A Reflection on Notifiable Data Breach: Year One
- 20 February, 2019 14:00
How much trust should the Australian people put into businesses when it comes to storing their data? When the Notifiable Data Breach legislation was implemented this time last year, it represented government telling businesses they had to take great responsibility for the Australian public’s data. Little did they know the Facebook-Cambridge Analytica scandal would shine a giant spotlight on data privacy in the months to come.
It should come as no surprise that governmental privacy laws, like Australia’s Notifiable Data Breach Scheme (NDBS) and the EU’s General Data Protection Regulation (GDPR), which also applies to Australians, have changed data privacy and the requirements on businesses to protect data. In theory, the punishments for a breach are now much higher than a simple warning behind closed doors. Now businesses must ensure they are being responsible and following data protection policies. Through the first year of the NDBS being implemented, 812 breaches have been reported, cumulatively affecting millions of Australians.
So what lessons can be taken away from one year of the NDBS? The Office of the Australian Information Commissioner’s quarterly reports on Notifiable Data Breaches are quite damning in that the number of reported breaches rises consistently, when it should be falling. What this tells us is that no organisation or industry is immune from a data breach, and the attackers are evolving.
Malicious or criminal attacks remain the most common breach cause. Across the four quarters of NDBS reporting, from February 2018 to December 2018, malicious or criminal attacks have made up at least 50 percent of reported breaches. While one typically imagines malware and ransomware as the common methods for threat actors to breach organisations, it is credential compromise and phishing that take the top prize.
After malicious attacks, breaches caused by human error continue to plague businesses. Human error accounted for about a third of reported breaches overall, but for the top five industry sectors it is closer to 50 percent or higher.
Most concerning to Australians should be the sources of data breaches. Health service providers (21 percent in Q4) have consistently been the top industry sector responsible for reporting data breaches. That figure does not include any notifications made under the My Health Records legislation. In an era when Australians are being encouraged to share their health data with the cloud, the health sector must do more to prevent breaches.
Australian businesses are realising that data privacy should be a priority, as they are placed under greater scrutiny world-wide to be conscientious about how they use and store data about employees and customers. When data privacy is made a priority, businesses focus on strengthening identity management and eliminating human error.
Strengthen Identity & Access Management
If businesses deploy stronger identity and access management practices, they gain better protection from credential compromise. When employees share information over digital channels, they can be confident they know who they are communicating with. Multi-factor authentication is an effective approach to mitigating compromised-credential attacks. The added layer of security from multi-factor authentication makes password theft less damaging, because cyber criminals also need the second factor, such as a physical token, a one-time access code or a mobile authenticator application, to access a business’ network.
Likewise, a strong password management platform is essential for all organisations. Enforcing policies that require employees to reset their passwords regularly will reduce the risk of threat actors working out a password, and a management platform can automatically flag any inconsistencies. Adding password management and vaulting capability for privileged accounts then ensures that the keys to the kingdom are not left in a text file on users’ desktops (or under keyboards).
Strong identity and access management practices won’t prevent every attack, but they will make it harder for threat actors to breach the walls of a business.
Fix human error
While identity management can reduce the chances of a successful malicious attack, it can’t do much against human error. It may seem like preaching to the choir, but employee education is extremely important in every organisation. Just as executives understand the importance of protecting customer data, the same standards must be instilled in employees and in any party who accesses the systems.
Regular employee training should be implemented by businesses to remind employees about the importance of securely handling personal information. After all, employees are an extension of an organisation, and their actions can have real financial and reputational impacts across a business.
In addition, logging, recording and monitoring solutions can make employees more accountable by tracking their actions. Using session recording for privileged access, businesses can track employee actions, which can be reviewed if a data breach is suspected. Not only will this improve an organisation’s understanding of the causes of a breach, it will help in the future because employees are more aware of past actions that have led to a breach.
One year on from the Notifiable Data Breach Scheme, most Australian businesses still have a long way to go before they can be confident their data protection measures are adequate. In a world where cyberattacks on organisations are inevitable, businesses must make them as difficult as possible for threat actors. By reducing the simplest threats, such as human error breaches, and making it harder for attackers to compromise accounts, organisations will be less likely to become a statistic in year two of the NDBS, and will create a more secure digital environment.