CSOs’ to-do lists expanding as new ASD security guidelines herald breach-notification revival

‘Essential Eight’ mitigation strategies reinforce mandatory Top 4 practices, just in time for bipartisan breach-notification support

The Australian Signals Directorate (ASD) is so confident of the efficacy of its expanded cybersecurity guidance that it is offering to engage with businesses if the measures fail to stop a security breach, giving them support before, during, and after the mandatory notification that would be triggered under the breach-notification laws revived in Parliament this week.

Debuted this week, the organisation’s ‘Essential Eight’ security strategies outline eight core areas of practice that it says can, if properly followed, almost completely block compromises by malware and ensure that the damage caused by any incident is limited.

Four of the protections – application whitelisting, patching of vulnerable applications, patching of operating systems, and enforcement of user-based privileges according to organisational role – have been mandatory for federal government agencies since April 2013 and can, according to the ASD, stop 85 percent of the techniques used by cybersecurity adversaries.

The four new protective strategies comprise two additional measures to prevent malware from running – disabling untrusted Microsoft Office macros and user application hardening – and two additional measures designed to limit the extent of the damage an incident can cause: use of multi-factor authentication (MFA) and daily backup of important data.

Incorporation of the four new measures reflects the broad recognition of the ASD’s Top 4 as a good starting point for securely locking down corporate and government environments. It also reflects security best practice in areas such as MFA, where a preponderance of options has left many businesses struggling to effectively implement consistent, policy-based frameworks.

It’s a battle that must be fought to improve overall security, says Ray Simpson, Asia-Pacific director of compliance and risk services with security consultancy Trustwave. Many of the ASD’s guidelines mirror criteria that have been added to the Payment Card Industry Data Security Standard (PCI DSS), a comprehensive and auditable framework for data protection with which Simpson has been involved for many years.

“We find companies often fall short of the expectations of the standards, and in all honesty of the expectations of best-practice security,” he told CSO Australia. “People often refer to this as best practice – but I think it’s actually essential practice. Even for smaller companies that may not have security knowledge internally, it gives them the framework to implement some really good security.”

Implementation of MFA was an area of particular importance, Simpson said, because many companies “still struggle with” implementing a regime with two completely separate factors. “There needs to be independence between the two factors,” he explained. “For example, if I log onto the environment with my phone, I can’t also use the phone for a one-time password to be sent: if the phone is compromised, both factors are compromised.”

The revision of the ASD guidelines coincides with the government’s ramp-up towards long-awaited breach disclosure laws – which were flagged as important back in 2012 by Australian Information Commissioner Timothy Pilgrim, whose office recently released a visualisation tool that includes scope to monitor breach volumes.

The enabling legislation for the breach-notification regime – the Privacy Amendment (Notifiable Data Breaches) Bill 2016 – this week received support for a third reading, bringing the regime closer.

The business community has been broadly supportive of mandatory breach notification, with the majority of the 47 submissions received on the subject supporting it. And while the consequences of a reported breach will vary widely, the legislation reinforces the expectation that companies will make best efforts to secure personally identifiable information.

“It is possible that, despite having taken reasonable steps to secure personal information it holds, an entity may nonetheless experience a data breach due to human error or other circumstances that are not reasonably foreseeable,” minister for justice Michael Keenan said in introducing the bill last October. “An exception will also apply where an entity can determine with a high degree of confidence that it has taken action to remediate the harm arising from an eligible data breach before that harm has occurred.”