Within the next year, Australian business will be subject to a mandatory data breach notification scheme following the passage of legislation through the senate earlier this month. The legislation covers government agencies and organisations governed by the Privacy Act as well as businesses with a turnover of more than $3 million a year.
Organisations that determine they have been breached or have lost data will by law need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach. But how aware is Australian business of the extent of the security threats they currently face?
Around the world, data breaches have become a regularly reported issue during the past few years. Organisations from large retailers and service providers to government departments have all fallen victim to attacks. As a result, the personal details of millions of people have been compromised.
The legislation is designed to encourage Australian corporations to tighten their digital defences and ensure any data they retain is securely stored. Yet, while the motivation behind the legislation is sound, the preparedness of many organisations leaves a lot to be desired.
The evolving threat landscape
One of the biggest challenges for organisations is gaining an understanding of the constantly evolving cyber threat landscape. Security is not a set-and-forget exercise and knowing the types of threats being faced is critical.
One example is the rising number of ransomware attacks being reported by organisations of all sizes. Often introduced through a targeted phishing campaign, ransomware code encrypts data stores with the attacker then demanding payment in exchange for the decryption key.
Other attacks focus on obtaining access to valuable data, such as customer records, credit card details and sensitive business information. Once obtained, this data can quickly find its way onto the black market.
These attacks can occur in the form of Trojans or worms that infiltrate an organisation's IT infrastructure and provide attackers with remote access to core systems. Such attacks can often occur without the knowledge of the target, which means attackers can have widespread access without restriction for extended periods.
A business problem
Organisations need to realise that digital security is no longer a technology issue - it's a business issue. Where once it was sufficient to leave security to the IT department, it must now be high on the priority list for all senior management.
The planned breach notification legislation, likely to come into force later this year, will require organisations to report when they have suffered a data breach. The impact this could have on their reputation and ongoing business operations could be very significant. Ensuring the best possible security protection mechanisms are therefore in place is vital.
The steps an organisation should follow to ensure it has in place an effective security program include:
1. Undertake a security audit
The first step is to gain a clear picture of the security tools and procedures that are currently in place. This includes reviewing everything from firewalls and anti-virus tools to system log-in procedures and remote access channels. An external security expert should be retained to help with this process and provide advice on any additional measures that might be required.
It is also important to have a clear picture of exactly what sensitive data is being kept and where it is stored. It can be extremely difficult to respond to any breach if there is a lack of knowledge about what might have been compromised.
2. Monitor the threat landscape
The nature and capability of digital threats is constantly changing. For this reason, it is important for senior management to remain up-to-date with the latest developments. Maintain an open dialogue with your security vendor, suppliers, partners and customers to ensure that new threats can be recognised as soon as they appear. Having a proactive strategy is much more effective than relying on a purely reactive approach.
3. Regular patching
Organisations rely on software and having the latest patches in place is a vital piece of the security jigsaw. All devices and applications should be regularly reviewed to ensure they have had the latest updates applied. Particular attention should be given to mobile devices which connect to centralised applications and data stores.
4. Review the use of Administrator rights
Administrator rights allow a user to make changes and access features within an IT infrastructure that would normally be off limits. In many organisations, this level of access is given to a wide group of people, from senior managers to developers. If an attacker manages to compromise the account of a person with admin rights, they automatically have access to the entire IT infrastructure of the organisation.
However, the truth is that most people don't require Administrator rights to complete their day-to-day work. By reducing the number of people who do, the risk of compromise can be significantly reduced.
5. Formulate a response plan
Even if all security preparations have been completed, there is still a chance an organisation may fall victim to a cyber criminal. For this reason, having a response plan in place will ensure that remediation can be completed as swiftly as possible should an attack take place.
The response plan should be regularly reviewed to ensure it covers new systems, data stores and users as they join the organisation.
6. User education
Perhaps the most important component of an effective security program is the proper education of users. All must understand the risks that are being faced and the steps they need to take to minimise those risks.
The education process should not be a one-off event, but take the form of ongoing training to ensure that security is top of mind for everyone in the organisation.
By following these steps, organisations can be confident they are best prepared to remediate cyber attacks that could result in data breaches and the soon-to-be-legislated requirement to declare such incidents publically. Making digital security part of an organisation's DNA should be high on the to-do list for everyone.