Security & The New Data Breach Laws
The Current Threat Environment
On February 22nd 2018 the government released new, far-reaching Data Breach laws designed to address one of the fundamental issues that companies face today: cyber attacks.
In 2017, half of all US companies were hacked.
Source – https://www.insurancejournal.com/news/national/2017/09/29/465954.htm
That is not a misprint. In fact it is even more than that: 53%, according to the article.
Cyber Resilience Best Practices
Cyber Resilience is a discipline whose central tenet is not how to prevent every hacking attempt but the acceptance that you will be hacked, and making sure that you have the processes and procedures in place not only to recover quickly but to minimise the damage. Hacking is now so likely that most companies, large and small, have been involved in some sort of data breach in the last few years.
Even small companies with any sort of internet presence are likely to see tens if not hundreds of port scans a day. Companies and individuals are bombarded daily by rootkits, phishing, spear phishing, ransomware, malware, spyware, adware; the list goes on and on.
If it is on the internet, it IS A TARGET.
“Half of US companies in 2017 were hacked.”
The New Data Breach Laws
Enter the new Data Breach Laws, brought in by the Australian Government earlier this year to address data breaches and, more importantly, how companies notify their customers of a breach.
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
Further, the Business Readiness Index found “only 40% of Australian businesses had implemented six or more of the Australian Signals Directorate essential eight (ASD8) strategies to mitigate cyber security incidents.”
When it came to small business, this figure dropped to 12%.
Source: https://ia.acs.org.au/article/2018/what-data-breach-laws-.html
“The Maximum Fine is $2.1 million”
Why do we need these Laws?
In the last few years there have been multiple instances of companies hiding data breaches from the public and their customers. This left those customers exposed to further exploitation while they were unaware they were vulnerable at all.
It is clear that businesses cannot be trusted to do the right thing without the threat of strict penalties being imposed on them.
Notable examples include Uber, which hid a data breach affecting 57 MILLION users:
https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/
Or what about Yahoo, which hid a breach affecting all 3 BILLION of its users!?
https://en.wikipedia.org/wiki/Yahoo!_data_breaches
If you have an email address, the likelihood is that you have already been hacked. You can check here:
Mitigating Data Breach Risks
As explained above, although your company is likely to be hacked at some point, there are best practices that mitigate this risk as much as possible.
This is where the Australian Signals Directorate's Essential Eight come in.
These are:
1. Application whitelisting
2. Patch applications
3. Configure Microsoft Office macro settings
4. User application hardening
5. Restrict administrative privileges
6. Patch operating systems
7. Multi-factor authentication
8. Daily backups
More details can be found on this ASD webpage:
https://www.asd.gov.au/publications/protect/essential-eight-explained.htm
Next Steps
In essence you need a unified security policy that addresses these best practices with a mixture of overall security, email security, endpoint security, anti-malware, Mobile Device Management (covering both BYOD and on-premises / company-owned devices), multi-factor authentication, automated software updates implemented centrally, and specialist cloud security best practices. You also need advanced monitoring with Intrusion Detection software so you can swiftly identify and resolve any potential breach, alerting your customers quickly and safely.
Exxa can help with all aspects of designing and implementing these policies. Contact us now for more information.
Exxa is Axelos Resilia Cyber Resilience certified.
Further Reading
http://www.abc.net.au/news/2018-02-02/data-breach-notification-laws-coming-on-february-22/9391504
https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification
https://www.wombatsecurity.com/blog/scary-data-breach-statistics-of-2017