Australia’s notifiable data breaches (NDB) scheme will have forced the disclosure of around 950 data breaches in its first year of operation, but experts warn that many companies still lack the internal capabilities to comply with breach-reporting requirements around evaluating the extent of any incident.
Growing numbers of disclosures “indicates agencies and organisations are complying with their notification obligations,” Australian information commissioner and privacy commissioner Angelene Falk said in commemorating the first anniversary of the scheme.
That anniversary “is an opportunity for regulated entities to reflect on the causes of breaches that put personal data at risk and how they are managing their privacy obligations,” Falk added.
“We expect organisations and agencies to act on the risks highlighted by these reports – whether or not they were directly affected – and take steps to prevent a similar breach of Australians’ personal data.”
Quarterly reporting by the Office of the Australian Information Commissioner (OAIC) reported 812 breaches to the end of 2018; extrapolating from the average rate of around 2.66 breaches per day suggests that another 140 incidents will have occurred between the beginning of 2019 and the 22 February anniversary.
That’s a considerable volume of breaches that remained largely constant during the course of 2018 – suggesting that Australia’s businesses have been struggling with breaches as background noise for many years before they were required to disclose them.
“As we’ve seen since the introduction of the NDB scheme, organisations continue to struggle with the increased presence of new cyber threats,” said Cisco vice president and chief privacy officer Michelle Dennedy, one of numerous speakers at next month’s Cisco Live! conference in Melbourne.
Stronger reporting requirements are “pushing businesses to innovate to do a better job of protecting data,” she said, “prompting the need for organisations to take a proactive cyber defence posture with all their tech strategies, and have access to timely accurate threat intelligence data and processes that allow for that data to be incorporated into security monitoring.”
Visibility a challenge for CISOs
Despite clarity and acceptance around the visibility requirements of NDB – and similar legislation like the EU general data protection regulation (GDPR) – many companies continue to struggle in achieving that visibility.
Businesses may think they have the visibility they need and only find out they’re lacking when it’s too late; conversely, others may have over-invested and end up functionally paralysed because they have over-instrumented their work.
Walking this fine line has proven to be a real challenge for CISOs, warns Barbara Kay, senior director of security product marketing with threat-visibility firm ExtraHop.
Once a breach happens, CISOs “move quickly into impact assessment, trying to draw some viable boundaries around how big the problem is,” Kay explains. “If they don’t get it right, they go into serial disclosure mode and have to correct themselves.”
“You triangulate on faith, and every time you make a misstep people think you’re crying wolf. But as CISO, you’re forced into this kind of difficult decision because you don’t know enough, with enough conviction, to pick something that is closer to accurate.”
The recently-released Oracle and KPMG Cloud Threat Report 2019 shed some light on the extent of the problem and the challenges posed by increasing adoption of cloud solutions: just 1 in 10 respondents, for example, said they can analyse 75 percent or more of their security events.
Visibility of key information assets, particularly in increasingly heavily-used cloud environments, was named as the top challenge by 38 percent of respondents, with 30 percent noting the challenges posed by trying to get visibility into cloud-based server workloads.
Informing an industry response
The security market has also been watching the operation of the NDB scheme with interest, Dennedy said, noting that the breach reports “give a more realistic sense of the market. We now understand what we really do need to protect customers. We don’t have unlimited time and resources – and a year on, this gives us a schema.”
Vendors have been realigning themselves to better suit the growing need for visibility and control over enterprise data assets.
This week, for example, saw BlackBerry finalising its acquisition of AI-based security stalwart Cylance, which will improve security visibility across a range of endpoints.
Dimension Data owner NTT Group, which also owns NTT Security, for its part, refurbished and expanded that company’s Sydney facility into a 49-seat security operations centre (SOC) that expands NTT’s global SOC network to 10 sites serving a considerable global customer base.
“The level of analytics and automation we have in the SOC, and the instantaneous access we have to threat intelligence globally is a clear differentiator for us in the Australian market,” Dimension Data’s Australian director of cybersecurity, John Karabin, said in a statement.
“We also now have access to highly specialised security skills and resources from geographies where particular technologies and applications are already in more widespread use, such as IoT deployments in manufacturing industries and critical infrastructure.”