<div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><a href="https://www.bit.com.au/guide/are-you-ready-for-data-breach-notification-laws-484823">https://www.bit.com.au/guide/are-you-ready-for-data-breach-notification-laws-484823</a></div><div dir="ltr"><br></div><div dir="ltr">Australia’s Notifiable
Data Breach legislation comes into force on 22 February 2018, so time is
running out to comply with the new laws – yet more than half the small
businesses subject to the legislation say they are not prepared for the
changes, according to a new study by ACA Research for HP.<br></div><div dir="ltr"><div id="gmail-article-body">
<p>The new laws make it mandatory for certain organisations to disclose data breaches. As <a href="https://www.bit.com.au/guide/what-do-the-data-breach-notification-laws-mean-451500" target="_blank">we have pointed out previously</a>,
many small businesses aren’t affected by the legislation – it only
applies to organisations with an annual turnover of more than $3 million
or that are covered by one of <a href="https://www.oaic.gov.au/agencies-and-organisations/faqs-for-agencies-orgs/businesses/small-business" target="_blank">several other criteria</a>.</p>
<p>However, even if your company isn’t subject to the privacy laws, it’s
still worthwhile learning what is now best practice in data security.
After all, it’s in every business’s interests to be able to quickly
detect and respond to data breaches to minimise the potential damage.</p>
<h4>Most SMBs aren’t ready</h4>
<p>According to the <a href="https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme" target="_blank">Notifiable Data Breach</a>
laws, a data breach is reportable to the Office of the Australian
Information Commissioner (OAIC) and the individuals affected if “a
reasonable person would conclude that there is a likely risk of serious
harm to any of the affected individuals as a result of the unauthorised
access or unauthorised disclosure”, and if that reasonable person would
conclude serious harm is “more probable than not”.</p>
<p>But according to ACA’s research, 57 percent of the 528 small and
mid-sized business respondents said they had not conducted any sort of
IT security risk assessment during the preceding 12 months.</p>
<p>Despite that, common concerns included risks around remote working
(including the possibility that someone might see sensitive data on an
employee's screen), the lack of BYOD security policies (nearly
two-thirds fail to put any restrictions on data access), and an apparent
reluctance to include networked printers (which are increasingly used
as the entry point by hackers, according to HP) in risk assessments.</p>
<p>Not surprisingly, HP draws attention to the ways its products can help SMBs maintain a secure environment. These include <a href="http://www8.hp.com/au/en/solutions/business-solutions/printingsolutions/devicesecurity.html" target="_blank">Sure Start</a> (a mechanism to protect PC and printer firmware from illicit modification), and <a href="http://www8.hp.com/us/en/solutions/computer-security.html" target="_blank">Sure View</a>
(an integrated privacy screen for notebooks that greatly narrows the
viewing angle, concealing the display from the person in the adjacent
seat on an airliner, for example).</p>
<p>Worryingly, another survey – this time by digital security company
Gemalto and the Ponemon Institute – found that only “46 percent of
Australian respondents agree their organisation is careful about sharing
confidential or sensitive information with third parties, such as
business partners, contractors and providers in the cloud environment.”</p>
<p>Other vendors have things to say on the matter of preparing for the new data breach regime.</p>
<h4>Start with data discovery</h4>
<p>Secure collaboration provider Covata suggests starting with a program to discover sensitive data.</p>
<p>“They know they have sensitive data and they have a desire to protect
it. But, before they can get to this point, they need to discover it.
And that's where they're getting stuck,” says chief commercial officer
Derek Brown.</p>
<p>Possible locations include paper-based records within physical
storage facilities, or legacy digitally-stored data, and the various
local and cloud storage locations used by the business. Data discovery
and classification software can help this process, he suggests, and
Covata offers a free trial of its <a href="https://covata.com/products/datadiscovery/" target="_blank">CipherPoint data discovery tool</a>.</p>
<p>“Getting a handle on where and how data is stored allows
organisations to understand what data they accumulate, generate and
collect; what proportion is sensitive; and its value to their
organisation and to someone who might misuse it,” says Covata.</p>
<h4>Don’t forget prevention</h4>
<p>Craig McDonald, CEO of email security provider Mailguard, <a href="https://www.mailguard.com.au/blog/legislation-cybersecurity-business-180201" target="_blank">agrees</a>
that data discovery is the first step, but says it should be
followed by determining how the data is used, and then locating and
eliminating any redundant data.</p>
<p>If you don't need it, get rid of it – then digital intruders won't be able to access it.</p>
<p>McDonald makes a very good general point: while the legislation is
about what must be done if a breach occurs, the real question is “is
your company taking proactive steps to prevent data breaches?”</p>
<p>“That's the bigger question we should all be tackling because if your
company suffers a ‘serious data breach’, your compliance
responsibilities to the OAIC will only be one of your problems,” he
points out.</p>
<h4>Reduce the risk</h4>
<p>Identity service provider Centrify is promoting its <a href="https://www.centrify.com/solutions/zero-trust-security-model/" target="_blank">Zero Trust security model</a>
as a way of avoiding breaches. This model treats internal and external
users alike: rather than relying on perimeter defences, it rigorously
manages and verifies user identities, while also providing the
convenience of single sign-on.</p>
<p>“This identity-centric rethink of security can directly address the
more than 80 per cent of data breaches that arise from compromised
identities, which dramatically reduces the risk of having to report a
data breach,” says senior APAC sales director Niall King.</p>
<h4>Back up, detect and respond</h4>
<p>There are, of course, other security measures that you should consider, many of which <a href="https://www.bit.com.au/topic/security-455554" target="_blank">we have covered previously</a>.</p>
<p>A good place to start is the Australian Signals Directorate’s highly regarded <a href="https://www.bit.com.au/guide/your-guide-to-the-essential-eight-security-strategies-451152" target="_blank">‘Essential Eight’ cyber security strategies</a>.</p>
<p>No cybersecurity defence is impregnable, so you need to have
strategies and processes in place to respond to a breach. That starts
with a <a href="https://www.bit.com.au/guide/building-a-malware-proof-backup-system-430338" target="_blank">bulletproof backup system for your business</a>.</p>
<p>In addition, there are <a href="https://www.bit.com.au/guide/five-next-generation-security-solutions-478031" target="_blank">detection and response tools</a>
available that can help organisations act quickly to minimise the
damage from a cyber attack – and comply with the new privacy laws if
needed.</p></div><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>