With 63 reported data breaches in the first six weeks, the OAIC has its work cut out. Australia’s Mandatory Data Breach Notification (MDBN) scheme came into force on 22nd February 2018, and in the first six weeks there have been 63 cases reported to the Office of the Australian Information Commissioner (OAIC).
This much-anticipated update to Australia’s Privacy Act is hailed as a foundational shift in our nation’s stance on information privacy and security matters, where the government now insists entities (companies and government departments that meet the applicability criteria) must notify the OAIC and affected individuals if there is a breach of personal information.
The OAIC has now released its first quarter’s report on notifiable data breaches (NDBs), and while the headline figure of 63 cases is interesting, in the report’s detail there are some incredibly telling statistics that Australian business should heed. Last year, the OAIC reported 114 voluntary notifications across the entire year, but in March 2018 alone it logged 55 individual breach notifications. If this trend continues for the rest of the year, and by all accounts it will likely grow, we could see a 12-month total of over 600 cases for the OAIC to manage.
The introduction of mandatory data breach notification doesn’t materially change the Privacy Act’s underlying principles; rather, what has changed is what organisations are expected to do when a breach occurs. Until this legislation was pushed through, the mindset of breached companies was to bury the attack for fear of reputational damage. After all, in a highly competitive market, reputation is everything, and why should an organisation advertise the fact that it was negligent with its customers’ information when doing so could cost it business? Yet it’s this mindset that mandatory notification is supposed to change. In other parts of the world, such as the United States, governments have already introduced more stringent legislation, with even tighter control in the European Union under the incoming General Data Protection Regulation (GDPR).
Under the Privacy Act 1988, Australian organisations have an obligation to secure any personal information they hold. This legislation has been in place for the last thirty years, yet our recent changes mean organisations now must notify those affected (and the OAIC) when personal information is involved in a breach that could cause “serious harm”. These data breaches are referred to as ‘eligible data breaches’ and in all cases, eligible data breaches must be reported to the OAIC.
A data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.
Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk
The OAIC’s Privacy Commissioner, Angelene Falk, says our new mandatory data breach notification laws will help improve Australia’s understanding of the issues associated with cyber security and breaches and will “promote a proactive approach to addressing security risks.”
Several important points are raised in the OAIC’s report:
The clear majority of data breaches (73%) reported in this period affected fewer than 100 people, yet that leaves 27% affecting more than 100, and three specific breaches affecting more than 10,000 individuals.
What can businesses do to better prepare to deal with cyber security issues and ensure, when a breach occurs, they contain the threat and report appropriately to those affected and the OAIC?
A variety of factors can affect an organisation’s security posture, including how diligent it is in patching its computer systems and how well it keeps its computers free of malware and viruses. Furthermore, the more mature organisations will institute an audit regime, whereby user actions are logged and unusual or suspicious behaviour can be investigated. With human error as the largest cause of breaches reported to the OAIC, it’s incredibly important that organisations don’t only focus on addressing the threat of attackers. Human error is defined as an inadvertent disclosure, often caused by the user accidentally sending something containing personal information to the wrong recipient. A user might also forward work-related documents to their personal email system – with the intent of working at home to finish a project – or take those files off the organisation’s network on removable media, all with good intentions.
Many of the breaches that get reported to the OAIC could have been avoided with the right assurance protocols introduced into the business. User training is the top control, making it clear to users what is acceptable and what is not. If users don’t know they shouldn’t email their work to their Gmail account, then you can’t blame them for being diligent and wanting to work extra hours.
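The human-error cases above (work files forwarded to a personal webmail account) are something an audit regime can surface from mail-gateway logs before a notification is ever needed. The following is an added example, not Huntsman Security’s code or any product’s logic: it scans a constructed, simplified mail-gateway export and flags outbound messages with attachments addressed to consumer webmail domains, separating likely self-forwards from other personal-address recipients. The log format, the `example.org` domain and the `PERSONAL_WEBMAIL` list are assumptions for the demo.

```python
"""Flag outbound mail that looks like work data leaving for a personal
webmail account.  Added example (not Huntsman Security's code).  The log
format is a constructed, simplified mail-gateway export:
    <timestamp> <sender> <recipient> <attachment-count> <subject>
Real gateways differ; adapt parse_line() to your own export."""
import re
from dataclasses import dataclass

# Constructed sample log lines for the demo (not real traffic)
SAMPLE_LOG = """\
2018-03-05T17:42:10 alice@example.org bob@example.org 1 Q1 report
2018-03-05T18:01:33 alice@example.org alice.smith@gmail.com 2 client list - finish at home
2018-03-05T18:03:02 carol@example.org vendor@partner.example 0 meeting
2018-03-05T18:10:45 dave@example.org dave99@outlook.com 1 payroll export
2018-03-06T09:00:00 erin@example.org erin@example.org 3 notes to self
2018-03-06T09:30:00 frank@example.org sister@yahoo.com 1 family photos
"""

# Assumed list of consumer webmail domains; extend for your environment
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
INTERNAL_DOMAIN = "example.org"  # assumed corporate domain

@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    attachments: int
    subject: str
    reason: str

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")

def parse_line(line):
    """Return (timestamp, sender, recipient, attachments, subject) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sender, rcpt, att, subject = m.groups()
    return ts, sender, rcpt, int(att), subject

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def local_part(addr):
    return addr.split("@", 1)[0].lower()

def find_personal_forwards(log_text):
    """Return Findings for internal senders mailing attachments to webmail domains."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, rcpt, att, subject = parsed
        if domain_of(sender) != INTERNAL_DOMAIN:
            continue  # only outbound mail from our own users is in scope
        if domain_of(rcpt) not in PERSONAL_WEBMAIL:
            continue  # partners and internal recipients are not personal webmail
        if att == 0:
            continue  # no attachment: treat as low risk for this check
        reason = "attachment to personal webmail"
        # Heuristic: recipient local part contains the sender's first name,
        # which usually means the user is mailing work to themselves
        if local_part(sender).split(".")[0] in local_part(rcpt):
            reason = "likely self-forward to personal webmail"
        findings.append(Finding(ts, sender, rcpt, att, subject, reason))
    return findings

if __name__ == "__main__":
    for f in find_personal_forwards(SAMPLE_LOG):
        print(f"{f.timestamp} {f.sender} -> {f.recipient} ({f.attachments} att): {f.reason}")
```

The check is deliberately narrow (internal sender, webmail recipient, at least one attachment) so that a reviewer gets a short list worth following up with the user rather than a flood; the self-forward heuristic is only a hint for triage, not proof of intent.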
Yet after all the user training, policy and procedure writing and expectations placed on users to do the right thing, there are still breaches that will occur, as mistakes happen and criminals want your data. This is where security information and event management (SIEM) systems and user and entity behaviour analytics (UEBA) systems come in. A SIEM will ingest all the data produced by operating systems, applications and network devices as users process and store data. Every action on a Windows operating system, for example, can be logged, and that audit trail can be used to investigate what happened, should you suffer a breach. However, that’s retrospective, so what’s really needed is a proactive approach to detecting breaches, where we can detect the attack as it begins, catching it before serious harm is caused.
UEBA systems ingest all those voluminous log files, along with any other relevant security information, and mine the data for indicators of attack. Over a short period of time, the UEBA technology will learn what normal behaviour on your systems looks like, building a model that can then be correlated against the real-time flow of security information entering the SIEM. For example, if the normal ebb and flow of data through your Internet connection looks like a typical distribution curve, a sudden spike overnight will trigger the UEBA system to raise an alert. The alert won’t necessarily mean there is an attacker stealing data, but the change in what’s considered normal is worthy of investigation.
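The overnight-spike scenario above can be reduced to a small baseline-and-threshold check. The following is an added example, not Huntsman Security’s code or a description of any UEBA product’s model: it builds a per-hour-of-day baseline (mean and standard deviation) from two weeks of constructed hourly egress-byte counts, then flags any hour in a later window whose volume exceeds the baseline by more than a chosen number of standard deviations. The `egress_bytes=` log format, the traffic shape and the `k`/`floor` thresholds are assumptions for the demo.

```python
"""UEBA-style baseline and spike detection over hourly egress volume.
Added example (not Huntsman Security's code).  Log lines are constructed in the
assumed form '<ISO timestamp> egress_bytes=<n>', one per hour, as a collector
upstream of the SIEM might aggregate them."""
from collections import defaultdict
from datetime import datetime
import statistics

def make_baseline_log(days=14):
    """Construct a learning window: busy business hours, quiet overnight,
    with deterministic jitter so the standard deviation is non-zero."""
    lines = []
    for d in range(1, days + 1):
        for h in range(24):
            base = 5_000_000 if 8 <= h < 18 else 200_000
            jitter = ((d * 7 + h * 13) % 10) * 10_000   # 0 .. 90,000 bytes
            lines.append(f"2018-03-{d:02d}T{h:02d}:00:00 egress_bytes={base + jitter}")
    return "\n".join(lines)

# Constructed detection window: one quiet night with a single large transfer at 02:00
TEST_LOG = """\
2018-03-15T01:00:00 egress_bytes=210000
2018-03-15T02:00:00 egress_bytes=8000000
2018-03-15T03:00:00 egress_bytes=230000
2018-03-15T10:00:00 egress_bytes=5060000
"""

def parse(log_text):
    """Return a list of (datetime, bytes) from egress_bytes= lines; skips others."""
    samples = []
    for line in log_text.splitlines():
        ts, _, kv = line.partition(" ")
        key, _, val = kv.partition("=")
        if key != "egress_bytes" or not val.isdigit():
            continue
        samples.append((datetime.fromisoformat(ts), int(val)))
    return samples

def build_baseline(samples):
    """Mean and population stdev of egress bytes for each hour of the day."""
    per_hour = defaultdict(list)
    for ts, b in samples:
        per_hour[ts.hour].append(b)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_hour.items()}

def detect(baseline, samples, k=4.0, floor=50_000):
    """Alert on samples more than k stdevs above the hour-of-day mean.
    'floor' caps how small the stdev may be, so a very stable hour does not
    alert on trivial differences.  Returns (timestamp, bytes, threshold)."""
    alerts = []
    for ts, b in samples:
        if ts.hour not in baseline:
            continue  # no learned behaviour for this hour; nothing to compare against
        mean, sd = baseline[ts.hour]
        threshold = mean + k * max(sd, floor)
        if b > threshold:
            alerts.append((ts.isoformat(), b, round(threshold)))
    return alerts

def run_demo():
    """Learn from the constructed two-week window, then check the test window."""
    baseline = build_baseline(parse(make_baseline_log()))
    return detect(baseline, parse(TEST_LOG))

if __name__ == "__main__":
    for ts, b, thr in run_demo():
        print(f"ALERT {ts}: {b} bytes egress, baseline threshold {thr}")
```

Only the 02:00 sample trips the threshold; the 10:00 sample is large in absolute terms but normal for that hour, which is the point of modelling by hour of day rather than against one global average. As the text notes, the alert is a prompt to investigate, not a verdict: a scheduled backup can produce the same spike as data theft.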
Every organisation that falls within the scope of the OAIC’s Mandatory Data Breach Notification legislation must consider how it can improve the security of its people, processes and technology. Hiring security professionals, those who are trained and experienced enough to understand how to fully protect an organisation, can be an extremely costly exercise, which is why as-a-service security models have appeared over the past few years. For the price of a junior security staffer you can now take on the services of a Managed Security Service Provider (MSSP), who provides the SIEM tool, the UEBA technology and a team of experienced staff working around the clock to properly rebalance the security equation.
Huntsman Security can work with you to ensure you get the very best cyber security protections for your business, whether it’s insourced or outsourced, to ensure you stay on the right side of Mandatory Data Breach Notification legislation, keep your customer information safe and keep the bad guys out of your network.