It seems to be an ongoing complaint from many in our industry that data breach disclosure laws are a must-have if businesses are ever going to take security seriously. In Australia, this has been talked about for a long time, and I cringe every time I hear it; let me clarify why. (I borrow some of the following from my own blog posts.)
Organisations most likely to be affected by the introduction of such laws also tend to already have better information security and privacy policies in place. If you have good practices and controls in place, you’re probably also more likely to detect a breach and would, under these new laws, have to openly disclose. (I’ll leave you to consider the potential business and reputational implications to the organisation when this happens).
If your business’s practices and controls around information protection are weak, you’re probably clueless about whether a breach has occurred or not, so what you don’t know can’t get reported. Take the three monkeys approach to information security—see nothing, hear nothing, speak nothing—and the proposed disclosure laws will have little impact upon you.
Unfortunately, under this structure a better, more secure company is in more danger of being negatively impacted than a less conscientious company! Now is that really what we want? Of course not! Blanket statements espousing the benefits of such legislation are naïve. The introduction of such legislation could have the opposite effect to what it’s trying to do!
These laws will never be successful without supporting legislation/regulation around basic and minimum security practices and controls. See a previous post on this topic.
Regulation does not need to be considered bad. See this discussion of regulation in an interview I did with David Rice (Author of Geekonomics: The Real Cost of Insecure Software) a few years back.
We can debate whether high-level statements of requirements in the Privacy Act cut it, but in my opinion, they don’t, and they haven’t so far, so what would change things now?
Of course, it is all a moot point if someone hacks you and does your Data Breach Disclosure for you, and as we’ve seen in recent years, it’s becoming quite popular.