Data Breach Reporting Laws Hit Australia with Serious Implications for Businesses

Mandatory Data Breach Notification Laws will kick in on 22 February, but businesses remain unprepared. How is yours tracking?

February 22 marks the date Australia finally rolls out its long-awaited data breach notification laws. After years of back-and-forth, handballed from minister to minister, Australia has reached a point of maturity when it comes to lawfully disclosing serious breaches of personal and business data.

The news is likely to be music to the ears of consumers, who have been left in the dark by businesses sweeping breaches of sensitive information under the carpet.

Under the new laws, all organisations covered by the Australian Privacy Act will be accountable to the Notifiable Data Breaches (NDB) scheme. If an unauthorised person or entity accesses personal information, where it is likely to cause serious harm to that individual, the data breach will have to be reported to the Office of the Australian Information Commissioner (OAIC), as well as the individuals affected.

But, in 2018, it’s shocking to hear reports that Australian businesses still feel unprepared for the rollout of these laws. Businesses will soon be responsible for instant reporting of compromised data, incurring fines of up to AU$360,000 for individuals and AU$1.8 million for organisations. There are huge financial and brand risks at stake.

Cybersecurity is as imperative to businesses as the internet connection that helps them get their work done. If you’re one of those businesses feeling a bit shaky and unprepared for this change, here’s what you need to do.

Don’t get complacent

For businesses, one of the hardest things to measure is preventative costs against an unknown benefit — you don’t know what you might lose until you lose it.

It may seem obvious that data breaches occur when data is hacked, but breaches aren’t limited to malicious activities. Human error can also be at play within an organisation — for example, not following proper internal protocols that cause accidental loss or disclosure of information.

Other ways data breaches may occur:

  • Lost or stolen laptops, tablets, smartphones
  • Removable hard drives or USBs containing privileged information being passed on to other users without proper clearance or having these devices stolen
  • Hacked cloud and physical databases that contain personal and private information
  • Paper records stolen from unsecured bins/filing cabinets
  • Employees sharing privileged information outside of an organisation without the proper authority

What businesses should do to prepare (at the very least)

The Australian Signals Directorate (ASD) has published “Strategies to Mitigate Cyber Security Incidents,” a prioritised list of initiatives to enhance computer security. The eight most fundamental strategies on that list, known as the “Essential Eight,” are a cybersecurity baseline that ensures good security habits are employed throughout the organisation. The guidelines are best used as a baseline to sense-check current security protocols, then adapted to the specific needs of the business.

Here are the eight guidelines at a glance:

  1. Whitelist applications: Whitelisting applications allows only trusted applications to run on your network.
  2. Patch applications: Patching known security vulnerabilities in a timely manner is one of the simplest and most effective steps an organisation can take to ensure the security of its network and environment.
  3. Disable untrusted Microsoft Office macros: Automating routine tasks with Microsoft Office is convenient. However, macros can contain malware or malicious commands and often result in unauthorised access to sensitive information or the manipulation of critical data. The use of macros should be restricted to signed and trusted macros. Macros should also be routinely audited to determine if the macro is still
  4. Harden user applications: In environments where web browsing is allowed, common places for attack include malicious websites, advertisements and emails with infected attachments. The ASD recommends that administrators block web browser access to Adobe Flash and untrusted Oracle Java applications.
  5. Restrict administrative privileges: Due to staff turnover, overlooked default accounts or ease of use, there may be administrator accounts that provide far too much privilege and can be used to make significant changes or bypass critical security settings. Administrator privileges should be restricted to only those users who need them.
  6. Patch operating systems: Operating system vendors are continually issuing patches to remedy security vulnerabilities. Applying patches in a timely manner is essential to ensuring both the security of a system and the security of the data within it.
  7. Multifactor authentication: Strong access controls, such as multifactor authentication, can prevent an attack from compromising a system.
  8. Daily backup of important data: The daily backup of important data has never been more critical, as attackers develop increasingly sophisticated ransomware tools such as Petya and WannaCry. Daily backups of important data, and the secure storage of that data offline, ensure that your organisation can recover data in the event of a cybersecurity incident.
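As an added example that is not part of the original post or of any Tenable tooling, the following Python script shows what item 8 looks like when it is actually exercised: it archives a directory, records a SHA-256 manifest separately from the archive (the copy you would keep offline), restores the archive while refusing members that would write outside the restore directory, and reports every file that differs from the manifest. A backup that has never been restored and checked is only a hope, so the script also simulates a damaged restored file to show the check firing. All function names are hypothetical and the sample files are constructed inline.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX form) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path, manifest_path: Path) -> dict:
    """Archive src and write its manifest to a separate file.

    Keeping the manifest apart from the archive (on the offline copy, ideally)
    means damage to either one shows up as a mismatch at restore time.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(str(src / rel), arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def is_safe_member_name(name: str) -> bool:
    """False for archive members that would land outside the restore directory."""
    member = PurePosixPath(name)
    return not member.is_absolute() and ".." not in member.parts


def safe_extract(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing path-traversal members up front."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        bad = [m.name for m in tar.getmembers() if not is_safe_member_name(m.name)]
        if bad:
            raise ValueError(f"refusing to extract unsafe members: {bad}")
        # Python 3.12+ (and security backports) add a 'data' filter that also
        # blocks unsafe links and device nodes; older interpreters rely on the
        # name check above.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(dest), **kwargs)


def compare_with_manifest(manifest: dict, restored_dir: Path) -> list:
    """List files that are missing, changed, or unexpected relative to the manifest."""
    restored = build_manifest(restored_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"changed: {rel}")
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return sorted(problems)


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Perform a test restore and return the list of integrity problems (empty = good)."""
    safe_extract(archive, restore_dir)
    return compare_with_manifest(manifest, restore_dir)


def run_demo() -> dict:
    """Back up constructed sample data, verify a clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "records").mkdir(parents=True)
        # Constructed sample content, not real customer data.
        (src / "records" / "customers.csv").write_text("id,name\n1,Example Pty Ltd\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        archive = root / "backup.tar.gz"
        manifest = create_backup(src, archive, root / "backup.manifest.json")

        restore = root / "restore"
        clean = verify_restore(archive, manifest, restore)

        # Simulate damage to the restored copy (for example a file overwritten by ransomware).
        (restore / "records" / "customers.csv").write_text("not the original content\n")
        damaged = compare_with_manifest(manifest, restore)

        return {"files": len(manifest), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as a script and the clean restore reports no problems while the damaged one names the altered file. In a real deployment the manifest and archive would be written to separate media, the restore would happen on a host that is not the production system, and the result would be logged so that a failed daily verification is noticed before the backup is actually needed.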

Following each of these steps is a good starting point for creating a secure environment for your organisation. For a deep dive into the Essential Eight, read the ASD 8 whitepaper.

This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Bede Hackney. Read the original post at: