Like deer caught in the headlights, many Australian organisations are likely to be somewhat startled or confused by the new mandatory data breach laws coming into effect in just a few weeks. While some may be unclear as to whether the laws will apply to them, others may be uncertain of the steps they should take to ensure compliance.
From February 22, all organisations presently covered by the Australian Privacy Act will also be covered by the Notifiable Data Breaches (NDB) scheme. This means that, should personal information held by an organisation be involved in an eligible breach that’s likely to result in serious harm, it must notify every individual involved.
The new requirements will affect every organisation with an annual turnover of more than $3 million. Exemptions include health services providers, not-for-profits, credit agencies and political parties.
Planning and preparation are key
Faced with such requirements, it is crucial for all organisations who are affected by the NDB scheme to prepare – and the best time to start doing so is right now.
Based on my experience in helping a wide range of organisations build a solid cyber security foundation, there are 10 key steps all organisations should be considering when it comes to IT and data security. These steps are:
- Understand what data is being held: Ensuring effective protection of data must begin with knowing what is being held, where and how it's being stored. Undertake a full audit of all data across your organisation and determine their locations, content and criticality. Where possible, consider combining or reducing these stores to reduce the potential attack surface for criminals.
- Review existing security measures: Once all data – particularly personal data – has been located, do a full review of any protective measures already in place. Consider who has access to the data and by what means, identify any security gaps and obtain expert advice on how these can be closed.
- Undertake remediation: Move quickly to deploy necessary tools and processes to ensure the stored data is as protected as possible. This could involve upgrading existing security tools or deploying new technologies (such as encryption). There is no 'one-size-fits-all' approach that can be taken here, so ensure the measures match your organisation's particular security requirements.
- Develop and test a breach response plan: Even with solid security defences in place, organisations still need a plan for what happens should a data breach occur. Consider how those affected will be notified and what steps will be taken to remediate the data store. Once in place, the plan should be tested on a regular basis to ensure it will work when it is required.
- Undertake staff training: All too often, data breaches occur not because security technology failed but through the actions of staff. It could be the opening of an infected email attachment, the insertion of a rogue USB drive, the loss of a laptop in a taxi or the inadvertent distribution of personal information to external parties. Regular training sessions should be held for all staff so that they understand the risks being faced and their roles in ensuring data remains secure at all times.
- Deploy two-factor authentication: One of the best ways to strengthen secure access to personal information is through the use of two-factor authentication. This means that, should passwords or log-in credentials be compromised, unauthorised access to data is still prevented.
- Properly manage patches and updates: Cyber criminals often leverage weaknesses in IT systems that arise when software patches and updates have not been properly deployed. Have processes in place to ensure that patches for operating systems and applications are rolled out as soon as they become available. This should happen both on the central servers housing the data and on the client devices used to access it.
- Adopt a policy of 'least privilege': Restricting access to data can help to strengthen protection. Ensure all staff have access only to the data they require to complete their role. Unfettered access to all data should be restricted to those who actually require it.
- Ensure senior management buy-in: Perhaps the most important step to take is to ensure senior management are on board and are seen to be leading the organisation's data security strategy. A top-down approach will encourage all staff to view the issue seriously and do whatever they can to reduce the likelihood of a breach.
- Consult an expert: IT security is a complex and constantly changing field. If an organisation doesn't have the required security skills and experience in-house, it should turn to an external party to provide guidance and advice.
By following these steps, organisations can be as well placed as possible to reduce their chances of experiencing a data breach. Should one occur, they will also have the necessary processes in place to quickly overcome the setback and minimise any potential fallout.
Australia's new mandatory data breach laws may seem daunting. However, through proper preparation and ongoing monitoring, the likelihood of falling foul of them will be significantly reduced. And, while staying on top of your organisation's cyber security may seem like a never-ending loop, there are many trained cyber security experts out there – such as the team at Aura Information Security – to help make sense of what your organisation needs to do in order to stay one step ahead.