With the Notifiable Data Breaches (NDB) scheme now in effect, organisations turning over $3 million or more – or any organisation handling health, credit reporting or Tax File Number data – may be feeling less comfortable about their information security.
Having to disclose serious data breaches should be making you feel a little bit nervous. Many breaches that were previously “contained” will now become public. That disclosure, or lack of timely disclosure, could damage or even destroy an organisation’s reputation.
With the NDB scheme, boards and C-level executives are paying more attention to an organisation’s security posture. The fewer breaches they have to disclose, the better. The buck no longer stops with the Chief Information Security Officer. That means more appetite and top level sponsorship for information protection initiatives.
For most organisations, implementing a Privileged Account Management (PAM) solution will be the quickest, easiest and most effective way to reduce exposure against both internal and external threats. Organisations with existing PAM solutions should also find quick wins by scaling up their defences.
I would even go a step further. With the NDB scheme, having a PAM solution will quickly become an expectation of the general community and the Office of the Australian Information Commissioner (OAIC) responsible for the scheme.
“Reasonable steps” to secure personal information
The NDB scheme requires all organisations covered by the Australian Privacy Act to “take reasonable steps” to ensure the security of personal information. Those that fail to take reasonable steps to stop breaches, or to mitigate the harm they cause, face penalties and the potential for substantial reputational damage.
The OAIC’s Guide to securing personal information details a wide array of security practices. Organisations don’t have to take all possible steps to secure personal information, however, just reasonable ones. They can take into account the time and cost involved – factors the general community and the OAIC may also consider when breaches are notified.
With one solution, PAM implements many of the most effective measures in the OAIC Guide, including password management, multi-factor authentication, control of administrative privileges, limiting access to private information, early detection of a breach, and damage mitigation.
Privileged accounts are often referred to as the “keys to the kingdom”. Many high-profile data breaches have resulted from stolen and weak passwords that initially give hackers a foot in the door, which is then exploited further by gaining access to privileged accounts.
80% of breaches involve privileged accounts
Forrester estimates that 80 percent of data breaches involve privileged accounts that have been compromised or abused. A survey of hackers attending the 2017 Black Hat conference in Las Vegas revealed that compromised privileged accounts and email accounts were the preferred methods for gaining access to sensitive data.
Compromised privileged accounts give attackers elevated permissions, letting them move through an organisation’s network and systems to steal, poison and/or remove critical information. Because the attackers appear to be legitimate users of privileged accounts, they can carry out malicious activities for weeks or months without being detected.
With a PAM solution, organisations can quickly and easily discover all their human and non-human privileged accounts, who has access to them, and restrict access on a need-to-use basis. On top of that, you can take control of account passwords, enforce password policies, track their usage to alert organisations of potential abuse, and automatically trigger a password rotation based on an adverse event.
All of this is transparent to users, who no longer have direct access to account passwords, instead logging in through the PAM solution via multi-factor authentication. Without knowing passwords, users cannot lose them through social engineering attacks. Instead of having to remember multiple account passwords, they have one easy and secure access method to do their jobs. This improves user productivity, reduces the burden on support staff, and saves organisations money.
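To make the controls in the two paragraphs above concrete, here is an added example that is not Thycotic's code or any product's API: a small Python model of a privileged-credential broker. It enforces need-to-use entitlements, refuses check-out without a verified second factor, hands users a session token rather than the password itself, keeps an audit trail, raises an alert when one user checks out an unusual number of distinct privileged accounts, and rotates the affected secrets (invalidating live sessions) on that alert or on an explicitly reported adverse event. Every account name, user, entitlement and threshold is constructed for illustration.

```python
"""Toy privileged-account broker (added example, not vendor code).

Models the PAM controls described in the article: need-to-use access,
MFA-gated check-out, passwords never exposed to users, usage logging with
abuse alerts, and automatic secret rotation on an adverse event.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class PrivilegedAccount:
    name: str
    entitled_users: set
    # the secret lives only inside the broker; users never read it
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    rotations: int = 0


class AccessDenied(Exception):
    pass


class PamBroker:
    """Brokers privileged sessions without revealing account passwords."""

    # Constructed threshold: a user holding more distinct privileged accounts
    # than this in the audit trail is flagged as possible credential harvesting.
    MAX_DISTINCT_ACCOUNTS_PER_USER = 2

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.audit_log = []        # (utc timestamp, user, account, outcome)
        self.alerts = []
        self.active_sessions = {}  # session token -> account name

    def _record(self, user, account, outcome):
        self.audit_log.append((datetime.now(timezone.utc), user, account, outcome))

    def checkout(self, user, account_name, mfa_verified):
        """Return an opaque session token; the caller never sees the secret."""
        account = self.accounts.get(account_name)
        if account is None or user not in account.entitled_users:
            self._record(user, account_name, "denied:not-entitled")
            raise AccessDenied(f"{user} is not entitled to {account_name}")
        if not mfa_verified:  # mfa_verified is assumed to come from an MFA step
            self._record(user, account_name, "denied:mfa")
            raise AccessDenied("multi-factor authentication required")
        token = secrets.token_hex(16)
        self.active_sessions[token] = account_name
        self._record(user, account_name, "checkout")
        self._detect_abuse(user)
        return token

    def _detect_abuse(self, user):
        """Alert and rotate if a user has touched too many privileged accounts."""
        used = {acct for _, u, acct, out in self.audit_log
                if u == user and out == "checkout"}
        if len(used) > self.MAX_DISTINCT_ACCOUNTS_PER_USER:
            self.alerts.append(f"{user} checked out {len(used)} privileged accounts")
            for name in used:
                self.rotate(name, reason=f"abuse alert for {user}")

    def rotate(self, account_name, reason):
        """Replace the secret and invalidate every session using that account."""
        account = self.accounts[account_name]
        account.secret = secrets.token_urlsafe(24)
        account.rotations += 1
        self.active_sessions = {t: n for t, n in self.active_sessions.items()
                                if n != account_name}
        self._record("broker", account_name, f"rotated:{reason}")


def run_demo():
    """Walk through entitlement checks, an abuse alert and a manual rotation."""
    broker = PamBroker([
        PrivilegedAccount("db-admin", {"alice", "bob"}),
        PrivilegedAccount("domain-admin", {"alice"}),
        PrivilegedAccount("backup-svc", {"alice"}),
    ])
    results = {}
    results["bob_token"] = broker.checkout("bob", "db-admin", mfa_verified=True)
    # a non-entitled user and a missing second factor are both refused and logged
    for user, acct, mfa in [("bob", "domain-admin", True), ("alice", "db-admin", False)]:
        try:
            broker.checkout(user, acct, mfa_verified=mfa)
        except AccessDenied as exc:
            results[f"denied:{user}:{acct}"] = str(exc)
    # alice legitimately uses two accounts; a third trips the harvesting check,
    # which rotates all three secrets and drops every live session on them
    for acct in ["db-admin", "domain-admin", "backup-svc"]:
        broker.checkout("alice", acct, mfa_verified=True)
    results["alerts_after_harvest"] = list(broker.alerts)
    results["sessions_after_harvest"] = len(broker.active_sessions)
    # an explicit adverse event (constructed): an administrator is offboarded
    broker.rotate("db-admin", reason="administrator offboarded")
    results["db_admin_rotations"] = broker.accounts["db-admin"].rotations
    return broker, results


if __name__ == "__main__":
    demo_broker, demo_results = run_demo()
    for key, value in demo_results.items():
        print(f"{key}: {value}")
    for entry in demo_broker.audit_log:
        print(entry)
```

The point of the model is the shape of the data flow rather than any particular algorithm: the secret never leaves the broker, every decision is written to the audit trail before the session is issued, and the same audit trail feeds the detection rule, so a rotation triggered by an alert is itself recorded. A real deployment would replace the `mfa_verified` flag with an actual second-factor check and the constructed threshold with policy tuned to the organisation.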
Privileged Account Management now expected
Reinforcing the effectiveness of this approach, the Australian Signals Directorate (ASD) ranks PAM amongst its Top Four strategies to mitigate targeted cyber intrusions in the Australian Government Information Security Manual (ISM). A recent audit by the federal Auditor-General criticised key federal agencies that failed to effectively implement the Top Four, which are a mandatory requirement for those handling sensitive data.
The NSW Auditor-General was also critical of state government agencies in its recent Report on Internal Controls & Governance 2017, finding that 68% of agencies did not adequately manage privileged access to their systems, exposing personal data to potential misuse.
Under sustained pressure to protect personal information, PAM is becoming the norm in federal government, with state agencies now following their lead. With the NDB scheme, other organisations covered by the Privacy Act will also be forced to follow suit.
Given the effectiveness and maturity of today’s solutions, with productivity benefits far outweighing their cost, PAM is almost the definition of a “reasonable step” organisations should take to secure personal information. With the NDB scheme, it will also become something that boards, senior executives, the OAIC and the general public come to expect.
About the author
Andrew McAllister is the APAC Regional Director at Thycotic, responsible for the market strategy for the region and delivering end-to-end Privileged Account Management solutions to customers via a network of channel partners managed by master distributor, emt Distribution.