The Office of the Australian Information Commissioner’s (OAIC) quarterly reports under the Notifiable Data Breaches (NDB) scheme make for sobering reading, as do the results of recent research conducted by Brennan IT.
The number of reported breaches has risen in each of the OAIC’s quarterly reports (reaching 265 in the Oct-Dec 2018 report). That is not surprising given that, according to a survey commissioned by Brennan IT of Australian IT professionals in medium-sized organisations (100-1,000 employees), 1 in 5 (18%) businesses do not have a security policy aligned to the organisation’s strategy, more than a third (37%) never conduct security training for their people, and only half (51%) have a nominated person who owns security policies and controls.
Furthermore, 47% of the organisations surveyed have gaps in their practices that need to be closed to meet the Notifiable Data Breaches legislation. The likely reality is that significantly more breaches are occurring than are being detected and reported: an organisation that cannot detect a breach cannot notify it.
Whatever the situation, this is something organisations need to fix, and fast. Cyber threats are growing more frequent and sophisticated and are increasingly targeting businesses, and the penalties for breaches and poor practices are set to grow: proposed federal legislation announced this month would raise the maximum penalty to $10m for serious or repeated breaches, up from the current, still weighty, $2.1m ceiling.
With the NDB scheme applying to any business with an annual turnover above $3m, as well as to health service providers and other entities covered by the Privacy Act regardless of size, few escape its shadow. So what can organisations do to stay out of the OAIC’s next report?
How to establish your current security footing
At Brennan IT we advocate the Fun4, the fundamental four actions you need to complete to identify your current security posture, and then establish and prioritise the work needed to fill your security gaps:
Step 1: Conduct a vulnerability assessment
This is a review of your systems to define, identify and classify the security holes in your computers, network and communications infrastructure. As part of it, rate how urgently each finding needs fixing and what the fix would involve. The process is an active analysis of your systems for potential vulnerabilities arising from poor or improper configuration, known and unknown hardware or software flaws, or operational weaknesses. Note that a vulnerability assessment finds and ranks weaknesses; it does not attempt to exploit them, which is the job of a penetration test.
WHY? Many cyber incidents involve the exploitation of vulnerabilities. Since the Notifiable Data Breaches scheme began there has been an average of 2.6 breaches reported every day; 139 of the reported breaches were the result of a malicious or criminal attack, and 69% of those involved cyber incidents.
Step 2: Review your technical security configuration
Review and update your technical security configuration to harden your overall resilience and close off the common weaknesses that internal penetration testers routinely exploit. When your next internal penetration test is run, the tester will have to find other ways into the network, which gets more value from the test and leaves you with a better security posture.
WHY? Your security settings play an essential role in safeguarding your organisation against external and internal threats. Yet many organisations run on dated, default or inappropriate settings that are easily exploited.
Step 3: Conduct a user-access review and password audit
Conduct an account review and password exposure audit against your Active Directory domain. The account review analyses Active Directory for the failure types that leave your organisation open to attack: typically obsolete or never-used accounts that are still enabled, accounts with passwords set never to expire or not required at all, aged passwords, and privileged group membership that is no longer needed. The password exposure side checks whether passwords in use match known-breached or trivially guessable values.
WHY? Unnecessary access rights and obsolete accounts are among the most common causes of security compromise, and the risk is amplified when combined with weak password practices. Verizon’s most recent Data Breach Investigations Report showed that the use of stolen credentials (classified as hacking) was the number one threat action in confirmed data breaches.
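To make the account-review half of Step 3 concrete, here is an added example written for this article; it is not Brennan IT’s audit tooling. It takes an export of user attributes using the names the ActiveDirectory PowerShell module’s Get-ADUser cmdlet returns, flags the failure types a reviewer looks for, and escalates any finding on a privileged account to the top of the worksheet. The sample records, thresholds, review date and privileged-group names are constructed assumptions.

```python
"""Account review over an Active Directory user export (added example).

Illustrative code written for this article, not Brennan IT's audit tooling.
Input records use the attribute names the ActiveDirectory PowerShell module's
Get-ADUser cmdlet returns (Enabled, Created, LastLogonDate, PasswordLastSet,
PasswordNeverExpires, PasswordNotRequired, MemberOf); the records, thresholds
and group names below are constructed assumptions, not data from a real domain.
"""
from datetime import datetime, timedelta

# Review thresholds: assumed policy values, tune to your own standard.
STALE_LOGON_DAYS = 90            # enabled but unused this long -> obsolete
NEVER_LOGGED_ON_GRACE_DAYS = 30  # new accounts get this long to be used
MAX_PASSWORD_AGE_DAYS = 365
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
AS_OF = datetime(2019, 4, 15)    # fixed review date so results are repeatable

# Constructed sample export (in practice: Get-ADUser -Filter * -Properties ...).
SAMPLE_USERS = [
    {"SamAccountName": "jsmith", "Enabled": True, "Created": datetime(2017, 3, 1),
     "LastLogonDate": datetime(2019, 4, 10), "PasswordLastSet": datetime(2019, 1, 15),
     "PasswordNeverExpires": False, "PasswordNotRequired": False, "MemberOf": []},
    {"SamAccountName": "contractor7", "Enabled": True, "Created": datetime(2017, 6, 1),
     "LastLogonDate": datetime(2018, 9, 2), "PasswordLastSet": datetime(2017, 6, 1),
     "PasswordNeverExpires": True, "PasswordNotRequired": False, "MemberOf": []},
    {"SamAccountName": "svc_backup", "Enabled": True, "Created": datetime(2016, 1, 1),
     "LastLogonDate": datetime(2019, 4, 14), "PasswordLastSet": datetime(2016, 1, 1),
     "PasswordNeverExpires": True, "PasswordNotRequired": False,
     "MemberOf": ["Domain Admins"]},
    {"SamAccountName": "newhire", "Enabled": True, "Created": datetime(2019, 2, 1),
     "LastLogonDate": None, "PasswordLastSet": datetime(2019, 2, 1),
     "PasswordNeverExpires": False, "PasswordNotRequired": False, "MemberOf": []},
    {"SamAccountName": "oldadmin", "Enabled": False, "Created": datetime(2015, 1, 1),
     "LastLogonDate": datetime(2018, 1, 1), "PasswordLastSet": datetime(2017, 12, 1),
     "PasswordNeverExpires": False, "PasswordNotRequired": False,
     "MemberOf": ["Domain Admins"]},
    {"SamAccountName": "kiosk", "Enabled": True, "Created": datetime(2018, 1, 1),
     "LastLogonDate": datetime(2019, 4, 14), "PasswordLastSet": datetime(2018, 1, 1),
     "PasswordNeverExpires": False, "PasswordNotRequired": True, "MemberOf": []},
]


def is_privileged(user):
    return any(group in PRIVILEGED_GROUPS for group in user["MemberOf"])


def review_account(user, now):
    """Return (account, check, severity) findings for one account."""
    checks = []
    privileged = is_privileged(user)
    stale_cutoff = now - timedelta(days=STALE_LOGON_DAYS)
    password_cutoff = now - timedelta(days=MAX_PASSWORD_AGE_DAYS)

    if user["Enabled"]:
        last_logon = user["LastLogonDate"]
        if last_logon is None:
            if user["Created"] < now - timedelta(days=NEVER_LOGGED_ON_GRACE_DAYS):
                checks.append("enabled-never-logged-on")
        elif last_logon < stale_cutoff:
            checks.append("stale-enabled-account")
        if user["PasswordNeverExpires"]:
            checks.append("password-never-expires")
        if user["PasswordNotRequired"]:
            checks.append("password-not-required")
        if user["PasswordLastSet"] < password_cutoff:
            checks.append("password-older-than-policy")
    elif privileged:
        # Disabling is not enough: remove the account from privileged groups too.
        checks.append("disabled-but-privileged")

    # Any weakness on a privileged account is the highest priority to fix.
    severity = "high" if privileged else "medium"
    return [(user["SamAccountName"], check, severity) for check in checks]


def review_domain(users, now):
    """Review every account; highest severity first, then by account and check."""
    findings = []
    for user in users:
        findings.extend(review_account(user, now))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f[2]], f[0], f[1]))


def summarise(findings):
    """Count findings per check type, for the summary line of the report."""
    counts = {}
    for _, check, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


def review_sample():
    return review_domain(SAMPLE_USERS, AS_OF)


if __name__ == "__main__":
    for account, check, severity in review_sample():
        print(f"{severity:<6} {account:<12} {check}")
    print(summarise(review_sample()))
```

Run against a real export, the worksheet this produces is the input to the access review itself: each finding needs an owner to confirm the account is still required and to fix or remove it. The password exposure half of the audit (comparing the domain’s password hashes against breach lists) needs separate hash-extraction tooling and is not shown here.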
Step 4: Undertake a security maturity assessment
The Privacy Act’s requirement to take reasonable steps to protect personal information (Australian Privacy Principle 11) means you should be regularly assessing your organisation’s risk. Assess yourself against current threats, understand your overall security posture across multiple areas (including how well informed and trained your staff are), and evaluate the risks that follow from each. The result is a roadmap for mitigating cyber security threats, a baseline for future assessments, and the basis for a step-by-step plan to raise your overall security level.
WHY? As IT environments become increasingly complex and technology changes constantly, it can be difficult to stay on top of your organisation’s security or even know where potential issues exist.
Undertaking this alone can be a challenge and won’t give you a polished cyber security programme overnight. It is critical, however, to know where you stand before you can improve, and it’s clear that most mid-sized organisations surveyed for the study know they need to do something; they just don’t know where or how to start. For many IT managers, keeping the lights on day to day is a constant struggle, which makes proper training and planning of any sort difficult to achieve.
Surviving and prospering in today’s challenging digital landscape requires an integrated approach led by qualified people, in-house or external, who understand the cyber security and data privacy needs of organisations in Australia, and who can advise you and help you build in and update your protections as you go.
In an ideal world your existing Managed Services Provider is mature enough to fill that gap. Why? Because they should already know your IT environment inside out and be able to help you quickly identify what needs to happen.
To get you started, there are four things you can do immediately that will improve your security footing almost overnight:
1) Improve people’s security awareness
People are almost always identified as the weakest link in the security chain during assessments.
Frequently this is because staff don’t know what the organisation expects of them. Regular security training is therefore needed to update and remind staff of their security responsibilities and the organisation’s expectations as they go about their everyday tasks.
It might seem obvious, but building awareness of security threats and the consequences of falling for them takes time and vigilance, because there are so many threat types in circulation, spear phishing, whaling and malware in particular, any of which can appear at any time and wreak havoc.
Educating staff on how to spot unusual or suspicious activity can greatly reduce the risk of attack - create your ’human firewall’ as soon as you possibly can.
2) Security policy documentation
This step can be as detailed and thorough as you like, but the first order of business should be establishing clear guidelines and practices around passwords.
Obviously, simple passwords like ‘password’ or ‘welcome123’ should be avoided, as should first names or birth dates, which a resourceful attacker can easily discover. Checking new passwords against a list of known-breached passwords catches far more weak choices than complexity rules alone.
Password guidelines should also be shared with trusted suppliers and other third parties, as weak security links often exist at these touch-points at the edge of your company’s network.
And none of this is of any use unless the company produces clear documentation of its security policies and procedures, which can then be shared securely with only its intended recipients.
3) Security governance
In order for security to get its due, it needs to be encapsulated within a proper ‘governance’ framework. This means identifying and allocating responsibility and accountability at key points in the chain.
These people need to meet at regular intervals to provide updates, discuss and allocate budget, human and other resources to stay ahead of the threats.
A good security implementation is incomplete without a dedicated drive from the organisation’s senior executives. The governance structure should be formalised, have representation from the heads of key business areas, meet periodically to discuss security issues, and drive security improvement across the organisation.
4) Security event management
Many environments have no centralised logging or log management solution, so critical events go unnoticed until it’s too late.
It might seem that you can rely on the logs held on individual systems, but when log data is needed to investigate a security incident or data breach it is often not there: key events were never recorded, or the logs rolled over so quickly that earlier records are gone. Forwarding events to a central store as they are generated fixes both problems, since retention is then set centrally and an attacker who compromises a host cannot clear the copy.
Security Information and Event Management (SIEM) technology supports threat detection, incident response and compliance through the real-time collection and analysis of security events from a wide variety of sources. Setting one up is a key step in improving your security footing and in meeting NDB obligations, in particular the requirement to assess a suspected breach within 30 days of becoming aware of it.
The key challenges many businesses face with a SIEM implementation are the ongoing tuning of which events to collect and alert on, and the further development needed to use its full capabilities. Those tasks get harder still as the volume of threats grows across an expanding attack surface, compliance demands evolve, skilled staff are scarce and budgets are tight.
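What a SIEM actually does with centrally collected events is correlate them across time and sources, which is exactly what individual host logs cannot offer. The following is an added example written for this article, not any SIEM product’s rule set: it takes Windows Security logon events (4625 failure, 4624 success) that have already been forwarded to a collector as one-line key=value records, and raises two classic alerts, a brute-force attempt against one account that ends in a successful logon, and a password spray where one source tries several accounts inside a short window. The log lines, field layout, thresholds and window are constructed assumptions; the field names TargetUserName and IpAddress follow the Windows event fields.

```python
"""Correlating forwarded Windows logon events (added example).

Illustrative code written for this article, not a SIEM product's rules.
It assumes Security events have been forwarded to a collector as one-line
key=value records; the records, thresholds and window are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # correlation window (assumed)
FAIL_THRESHOLD = 3              # failures per (user, source) before a success is suspicious
SPRAY_USER_THRESHOLD = 3        # distinct users failing from one source inside WINDOW

# Only the fields the rules need are captured; trailing fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)

# Constructed sample stream, deliberately not in time order.
SAMPLE_LOG = """\
2019-04-15T09:00:01Z host=DC01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.5.77 Status=0xC000006D
2019-04-15T08:00:00Z host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.9.9 Status=0xC000006D
2019-04-15T08:30:00Z host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.9.9 Status=0xC000006D
2019-04-15T09:00:00Z host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.9.9 Status=0xC000006D
2019-04-15T09:00:05Z host=DC01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.5.77 Status=0xC000006D
2019-04-15T09:00:09Z host=DC01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.5.77 Status=0xC000006D
2019-04-15T09:00:14Z host=DC01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.5.77 Status=0xC000006D
2019-04-15T09:01:00Z host=DC01 EventID=4624 TargetUserName=jsmith IpAddress=10.0.5.77 LogonType=3
2019-04-15T09:02:00Z host=DC01 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.9.9 LogonType=3
2019-04-15T09:05:00Z host=DC02 EventID=4625 TargetUserName=alice IpAddress=203.0.113.9 Status=0xC000006D
2019-04-15T09:05:02Z host=DC02 EventID=4625 TargetUserName=bob IpAddress=203.0.113.9 Status=0xC000006D
2019-04-15T09:05:04Z host=DC02 EventID=4625 TargetUserName=carol IpAddress=203.0.113.9 Status=0xC000006D
2019-04-15T09:10:00Z host=DC01 EventID=4625 TargetUserName=bob IpAddress=10.0.1.5 Status=0xC000006D
2019-04-15T09:10:05Z host=DC01 EventID=4625 TargetUserName=bob IpAddress=10.0.1.5 Status=0xC000006D
2019-04-15T09:10:20Z host=DC01 EventID=4624 TargetUserName=bob IpAddress=10.0.1.5 LogonType=3
"""


def parse(text):
    """Parse forwarded lines into events, sorted by time (forwarders reorder)."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a logon event we handle
        events.append({
            "ts": datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": match["host"], "eid": int(match["eid"]),
            "user": match["user"], "ip": match["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def expire(queue, now, key=lambda item: item):
    """Drop queued entries older than WINDOW relative to `now`."""
    while queue and key(queue[0]) < now - WINDOW:
        queue.popleft()


def correlate(text):
    """Return alerts as tuples, in the order they fire."""
    alerts = []
    fails_by_pair = defaultdict(deque)  # (user, ip) -> failure timestamps
    fails_by_ip = defaultdict(deque)    # ip -> (timestamp, user) of failures
    reported_sprays = set()             # one spray alert per source
    for ev in parse(text):
        now, pair = ev["ts"], (ev["user"], ev["ip"])
        if ev["eid"] == 4625:
            per_pair = fails_by_pair[pair]
            per_pair.append(now)
            expire(per_pair, now)
            per_ip = fails_by_ip[ev["ip"]]
            per_ip.append((now, ev["user"]))
            expire(per_ip, now, key=lambda item: item[0])
            users = {user for _, user in per_ip}
            if len(users) >= SPRAY_USER_THRESHOLD and ev["ip"] not in reported_sprays:
                alerts.append(("password-spray", ev["ip"], tuple(sorted(users))))
                reported_sprays.add(ev["ip"])
        elif ev["eid"] == 4624:
            per_pair = fails_by_pair.get(pair)
            if per_pair:
                expire(per_pair, now)  # failures spread over hours do not count
                if len(per_pair) >= FAIL_THRESHOLD:
                    alerts.append(("brute-force-success", ev["ip"], ev["user"]))
                per_pair.clear()       # a success resets the sequence
    return alerts


def run_sample():
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two of the sample sequences deliberately do not alert: svc_backup’s three failures are spread over an hour, so they fall outside the window by the time the success arrives, and bob’s two typos from 10.0.1.5 sit under the threshold. Those are the tuning knobs the previous paragraph refers to; set them too low and the helpdesk drowns in noise, too high and a slow spray walks straight past.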
Escaping the shadow of the NDB is simple: Plan. Do. Check. Act. Now.