Companies must be ready to learn from breach-notification exposure, not fear it

Australian boards, executives should view new laws as an opportunity, not just a threat

Australian businesses need to get over their fear of being singled out under looming breach notification laws and be prepared to use public shaming as a trigger for internal transformation, two security consultants have advised as the February 2018 implementation deadline for Australia’s new Notifiable Data Breaches (NDB) scheme draws ever nearer.

Implementation of the scheme – which languished in Parliamentary committees for most of a decade until finally being passed earlier this year – would rapidly improve visibility of a raging undercurrent of unreported breaches, Len Kleinman, APJ chief cyber security advisor with RSA Security, told CSO Australia in the wake of a seminar on the looming legislation’s implications.

Many outsiders were unaware of just how many breaches were occurring on a regular basis but “if you were involved in the management of security incidents, you would be aghast at how much is actually kept quiet or swept under the carpet,” said Kleinman, who expressed optimism that increasing visibility would feed centralised breach databases that could be drawn on by companies of all sizes to align their security programs with real-world threats.

“It seems such a tragic loss to not use those breaches to tease out nuggets of gold and use them to improve your posture and cyber resilience,” he added. “The gem of this all really is the post-event review. You can take lessons learnt and plunge back into your security hardening program to improve your posture so it doesn’t happen again next time.”

When engaging with clients around security, Kleinman – who spent 14 years working in governance and IT-security roles with the Australian Taxation Office – noted four key areas where he tends to focus their attention first.

These include identification of key information assets; conducting an assessment of both technical and non-technical policies around their security posture; better data classification to assist in triaging after a security breach; and the supporting “information apparatus” including penetration testing, security certifications, and other mechanisms that contribute to an organisation’s overall security posture.

Organisations needed to ensure their NDB preparations also include a clear understanding of ever-stricter privacy legislation of which many companies are still “completely unaware”, noted Helaine Leggat, director of Information Legal, who joined Kleinman to highlight some of the legal issues implicit in the new regime.

“Australia is very far behind in privacy law and electronic law,” she said. “There is a naiveté here that has protected us for a long time, and Australia really needs to wake up. People should be encouraged [to improve], not beaten up.”

The Australian legislation offered strict penalties but still fell short of that in some countries, she said, noting that she is she is “astounded” by the level of punitive threats contained within some countries’ mandatory breach notification legislation.

Such heavily punitive legislation – which includes personal jail time in some countries – might create productive fear amongst eyes of senior executives and board members worried about being held personally liable, but it could also hamper efforts to turn NDB schemes into productive learning tools.

“They shouldn’t be embarrassed to begin where they need to begin,” she continued. “You’re talking about high

value, high sensitivity information, and if you understand what the law requires, it’s very easy to rationalise its protection.”

“The mistake everyone is making is that they’re all now saying ‘ooh, a breach’ – while forgetting that it’s a very small part of an enormous [compliance] universe that everyone has been working within for years.”

Businesses are already at different levels of compliance around those guidelines, with many companies too focused on compliance without considering the technology needed to implement it.

Others have left NDB compliance to the IT function, allowing conversations about compliance to evolve far from the watchful eye of boards that are increasingly recognising that security and privacy have become fundamental corporate imperatives.

“One of the biggest problems I’ve seen is that people tend to buy point solutions to address a point problem because they’re coming from a compliance driven mindset,” Kleinman said. “But they really need to be thinking holistically and in a risk-based way.”

“They need to have a technology stack that is like your Swiss Army knife: it can be used to perform incident investigations and technical responses, but that same stack should be able to give you good monitoring, pervasive visibility, and help with identifying anomalous action that could signify a breach.”

Many organisations will turn to cloud-based services to help them rapidly add capabilities in the runup to the NDB implementation: Gartner, for one, recently forecasted that cloud-based security services would grow 21 percent this year to reach $US5.9 billion ($A7.85b), nearly tripling the overall growth rate of the overall information security market.

Investment in cloud-based security Information and event management (SIEM) platforms, which offer crucial visibility into growing volumes of security events, were forecasted to double between 2016 and 2020, when they would comprise some $US607.7m ($A808.3m) in revenues.

Tags notification lawsAustralian businessesNotifiable Data Breaches (NDB)Kleinman

Show Comments