Most organisations are now aware of the federal government’s mandatory notifiable data breach (NDB) legislation and the penalties associated with failing to comply. Essentially, the scheme aims to give individuals more control over their personal data, so it requires certain businesses to report breaches of that data to the individual concerned as well as to the Office of the Australian Information Commissioner (OAIC). Failing to report a breach can result in financial and civil penalties.
The OAIC’s first quarterly report on notifiable data breaches revealed that health service providers reported the most breaches (15 out of 63 since 22 February 2018). Fifty-five breaches in total were reported in March alone, which is almost two per day.
Health service providers include any organisation that provides a health service and holds health information. Information breaches at a health service provider have a significant likelihood of causing serious harm to the affected individuals because of the inherently sensitive nature of medical information. People could potentially suffer psychological distress or even trauma from having the details of their health shared publicly. Depending on the nature of their health problem, they could experience social stigma and it could affect their job prospects and earning potential.
Furthermore, the combination of personal details available via health records makes victims vulnerable to identity theft, which can cause ongoing problems. While it is relatively easy to change credit card details, it can be harder for victims to secure a new Medicare number, for example. Cybercriminals can use that information to fraudulently open bank accounts and loans in the victim’s name, racking up significant debts in the process.
The NDB scheme applies to all government agencies and businesses already required to comply with the Privacy Act, which includes businesses and not-for-profit organisations with an annual turnover of more than $3 million. It also covers any business that collects and stores personal information such as education records, tax file numbers or health records.
The Australian scheme is being mirrored around the world. For example, Europe’s General Data Protection Regulation (GDPR) includes similarly stringent requirements for businesses to take all reasonable steps to keep confidential information secure. The GDPR extends to any business interacting with businesses or individuals in Europe, so Australian businesses need to be aware of their responsibilities under this regulation. In New Zealand, data breach notification is expected to become mandatory at some point, but no details are confirmed yet.
While the need to be aware of and comply with regulations from around the world can seem overwhelming, there is one sure way to avoid falling foul of them. Businesses need to direct their cybersecurity efforts towards preventing breaches from happening in the first place, rather than only looking to mitigate breaches after they’ve happened.
There are five key steps businesses should take now that the NDB scheme is in full effect:
1. Understand and map out what data the business holds
Companies collect and store data across any number of locations, so auditing the data held within the business is an important step towards complying with the scheme. It’s essential to know where the data resides (on-premises or in the cloud), who has access to it, what protections are in place, and whether there are any vulnerabilities that need to be addressed.
2. Implement security controls, including educating employees
Securing individuals’ data is at the heart of the NDB legislation, so it’s incredibly important to select and implement the strongest possible security controls to prevent unauthorised access to data, whether from within the organisation or by external parties.
Because such a large proportion of data breaches is caused by human error, there is an ongoing need to ensure all team members are well educated about their responsibilities when it comes to securing data. There are many basic steps people can take to protect the organisation’s data, including not clicking on suspicious email links, not plugging unknown devices into the network, and keeping passwords secret. However, team members don’t necessarily know about these fundamentals of security unless they’re told explicitly and reminded regularly.
3. Develop data breach prevention measures
Preventing data breaches is crucial, so proper cybersecurity measures are essential. This involves four key elements:
- Gain complete visibility into all traffic across the network, endpoints and the cloud, classified by application, user and content. Complete visibility provides the context needed to enforce dynamic security policy.
- Reduce the attack surface, which is expanding rapidly as companies’ use of applications and devices proliferates through SaaS (software as a service), cloud and IoT (the internet of things). A positive security model reduces the attack surface by enabling only specific, allowed applications for the right users while denying everything else.
- Prevent known threats such as commodity information-stealing Trojans, other malware and application exploits. Look for security offerings that control threat vectors through granular management of all types of applications. This immediately reduces the attack surface of the network; all allowed traffic is then analysed for exploits, malware, malicious URLs, and dangerous or restricted files or content.
- Prevent unknown threats through collective threat intelligence. Global information sharing makes unknown threats quickly known and therefore preventable. Automated responses are ideal because manually responding takes too long and increases the risk of exposure, whereas an automated response can outrun the threat.
4. Test, review and improve
Because cyberthreats are constantly evolving, it’s essential that any security measures and plans evolve just as rapidly. Businesses must regularly test security systems and processes to ensure they are still relevant and effective, and must ensure team members are well aware of their responsibilities regarding information security.
5. Develop a response plan
Despite an organisation’s best efforts, cyberbreaches can still happen, so it’s important to have a plan in place to deal with these incidents as swiftly and effectively as possible. A plan should outline the roles and responsibilities of people in the organisation, the processes for notifying affected individuals and the OAIC, and the steps that need to be taken to contain the attack. Being well prepared makes the difference between handling a data breach effectively, with minimal damage, and being caught unprepared in a crisis.
Regardless of whether an organisation is officially subject to the NDB scheme, it makes good business sense to demonstrate to customers that the business is committed to keeping their information secure.
Sean Duca is vice president and regional chief security officer, Palo Alto Networks.