Experts weigh in on Australia's Notifiable Data Breaches scheme
Australia’s new mandatory data breach disclosure law has already shown just how regularly organisations are experiencing data breaches.
More than thirty data breach notifications were submitted by Australian businesses in the first three weeks after the Notifiable Data Breaches (NDB) scheme came into force.
HP Australia’s recent IT Security Study finds that nearly half of the Australian SMBs who would be impacted by the mandatory legislation lacked suitable IT security policies.
A staggering 57% of respondents hadn’t completed any sort of IT risk assessment in the past year.
Too many Australian organisations remain open to attack. But how do organisations even know where to start?
To shed some light on preparing for and mitigating a data breach, executives from SOTI, Seagate and Envisian weigh in with their advice.
The Stakes are Higher, and Business-Critical
SOTI’s Asia Pacific managing director Adele Beachley says that as companies deepen and broaden their mobility programs and adopt the Internet of Things (IoT), they are becoming more attractive targets.
“Protecting personal information collected and stored within the big data of any business means paying attention to whatever mobile and IoT program your business is running, implementing or even planning for.”
Beachley lists the following as some of the crucial measures to be taken to protect the personal information of employees, customers, users, partners and other stakeholders:
- Prevention of communication interception, e.g. man-in-the-middle attacks via public unsecured Wi-Fi, Bluetooth, or even fake cell phone towers (aka stingrays) which spoof 2G/3G/4G connections.
- Preventing physical device access through tactics such as strong password policies, enforced encryption, geo-tracking and geo-fencing.
- Ensuring device compliance with policies that are suited to your organisation, industry, and types of device usage. This may include enforced separation of work and personal data and apps, to reduce the risk and liability of the business.
Beachley adds, “I mean, 87% of the adult population in Australia use a smartphone - what is everyone doing with it? The short answer is apps, apps and more apps.”
“Five hours, 34 minutes spent on the internet per day and one hour, 39 minutes on social media. In fact, 15 million Australians access social media from a smartphone. That’s 61% of the population, according to IDC’s Data Age 2025 study.”
“The reality is that free apps aren’t really free,” continues Beachley.
“Both apps and social tools collect a surprising amount of data about their users. For example, have you ever done research on a hotel, holiday destination or property online and then suddenly your social feed is full of ‘suggested’ posts specifically related to your search?”
“You are being targeted based on your smartphone habits and data that has been collected and stored about you.”
“The user is generally totally unaware of the extent of the information collated, its intended use or how it is to be monetised – just look at what is happening right now with Cambridge Analytica and Facebook.”
According to SOTI, enterprises are collecting, storing and failing to adequately secure a growing amount of this kind of data, thanks to BYO and BYOA programs without robust, modernised corporate mobility policies and sufficient enforcement of such policies.
“Mobile device and IoT management is already less about the table-stakes tasks of sending out patches, rolling out apps and even tracking devices, and must be focused on integration, data leakage prevention and security,” concludes Beachley.
Protecting Personal Data is now an Enterprise-level Responsibility
Seagate’s regional sales VP for Asia Pacific, Robert Yang, comments: “Thanks to an increase in cross-platform integration, regardless of where the data is created – a smartphone, an autonomous car, via WiFi at the coffee shop, from the transactions of a global financial services company – the challenge of managing more than 97% of the global datasphere falls to enterprises.”
According to IDC’s Data Age 2025 report, the percentage of data requiring security will grow to nearly 90% by 2025, and will encompass five categories:
- Lockdown: Information requiring the highest security e.g. financial transactions, personnel files, medical records, military intelligence.
- Confidential: Business intelligence to be protected e.g. trade secrets, customer lists, memos.
- Custodial: Account information that, if breached, could lead to or aid in identity theft.
- Compliance-driven: Information such as emails that might be discoverable in litigation or subject to a retention rule.
- Private: Information such as an email address on a YouTube upload.
“Security and privacy challenges cannot be underplayed,” adds Yang.
“It is no surprise that the Australian government is enacting measures to encourage greater protection of data and personal information.”
“Our world will be awash with data by 2025 – 163 zettabytes, a startling ten-fold increase over what was created in 2016. And yet an IDC study also reveals that by 2025 less than half of the data requiring security will actually be secured.”
On this, the experts agree: there is an increasing need for improved security, systems, policies and processes to handle the deluge of data and protect the private information of individuals and organisations, alike.
But, therein lies the rub, says Envisian IT’s consulting director and co-founder, David Robinson.
“Encouraging security and process improvements is essential,” says Robinson.
“However, in today’s world of online markets, collaboration and digital economies, data must be accessible.”
“The evolution of automobile braking systems design happened because we wanted to go faster and mitigate the risks of going faster, not because we wanted to be safer. Otherwise we’d prevent high speed driving altogether.”
“It should be similar with data. Protection improvements should be driven by the desire for better accessibility, not by the fear of contravention.”
Robinson advocates putting the right security measures in place, but says this must not compromise an organisation’s and its stakeholders’ access to necessary data, the organisation’s capabilities, or the functionality it provides its employees to do their jobs.
“Striking the right balance is a challenge that organisations must tackle,” adds Robinson.
“The objective of the NDB scheme is to hold Australian businesses and government agencies to a high standard of personal information security.”
Yang agrees: were the flow of data to stop for any reason, not only would business operations cease, but so would the smooth running of our daily lives.
“IDC estimates that by 2025, nearly 20% of the data in the global datasphere will be critical to our daily lives and nearly 10% of that will be hypercritical. It isn’t enough to get your house in order to comply with mandatory data breach reporting,” explains Yang.
“To handle the emergence of hypercritical data, a business must develop and deploy data capture, analytics, and infrastructure that delivers extremely high reliability, bandwidth, and availability.”
“This calls for more secure systems, new business practices and yes - new legal and legislative infrastructures around shifting and potentially debilitating liabilities,” says Yang.
Beachley cautions organisations against setting and forgetting solutions and policies for another few years.
“No single initiative will guarantee mobile security, and you will always be trying to hit a moving target,” adds Beachley.
“An effective enterprise mobile and data security strategy involves multiple approaches and continuous improvement.”