CIO

Breach-notification laws will expose Australian businesses as unprepared

Immature governance, risk and compliance investments are inadequate to support Notifiable Data Breaches requirements, expert warns

As the introduction of Australia’s mandatory Notifiable Data Breaches (NDB) legislation looms ever larger, many companies are limiting their ability to comply with the new rules by erroneously reassigning data-security budget to conventional governance, risk and compliance (GRC) activities.

That’s the warning from LogRhythm Asia-Pacific vice president Bill Taylor, who has seen a surge in interest in the new legislation amongst the companies he’s working with but says that many are tipping the scales too far towards GRC and too far away from the technology they need to enable it.

“We’re seeing in some cases that security budget is being sectioned out or partitioned out, in a small number of cases, more towards GRC,” he explained. “But many of them don’t have the tools, relationships, or compliance-orientated programs in place to really measure what is at risk and how exposed they are.”

Measuring that exposure remains a challenge for any organisation: the growing number of attack vectors requires increasingly complicated monitoring regimes that account for both on-premises and cloud-based infrastructure, as well as for users entering the company network from conventional devices, mobile devices, cloud applications, third-party partners, and more.

The diversity of ways in which modern businesses electronically engage with their users has created an imperative to centralise the monitoring of that activity, then analyse all of it with integrated analytics tools that cover user behaviour, network traffic, endpoint performance, threat-intelligence feeds, and more.

“At the moment we have this opportunistic and reactive response with mandatory disclosure,” Taylor said. “Having the tools to ensure that you are capturing as much as you can in terms of detection and response, and capturing as much as possible, can’t be done if you don’t have the systems in place to capture potential breaches. It’s important to fill the gap between what you have today and what is required for mandatory disclosure.”

Surveys of Australian businesses suggest that many are still a long way from filling this gap. The Australian Cyber Security Centre’s (ACSC’s) Cyber Security Report 2017, for one, found that while 70 percent of respondents appeared to display a high level of cybersecurity resilience, fully 43 percent of those organisations said they don’t generally identify cybersecurity threats or vulnerabilities until after they have been compromised. And 51 percent said they were generally alerted to possible breaches by external parties before they noticed the incidents themselves.

This isn’t the kind of posture that will serve businesses well once they are governed by the NDB scheme, which will come into effect on 22 February 2018. The legislation lays down expectations around protection of personally identifiable information (PII) and requires rapid notification – of the Office of the Australian Information Commissioner (OAIC), as well as affected individuals – in the event that such a breach is discovered.

“Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm,” the OAIC has advised in guidelines that also include a guide to securing personal information. “We strongly recommend that all organisations review their practices, procedures and systems for securing personal information.”

Fundamentally, the Australian legislation – like comparable legislation in other countries – has been designed both to increase the information available about the existing cybersecurity threat, and to increase companies’ sense of responsibility for being honest about their experiences and about the protections they should be putting in place.

The recent ACSC figures suggest compliance is a significant driver for cybersecurity investments, with 43 percent of surveyed companies naming legal and regulatory compliance as a top motivator. Yet this is well behind broader goals such as protecting company data (76 percent) or protecting customer data (73 percent).

Introduction of the NDB scheme is likely to significantly increase the motivation of those companies to invest in cybersecurity for compliance. But the gap between proactivity and reactivity remains large, according to the ACSC figures. Just 11 percent of recent board-level discussions were prompted by an actual cybersecurity incident, the organisation’s research showed, and 31 percent of respondents said their senior management is only updated on cybersecurity after an incident or breach has occurred.

Elevating cybersecurity processes to the level of conventional GRC processes can be a real challenge for business executives who are often still working to implement conventional GRC processes based on relatively predictable financial, HR, shareholder-expectation, information-management and other known quantities. But as the ongoing global WannaCry ransomware attack demonstrates, throwing a field as unpredictable as cybersecurity into the GRC mix – and backing it with a reactive rather than a proactive cybersecurity stance – can dramatically change those processes and put the whole organisation on an uneven footing.

“Businesses are realising that they need to increase a number of things in the organisation to ensure that they have coverage for full mandatory disclosure with a predictive, professional, and optimised environment,” Taylor said.

Building such an environment requires management of every point in the threat lifecycle, and the integration of those points into a coherent and effective whole. This includes elements addressing planning, people, systems, processes, and governance – yet the ACSC figures suggest that Australian companies remain woefully underprepared in most of these areas.

Just 64 percent reported regular cybersecurity risk reporting to the board or senior executives, and 19 percent pursued external certification to cybersecurity standards. Only 56 percent had processes in place to identify critical systems and data, just 53 percent were using a security information and event management (SIEM) system, and only 54 percent had developed a cybersecurity incident response team or similar capability.

Not only are these figures well below the optimal level for ensuring rapid response, but they are skewed upwards because the 113 organisations involved in the ACSC’s survey are generally larger businesses and government agencies with significant cybersecurity resources and investments. Extrapolated to general businesses and smaller companies, anecdotal reports suggest the real figures would be lower – which bodes poorly for compliance in a strict NDB environment that will require companies to be intimately aware of their current exposure and compromises at all times.

“At the very least,” Taylor said, “companies that get hit should be able to turn around and say ‘we got hit and this is what happened; none of our customers were breached in any way; and we managed to secure it’. But in reality you’ve often got this mostly reactive to semi-compliant approach that says ‘we’ve been hit and in such a big way that we’d better disclose it’. We need to close the gap.”