Australian businesses have been tested massively this year in terms of cyber security, with an increasing number of high profile businesses in the spotlight for all the wrong reasons. Not only are businesses at risk of irreparable damage to their brand’s reputation, but data breaches have a costly consequence – a study from Ponemon shows a data breach costs Australian businesses $2.51 million on average.
The year ahead will see some massive changes in this space, with mandatory reporting for the Notifiable Data Breaches Act coming into effect in February and the EU GDPR arriving in May. As Australian organisations adapt to these initiatives, the way they do business will also change. While businesses protect themselves externally, they also need to consider how they are handling their internal security.
It’s a good time to stop and take a look at what else companies should be aware of – particularly when it comes to security – in the year ahead. What businesses need to watch in 2018:
Biometrics Bubble Up
Thanks to Apple and the launch of the iPhone X, we’re now facing more interest in facial recognition, as we did with fingerprints and the iPhone 5s. Predictably, within hours of its release, pundits have ‘cracked the code’ of Facial ID, fooling it into unlocking with masks, identical twins and even generations with similar facial structures. Rather than function as a primary security factor, Facial ID will serve as an identity assurance signal: by itself, it's not perfect, but as a signal paired with, say a password and a device certificate, it serves a stronger assurance that you are who you say you are. And, where convenience plays a part, it can make some inroads into our daily lives.
As part of overall improving authentication, ‘multi-factor authentication’ (the requirement that you use two different methods to prove you are who you say you are, especially important in the face of all this year’s breaches…), will play an even larger role overall – and biometrics will add to the mixture of different types of authentication factors, which include what you know (i.e. a password), what you have (i.e. your phone, think a text message with a code; or another physical token like a Yubikey), and now, what you are (i.e. your fingerprint or face).
Data Breach Preventative Measures to Rise
The changes to the Notifiable Data Breaches Act (2017) in Australia, switching from voluntary to mandatory reporting on February 22, 2018, will usher in a new era of pro-activity around data protection. Senior leaders at businesses in Australia will be mindful of their reputation and take more stringent measures to prevent data breaches as much as possible.
These follow on from high profile leaks affecting Australia and beyond: some concealed, others more transparently handled throughout 2017, with Uber, Yahoo!, and Equifax as just a few. According to Verizon’s Data Breach Investigation Report, the primary access point for data breaches remains stolen or weak credentials (at 81%). In addition to the federal breach prevention legislation, expect actions to be taken across businesses in Australia to limit the potential for credential based attacks – including partnering with companies like Okta to ensure credentials are air-tight and secure between the various cloud networks.
Security Testing: Crowd Sourced or Accredited -
Australia’s best tech success story, Atlassian, held its first bug bounty in 2017 in partnership with Bugcrowd. Locally, companies have only just started to experiment with this style of security testing, partnering with third party ‘white hat’ hackers to test apps and products with any bugs found given rewards. It’s a fast way to level up the security aspects of apps and services and help with speed to market for Australia’s growing interest in apps and devices. More qualitative penetration testing with credible partners will still continue to grow in its usage, but we’ll see bug bounties start to play a regular role in securing connected products and apps from businesses in Australia.
Data Ownership: Just who owns what?
With momentum gathering behind the widest changes to privacy this year – the GDPR in the EU – the question of who owns what data has been thrown around. The EU citizen will now be the owner of their data once this new framework kicks in, which raises a number of challenges for organisations around consent, access rights, portability and the right to remove data.
The impact of this is likely to spread to other regions beyond the EU as various countries determine the concept of who owns their general data – and open a conversation to whether or not the concerns should lie in data ownership, or data access. With the volume of data increasing exponentially and the traditional boundaries of ownership eroding thanks to the rise of intelligent and connected devices, we expect to see the conversation shift to focus on which entities are allowed access to information.
About the author:
Graham is Okta's first Vice President of Australia Pacific, bringing with him more than 22 years of enterprise software sales experience, specialising in identity management. He is responsible for establishing and growing Okta's operations in the region. Prior to joining Okta, Graham spent several years working in distribution and channel marketing throughout Europe before serving as Regional Sales Director for Oracle in Australia. In this role, Graham was responsible for establishing the identity management and security divisions for Oracle in Asia Pacific.