Distribution Central managing director Nick Verykios said resellers will remain trusted advisors.
"The reseller, regardless of chosen pathway to market, is and will remain the trusted advisor to all organisations," Verykios said. "They will continue to look to their vendor partners and distribution partners to make sure that they are presenting the latest strategies to ensure their customers do not get affected by the latest threats."
He said channel partners, when discussing the effects of the Privacy Act, should focus on solutions around security and operations, not only compliance.
"Because security problems, any kind and inclusive of data leakage and those associated to privacy legislation, can bring an entire organisation to a standstill or down for good. That is the historic truth."
That regulation should be seen as an incentive to build strong security and privacy controls was a point echoed by David Sykes, sales director for Sophos Australia and New Zealand. He said security controls should be built according to an organisation's reputation, not according to laws.
"However, the way in which an organisation approaches security and privacy, including the outlay of cost and resources, should not be dictated by legislation," Sykes said.
"Instead the best approach for costing compliance should be proportionate to the value that the company places on its reputation, and how heavily the business relies on the Internet in serving that business."
The coming months may not herald a flurry of activity from organisations racing to comply with the Act. During this time, the channel should keep an eye out for any enforcement moves the Office takes under the Act which may generate a shakeup within particular industries, according to IPSec director of operations Ben Robson.
"What this means for the channel and organisations themselves is ... there will not be a sudden rush between now and when the law becomes actively enforced," Robson said.
"Organisations will take their time, they will wait to examine rulings against organisations of a similar size to their own, and will then implement solutions based on the expectations of the courts."
He said organisations will likely take "modest steps towards privacy protections" without being entirely committed to compliance until sufficient rulings occur against organisations of a similar size.
It appears unlikely that the office will be making an example of the first company to be breached. The initial months following March 12 will see the office "working with entities to ensure" organisations and agencies "understand the new requirements and have the systems in place to meet them".
It would, according to a joint statement by Pilgrim and Australian Information Commissioner Professor John McMillan, adopt "an enforcement approach to the reforms which recognises that Australian Government agencies and businesses are working hard to implement the new requirements".
Large Australian organisations including banks, telcos, retail chains and insurers, along with government agencies, have implemented privacy reform and review schemes, with some flagging plans to rip and replace customer database management systems.
But tech representatives for the small end of town have warned that those businesses are unaware of, or uninterested in, investing to comply with the reforms.
Sense of Security southern region business manager Aarron Spinley said the first point of difference between how large and small organisations comply with the new Act will be in the execution of policies.
"In regard to the potential or perceived disparity between the assessment of large versus small organisations, the first real measure is likely to be the presence or absence of any overriding governance arrangements," Spinley said.
"Policy statements may differ between large and small organisations, but the way that policy is implemented will."
The Commissioner may seek out the intent of organisations to govern data and then look to technical and process controls, he said. "An organisation might attempt to argue about the make-up of specific technical controls, but the absence of any governance arrangements would seem to be less defensible."
Pilgrim said organisations voluntarily confessing breaches to the office and alerting compromised users – in lieu of the scuppered mandatory reporting scheme – would be considered to have taken at least one 'reasonable step' to comply with the Act. The office received about 30 voluntary data breach notifications from organisations in the current financial year.
He advocates that organisations initiate privacy impact assessments to determine where sensitive customer information lies, who could access it, and what the risks of holding that information are.
Smaller organisations unsure of where to start in terms of compliance should look to ISO security and risk standards, Pilgrim said.