the data may flow within the organisation, so that its exposure is kept to a minimum.
Once those parameters are established, organisations need to adopt the appropriate technologies to enforce them. These should be underpinned by a segmented (virtualised) network that contains only the approved systems and their approved communication paths. Segmentation separates business functions from one another and, just as importantly, means the systems that hold confidential data are not reachable from parts of the network that have no business need to talk to them, so an intruder who gains a foothold elsewhere cannot see or reach that data directly.
Finally, a set of day-to-day security practices needs to be implemented to reduce human error, whether that is curbing shadow IT (the use of unauthorised devices and applications on the network), defining data sharing restrictions, or simply telling employees what they can and can’t do with data.
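The three steps above (classify the data, place systems in network zones according to what they hold, and enforce who may talk to whom) can be expressed as a small, auditable policy. The following is an added example, not code from the article or any named product: a minimal Python model of a data footprint. The asset names, zone names, allowed flows and the connection records it checks are all constructed for illustration. It checks two things a practitioner wants to verify: that no system holding confidential data sits in a zone not approved for it, and that observed connections obey a default-deny flow policy, with connections from unknown assets flagged as possible shadow IT.

```python
"""Added example (not from the article): a minimal model of a data footprint.

Assets carry a data classification, zones carry a ceiling on what they may hold,
and an allow-list says which zone pairs may communicate. Observed connections
(constructed sample records) are checked against the policy, default deny.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # e.g. customer PII, the data the article says to prioritise


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    classification: Classification


# Hypothetical zone ceilings: the most sensitive classification each zone may hold.
ZONE_CEILING = {
    "dmz": Classification.PUBLIC,
    "user": Classification.INTERNAL,
    "app": Classification.INTERNAL,
    "restricted": Classification.CONFIDENTIAL,
}

# Hypothetical inventory: each system is placed in a zone according to the most
# sensitive data it holds. This is the "data footprint".
ASSETS = {
    "web-01": Asset("web-01", "dmz", Classification.PUBLIC),
    "app-01": Asset("app-01", "app", Classification.INTERNAL),
    "crm-db": Asset("crm-db", "restricted", Classification.CONFIDENTIAL),
    "laptop-7": Asset("laptop-7", "user", Classification.INTERNAL),
}

# Allowed flows as (source zone, destination zone, destination port).
# Anything not listed is denied: there is no catch-all "allow".
ALLOWED_FLOWS = {
    ("dmz", "app", 8443),
    ("app", "restricted", 5432),
    ("user", "app", 8443),
}


def misplaced_assets(assets):
    """Names of assets whose data classification exceeds their zone's ceiling."""
    return [
        a.name for a in assets.values()
        if a.classification > ZONE_CEILING.get(a.zone, Classification.PUBLIC)
    ]


def flow_permitted(src: Asset, dst: Asset, port: int) -> bool:
    """Default-deny check: allowed only if the zone pair and port are listed."""
    return (src.zone, dst.zone, port) in ALLOWED_FLOWS


def parse_connection(line: str):
    """Parse a constructed 'src dst port' connection record."""
    src, dst, port = line.split()
    return src, dst, int(port)


def audit(lines):
    """Return (record, reason) pairs for connections that violate the policy."""
    findings = []
    for line in lines:
        src_name, dst_name, port = parse_connection(line)
        src, dst = ASSETS.get(src_name), ASSETS.get(dst_name)
        if src is None or dst is None:
            # An endpoint that is not in the inventory is outside the footprint:
            # a candidate for shadow IT.
            findings.append((line, "unknown asset, not in inventory"))
            continue
        if not flow_permitted(src, dst, port):
            findings.append((line, f"{src.zone}->{dst.zone}:{port} not in allowed flows"))
    return findings


# Constructed sample connection records (source, destination, destination port).
SAMPLE_LOG = [
    "web-01 app-01 8443",      # allowed: DMZ to application tier
    "app-01 crm-db 5432",      # allowed: application tier to the confidential store
    "laptop-7 crm-db 5432",    # violation: user zone reaching the restricted zone directly
    "web-01 crm-db 5432",      # violation: DMZ reaching the confidential store
    "rogue-nas app-01 8443",   # violation: endpoint not in the inventory
]

if __name__ == "__main__":
    for name in misplaced_assets(ASSETS):
        print(f"MISPLACED {name}")
    for line, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION {line!r}: {reason}")
```

Run against the sample records, the last three are reported and the first two pass; an inventory entry such as a CONFIDENTIAL asset placed in the dmz zone would be reported by `misplaced_assets` before any traffic is looked at. The same shape (classification, zone ceilings, explicit allow-list, default deny) is what a firewall or cloud security-group review is checking, just with real addresses instead of names.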
But security doesn’t end with technology and policy. Organisations must be transparent with their stakeholders by adopting data disclosure directives that keep clients and consumers informed of threats and breaches. The Australian Government may soon pass legislation making breach notification mandatory, but as things stand there were only 110 voluntary data breach notifications made to the Office of the Australian Information Commissioner (OAIC) in 2014-15, and it is reasonable to assume that many more incidents were never reported.
A lack of breach disclosure not only risks the integrity, security and potential safety of trusting consumers, but inhibits the wider community’s ability to prepare for and prevent similar incidents from occurring.
In its 2015 Australian Privacy Index [PDF], Deloitte reported that 33 per cent of organisations had experienced a privacy issue relating to their customers’ data, while 18 per cent of individual survey respondents had received a notification after an organisation lost their personal data.
Perhaps surprisingly, given the fear around publicising a breach, Deloitte also found that 73 per cent of the public who received a breach notification trusted the organisation no less afterwards.
The reality is that there is no good reason for an organisation to hide a data breach, particularly if it can prove due diligence and solid forensics before and after the fact – as outlined in the strategies above.
And breach disclosure will only grow in importance as more and more devices are connected to networks in the Internet of Things, expanding the number of entry points through which an attacker can get into the network.
So in fact, attempting to sweep an incident under the rug could prove more damaging, particularly if it comes to light through other means or after a significant period of time. It shows blatant disregard as an owner of the confidential data, and is likely to have a more profound impact on the organisation. Should the Government’s proposed legislation go ahead as drafted, organisations will be forced to take security more seriously, adding to the breadth and depth of data security strategies to protect the home with multiple layers rather than a single lock.