Businesses that continue to prioritise perimeter security over data protection will face a day of reckoning when a perfect storm of new regulations comes into effect next year, security experts have warned as new research finds that more than half of Australian businesses admit they’ll fail to meet deadlines for compliance.
Fully 59 percent of the 1050 IT decision-makers polled in Gemalto’s Data Security Confidence Index 2017 (http://www2.gemalto.com/data-security-confidence-index/) said they believe all of their sensitive data is secure – but 65 percent said they were not confident their data would be protected should their network perimeter be breached.
These apparently contradictory opinions were reinforced by the finding that businesses were continuing to invest in perimeter security protections – 76 percent said they had increased investment in perimeter tools such as firewalls, antivirus, content filtering and anomaly detection – even though 68 percent believe that unauthorised users could access their network.
Those levels of compliance bode poorly for businesses that will face new regulatory burdens as Australia’s Notifiable Data Breaches (NDB) scheme kicks in next February – followed shortly by the imposition of mandatory PCI DSS compliance for organisations handling customers’ financial data, and then the May introduction of the European Union’s General Data Protection Regulation – whose home page (http://www.eugdpr.org/) already has a countdown clock noting the less than 320 days until the deadline.
Australian businesses may be unaware of their obligations under the GDPR (https://www.cso.com.au/article/621296/general-data-protection-regulation-gdpr-requirements-deadlines-facts/), which extend globally to any company holding information on EU citizens and may impose punishing fines for a breach (https://www.cso.com.au/article/620561/2018-gdpr-existential-threat-will-force-australian-boards-get-real-about-security/). Even when aware, fully 53 percent said they won’t be compliant with GDPR by the time it comes into effect.
Given that the incoming regulations are focused on protection of data rather than networks, says Gemalto ANZ regional director Graeme Pyper, it’s surprising that so many companies continue to rely on perimeter defences that they’re not even sure are protecting them properly.
“One side of the business says the perimeter is good enough and protecting us, but the other half said that if they do have a breach they’re open to compromise,” Pyper told CSO Australia. “It begs the question ‘Why are you spending so much money on your perimeter?’”
Internal protections tended to be even less robust, with the report revealing the “staggering” finding that most companies are still accessing network information and data stores using nothing more than a standard username-and-password combination.
Customer data was the most likely to be protected using two-factor authentication (2FA), but only 54 percent of such data was protected in this way. Passwords were more widely used, protecting 69 percent of company intellectual property and 60 percent of employee data. Biometric authentication was only used in around a quarter of businesses.
The heavy reliance on passwords remains a weak spot in data protection: if these are compromised, attackers can access any information in the network that is available to the compromised user account. This is particularly problematic – and raises further questions given the looming introduction of mandated changes under PCI DSS 3.2 (https://blog.pcisecuritystandards.org/pci-dss-32-is-here) next February – given that the report’s analysis of recent breaches found just 8% of breached data was encrypted.
“There have been stronger [2FA] access control methods in place for at least 20 years and there are still a large number of organisations that are still just using the basics,” Pyper said. “You can protect an organisation in its entirety from identity theft just by getting rid of weak passwords around the organisation, and by using something that is unique and can only be used once. It’s all about getting the basics right.”
For companies that don’t get the basics right, the NDB scheme is expected to generate a flood of breach disclosures in its early days: participants in a panel discussion at this week’s Data + Privacy Asia Pacific Conference 2017 (https://www.conveneit.com/secure/oaic/privacy_jul_17/) – which featured a host of experts including Australian information commissioner (AIC) Timothy Pilgrim – said they are expecting 20,000 data breach notifications under the GDPR scheme.
The influx of notifications is likely to lead to some significant penalties as the OAIC quickly shifts from education mode to enforcement mode, Nigel Phair, managing director of the Centre for Internet Safety, told the audience at the recent VMware Evolve conference.
“At the moment you’ve got an AIC who has been very generous with his work and his time,” he said. “But come that drop-dead date, the 12 months-plus of cajoling people along might change once the first investigation comes along.”
Phair noted the way companies jumped to action once revised Work Health Safety Acts threatened company boards with personal fines for work health and safety violations (http://www.companydirectors.com.au/director-resource-centre/publications/company-director-magazine/2014-back-editions/may/opinion-boards-face-the-rap-for-safety-breaches) – and expects a similar response once the OAIC shows its teeth.
“The concept of personal fines really piques people’s interest into doing something,” he explained. “And if that’s what it takes to get the extra spend and focus to do something, I’m all for it.”