It is becoming increasingly difficult for Australian companies to maintain a cone of silence over data security breaches. There are a number of factors driving this situation.
The first is the most obvious. In this new age of hacktivism, companies that become victims can expect the attackers to take a public victory lap at their expense. This type of disclosure can be very embarrassing for an organisation and immediately places it in a defensive position.
The second factor is legislative pressure and the discussions here in Australia are not unique internationally. The Bill introduced into the Federal Parliament last May adds mandatory data breach notification to the numerous requirements that organisations and agencies will need to address before changes to the Privacy Act 1988 take effect in March of next year.
The Privacy Alerts Bill will, if passed in its current form, impose new requirements on agencies and organisations to notify the Australian Information Commissioner and affected individuals where there has been a “serious data breach”.
Legislatures are discussing this issue from Australia to Europe to the United States. In the US, for example, data breach notification legislation has been debated for years but never passed at the Federal government level, while more than 44 state governments currently have data breach disclosure laws on the books.
Beyond the legislative efforts, organisations are beginning to proactively disclose this information. The unfortunate reality is that cybercrime and data breaches are so widespread that the stigma of being a victim has been reduced, if not the pain. According to the Verizon 2013 Data Breach Report, there were 47,000 reported security incidents and 621 confirmed data breaches in the past year. Over the entire nine-year range of this study, the tally now exceeds 2,500 data breaches and 1.1 billion compromised records.
In this environment of hacktivism, legislative pressure and widespread threats, the trend is toward disclosure, whether mandated by law or best practice, or in the worst-case scenario, forced upon a business from a position of weakness.
What should you do?
The average tenure of a Chief Information Security Officer (CISO) is now just 18 months. The ability to see and understand the threat environment, incident response, attack forensics and audits are things that are sometimes taken for granted, and they are becoming front-line issues for the CISO and for organisations in general.
The CISO and their internal security teams need a robust understanding of attacks; they need the ability to pull both high-level summaries and deep forensic dives. Why? For their own job security, number one. Number two, the reporting requirements discussed above are fluid. There is a distinct possibility that mandatory data breach notification will become law in Australia either in 2014 or in the next few years, and with it the responsibility to inform the Australian Information Commissioner. However, organisations should also be informing other key stakeholders, including their customers, partners and shareholders, about a serious data breach.
If the most important objective is to protect information – not only its privacy, but also its availability – risk needs to be managed at the appropriate level, so that both business and technology strategies can still be achieved. One of the keys to success is getting the leadership team to internalise the issues associated with protecting the organisation’s information, the impact their involvement has and what their role is in the security program.
Engaging with management
Data protection has to be a priority well beyond the CISO’s office. It must be understood and supported from the board of directors to the CEO and down throughout the entire organisation.
Most information security executives believe that the executive team and board need to learn the information security vocabulary. While leadership teams do need to understand the basic principles, the information security executive has to communicate in terms the leadership team understands.
Conclusion and next steps
The executive team sets the tone for the organisation. If the executive team communicates that protecting information is important to them and makes the right investment, the rest of the organisation will take it seriously. It is important to communicate to the executive team what their role is, and the message needs to be in language they understand. This ultimately leads to a resilient, secure infrastructure, and the business's ability to defend itself from unplanned attacks increases greatly.
With this communications process in place and the security risks and challenges understood from the top down, organisations will be in a position to better protect critical data and assets, as well as meet any emerging legislative requirements for disclosure.
Security vendors need to focus not only on the identification and mitigation of attacks, but also on workflow, reporting and forensics, in order to arm Australian organisations with the understanding and information they need to meet these emerging legislative requirements.
Nick Race is country manager, Arbor Networks Australia