CIO

Data breach notification: not just IT’s business

By Destiny Bertucci, Head Geek™, SolarWinds

With data breach notification soon to become mandatory, many Australian businesses have ramped up their cybersecurity monitoring and defences. But data breach notification and awareness isn’t just the responsibility of IT—it’s a business issue and should be treated as such. At any level, businesses are only as good as their weakest link.

Everything is becoming digitised and connected, and customers now expect transparency from the organisations they trust with their data. Couple these facts with our new data breach notification laws and it’s easy to see why this is a cross-business responsibility.

Let’s consider the reasons why Parliament may have ended up passing this legislation. First of all, the costs of cyberattacks have grown far too big to ignore: we’re talking about up to $16 billion in damages over the next 10 years, enough to put a significant dent in Australia’s economic growth. More importantly, however, is that every successful cyberattack causes Australians to lose faith in the integrity of their digital services. That’s something neither businesses nor governments can afford after placing big bets on digital innovation.

Questionable loyalties

In other words, data breach notification is as much about trust as it is technology. And that makes it a responsibility for all businesses in their entirety, not just the IT departments of those with $3 million or more in turnover (the ones required, by law, to report any breaches).

In fact, a strong data breach policy can function as a great customer retention tactic. Businesses that clearly communicate their commitment to breach notification—and prove that they’ll deliver on it—are much more likely to gain the loyalty and trust of customers than companies that avoid doing so, or only achieve the bare minimum of what the law requires. That’s particularly true for SMEs, which aren’t required by law to be transparent about data breaches. Doing so is akin to flashing Batman’s signal over Gotham: you’re sending a clear message that you’ll stick up for what’s right, even if it comes with a cost.

Despite what many business decision-makers think, I’ve always said that cybersecurity is a business issue more than an IT one, and data breach notification legislation reinforces this. The consequences of a breach have as much to do with reputation and brand as anything else, which are business elements that IT can’t and shouldn’t be expected to lead on. Depending on how you approach it, data breach notification can either pose financial risks or trust-building opportunities. Just like Batman, IT takes responsibility for doing the work and saving the day, but it’s up to the business to point them to where they’re most needed and make their efforts known to customers.

Once more unto the breach

That raises the question: if data breach notification is everyone’s responsibility (and it is), what’s the most practical way to make it a reality? Months after the data breach legislation passed, many organisations are still struggling to identify when a cyberattack occurs and how much data it has compromised, even with a 30-day notification window. Often, they’re overcomplicating the situation.

First, plan before you buy. I’ve seen countless businesses rush in and purchase “best-of-breed” or “bleeding-edge” defences without knowing what to use them for. Do that, and the only thing bleeding will be your budget. Focus on understanding how the new legislation’s requirements apply to your business, identify your most sensitive or vulnerable data, and decide who’s responsible for its protection before you even look at a vendor’s website. You’ll find that doing so leads to much faster and more stable implementation than a “shoot first, ask questions later” approach.

Invest in monitoring before erecting your defences. Data breach notification requires you to know when a breach occurs, and you can’t know what you don’t monitor. SIEM (Security Information and Event Management) software will tell the business when an attack has occurred, what it may have compromised, and whether other systems may still be at risk. Apart from the usual suspects—event logs, Active Directory®, USBs, and other external devices—map your monitoring and reporting strategy to business priorities. These will change over time, so ensure your SIEM tools are agile enough to keep up.

Finally, don’t stop testing. It’s likely that as you implement your monitoring, automated reporting, and response systems, you’ll discover that your initial priorities and strategy aren’t 100% accurate. When that happens, ditch unneeded defences—the digital equivalent of shark repellent—as quickly as possible and refocus efforts on areas that prove to be either weaker or more critical. And don’t forget to update the rest of the business when you adjust your defences. Failing to do so may result in a false sense of security for both them and your customers.

Most IT teams already have the skills and experience to make data breach notification happen. For it to work effectively or become a source of competitive advantage, however, the business needs to step in and say what needs defending and why. When it does so, data breach notification can earn back customers’ trust in a time when consumer loyalty is rarer than ever before. That makes IT the hero every business leader needs—though not necessarily the one they deserve.