[BreachExchange] Are you ready for data breach notification laws?

Inga Goddijn inga at riskbasedsecurity.com
Fri Feb 9 19:20:01 EST 2018


Australia’s Notifiable Data Breach legislation comes into force on 22
February 2018, so time is running out to comply with the new laws – yet
more than half the small businesses subject to the legislation say they are
not prepared for the changes, according to a new study by ACA Research for

The new laws make it mandatory for certain organisations to disclose data
breaches. As we have pointed out previously
many small businesses aren’t affected by the legislation – it only applies
to organisations with an annual turnover of more than $3 million or that
are covered by one of several other criteria

However, even if your company isn’t subject to the privacy laws, it’s still
worthwhile learning what is now best practice in data security. After all,
it’s in every business’s interests to be able to quickly detect and respond
to data breaches to minimise the potential damage.
Most SMBs aren’t ready

According to the Notifiable Data Breach
laws, a data breach is reportable to the Office of the Australian
Information Commissioner (OAIC) and the individuals affected if “a
reasonable person would conclude that there is a likely risk of serious
harm to any of the affected individuals as a result of the unauthorised
access or unauthorised disclosure”, and if that reasonable person would
conclude serious harm is “more probable than not”.

But according to ACA’s research, 57 percent of the 528 small and mid-sized
business respondents said they had not conducted any sort of IT security
risk assessment during the preceding 12 months.

Despite that, common concerns included risks around remote working
(including the possibility that someone might see sensitive data on an
employee's screen), the lack of BYOD security policies (nearly two-thirds
fail to put any restrictions on data access), and an apparent reluctance to
include networked printers (which are increasingly used as the entry point
by hackers, according to HP) in risk assessments.

Not surprisingly, HP draws attention to the ways its products can help SMBs
maintain a secure environment. These include Sure Start
(a mechanism to protect PC and printer firmware from illicit modification),
and Sure View <http://www8.hp.com/us/en/solutions/computer-security.html>
(an integrated privacy screen for notebooks that greatly narrows the
viewing angle, concealing the display from the person in the adjacent seat
on an airliner, for example).

Worryingly, another survey – this time by digital security company Gemalto
and the Ponemon Institute – found that only “46 percent of Australian
respondents agree their organisation is careful about sharing confidential
or sensitive information with third parties, such as business partners,
contractors and providers in the cloud environment.”

Other vendors have things to say on the matter of preparing for the new
data breach regime.
Start with data discovery

Secure collaboration provider Covata suggests starting with a program to
discover sensitive data.

“They know they have sensitive data and they have a desire to protect it.
But, before they can get to this point, they need to discover it. And
that's where they're getting stuck,” says chief commercial officer Derek

Possible locations include paper-based records within physical storage
facilities, or legacy digitally-stored data, and the various local and
cloud storage locations used by the business. Data discovery and
classification software can help this process, he suggests, and Covata
offers a free trial of its CipherPoint data discovery tool

“Getting a handle on where and how data is stored allows organisations to
understand what data they accumulate, generate and collect; what proportion
is sensitive; and its value to their organisation and to someone who might
misuse it,” says Covata.
Don’t forget prevention

Email security provider Mailguard CEO Craig McDonald agrees
with data discovery being the first step, but says it should be followed by
determining how the data is used, and then locating and eliminating any
redundant data.

If you don't need it, get rid of it – then digital intruders won't be able
to access it.

McDonald makes a very good general point: while the legislation is about
what must be done if a breach occurs, the real question is “is your company
taking proactive steps to prevent data breaches?”

“That's the bigger question we should all be tackling because if your
company suffers a ‘serious data breach’, your compliance responsibilities
to the OAIC will only be one of your problems,” he points out.
Reduce the risk

Identity service provider Centrify is promoting its Zero Trust security
model <https://www.centrify.com/solutions/zero-trust-security-model/> as a
way of avoiding breaches. This model treats internal and external users
equally, reducing reliance on perimeter defences through the rigorous
management of user identities, along with providing the convenience of
single sign-on.

“This identity-centric rethink of security can directly address the more
than 80 per cent of data breaches that arise from compromised identities,
which dramatically reduces the risk of having to report a data breach,”
says senior APAC sales director Niall King.
Back up, detect and respond

There are, of course, other security measures that you should consider,
many of which we have covered previously

A good place to start is the Australian Signals Directorate’s highly
regarded ‘Essential Eight’ cyber security strategies

No cybersecurity defence is impregnable, so you need to have strategies and
processes in place to respond to a breach. That starts with a bulletproof
backup system for your business

In addition, there are detection and response tools
available that can help organisations act quickly to minimise the damage
from a cyber attack – and comply with the new privacy laws if needed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180209/8f3f10d0/attachment.html>

More information about the BreachExchange mailing list