CIO

The Major Tool Missing From Australia’s Efforts to Stem Rising Data Breaches

By Richard Gerdis, GM & VP Sales, APJ, Delphix

In May, the Office of the Australian Information Commissioner (OAIC) revealed that it received 215 data breach notifications during the first quarter of 2019, which was down 18 percent from the previous quarter.

At first glance, this might come as a relief given long-held fears around cyber security. But given that 10 million individuals, or half of the Australian population, had their information compromised in just one reported incident, that’s clearly not the case.

Given broader efforts by both government and industry to encourage and ensure best practice in information security and data handling, the sheer number of people being impacted by data breaches is alarming.

Having said that, it’s not as though the government isn’t trying to put the right actions in place to reduce breach rates. The introduction of the Notifiable Data Breaches (NDB) scheme is certainly a step in the right direction. The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, has spoken extensively about the important work government entities have been doing with each other and the private sector to identify and promote ways to combat the common causes of data breaches, including working with the Australian Cyber Security Centre (ACSC) to provide prevention strategies for organisations.

While Falk’s comments indicate both the government and private sector are employing a mix of common sense and more complex solutions, the jury is still out on whether these approaches are proving effective. Indeed, Australian organisations are still reporting an alarming number of breach notifications as they battle against a fast-moving community of criminals who are thirsty for valuable data. Meanwhile, individual employees continue to make simple mistakes that have the potential to expose sensitive data.

The government must consider new ways to protect data and create a means of ensuring the implementation of the most effective solutions currently available. This should go beyond simple control frameworks and extend to specific real-world solutions.

The one big feature missing from the government’s regulatory approach is data masking.

Data masking, or data obfuscation, is not a new idea. It is a method of protecting sensitive data by replacing the original value with a fictitious but realistic equivalent. Unlike reversible cryptographic coding, the best data masking techniques are irreversible, so sensitive data can’t be restored to an unsafe state. Because masked data looks, feels, and operates just like real data would, it can still be used to develop and test software without putting sensitive data at risk during the development process.
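To make the idea concrete, here is an added sketch (not from the article or from any vendor's product) of one common way to mask records: a keyed one-way hash picks a fictitious replacement for each field, so the output keeps its format and stays consistent across tables. The field names, value pools and sample record are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed pools of fictitious values (assumption; a real run would use larger lists).
FIRST = ["Alex", "Jordan", "Casey", "Morgan", "Riley", "Taylor", "Jamie", "Avery"]
LAST = ["Nguyen", "Smith", "Brown", "Wilson", "Martin", "Kelly", "Walker", "Young"]

def _digest(key: bytes, field: str, value: str) -> bytes:
    # Keyed one-way hash. The field label keeps columns in separate domains.
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()

def mask_name(key: bytes, value: str) -> str:
    d = _digest(key, "name", value.strip().lower())
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"

def mask_email(key: bytes, value: str) -> str:
    # Same input always maps to the same output, so joins across tables still work.
    d = _digest(key, "email", value.strip().lower())
    return f"user-{d[:5].hex()}@example.invalid"

def mask_digits(key: bytes, value: str, keep_prefix: int = 0) -> str:
    # Replace digits only; length, spacing and punctuation survive so format checks still pass.
    d = _digest(key, "digits", "".join(c for c in value if c.isdigit()))
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen < keep_prefix else str(d[seen % len(d)] % 10))
            seen += 1
        else:
            out.append(c)
    return "".join(out)

def mask_record(key: bytes, rec: dict) -> dict:
    return {
        "id": rec["id"],  # surrogate key, not sensitive in this constructed schema
        "name": mask_name(key, rec["name"]),
        "email": mask_email(key, rec["email"]),
        "phone": mask_digits(key, rec["phone"], keep_prefix=2),
    }

if __name__ == "__main__":
    # Per-run key that is never stored: once it is gone, the mapping cannot be recomputed.
    run_key = secrets.token_bytes(32)
    # Constructed sample record.
    row = {"id": 1, "name": "Priya Raman", "email": "priya.raman@corp.example", "phone": "+61 412 345 678"}
    print(mask_record(run_key, row))
```

If the key is kept after the masking run, anyone holding it can test guesses against small value spaces such as phone numbers, so the masking is only irreversible in practice once the key has been destroyed.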

Oftentimes, enterprises resort to locking down their data, but that’s not a viable security technique. Rather, it’s becoming increasingly important to provide secure access to data that flows across an organisation to innovate faster and at scale. Digital transformation success rates remain dismally low, as only 8 percent of companies say their current business model would remain economically viable if their industry keeps digitising at its current course and speed. With this in mind, it’s clear nobody can afford the lag that results from an inability to share data.

If a company is building a new application, for example, it will experience delays if it is unable to share its data externally with a developer due to security concerns. Data masking sidesteps this problem by simply replacing the sensitive data with fictitious data that is still usable. In this sense, data masking not only serves to protect data, but also fuels digital innovation and faster development cycles by enabling real-time access to company data for those who need it most.

If the government wants to support continued innovation in Australia while simultaneously maintaining a strong data protection mandate across the industry and in the public sector, embarking on a data masking regime is a good first step. The government would greatly benefit from adding data masking to the broader regulatory frameworks that dictate how sensitive information is stored, handled, and used.

This way, no matter what other controls or technologies are being employed to protect data, there will be a blanket regime in effect that has the real potential to turn the tide on Australia’s rising surge of data breach reporting.