[BreachExchange] A Reflection on Notifiable Data Breach: Year One

Wed Feb 20 09:10:53 EST 2019

https://www.cso.com.au/article/657950/reflection-notifiable-data-breach-year-one/

How much trust should the Australian people put into businesses when
it comes to storing their data? When the Notifiable Data Breach
legislation was implemented this time last year, it represented
government telling businesses they had to take great responsibility
for the Australian public’s data. Little did they know the
Facebook-Cambridge Analytica scandal would shine a giant spotlight on
data privacy in the months to come.

It should come as no surprise that governmental privacy laws, like
Australia’s Notifiable Data Breach Scheme (NDBS) and the EU’s General
Data Protection Regulation (GDPR) – which also applies to Australians
- has changed data privacy and the requirements of businesses to
protect data. In theory, the punishments for a breach are now much
higher than a simple warning behind closed doors. Now businesses must
ensure they are being responsible and following data protection
policies. Through the first year of the NDBS being implemented, 812
breaches have been reported, cumulatively affecting millions of
Australians.

So what learnings can be taken away from one year of NDBS? The Office
of the Australian Information Commissioner’s quarterly reports on
Notifiable Data Breaches are quite damning in that there are
consistent rises in issues, when they should be falling. What it tells
us is, no organisation or industry is immune from a data breach, and
the attackers are evolving.

Malicious or criminal attacks continue to remain the most common
breach cause. Across the four quarters of NDBS reporting, from
February 2018 to December 2018, malicious or criminal attacks have
made up at least 50% of reported breaches. While one typically
imagines malware and ransomware attacks as a common method for threat
actors to breach organisations, it’s credential compromise and
phishing, that takes the top prize.

Following malicious attacks, breaches caused by human error continue
to plague businesses. Human error breaches were the result of about a
third of reported breaches, but for the top five industry sectors it
is closer to 50 percent or higher.

Most concerning to Australians should be the sources of data breaches.
Health service providers (21 percent in Q4) have consistently been the
top industry sector responsible for reporting data breaches. That
figure does not include any notifications made under the My Health
Records legislation. In an era when Australians are being encouraged
to share their health data with the cloud, the health sector must do
more to prevent breaches.

Australian businesses are realising data privacy should be a priority,
as they are placed under greater scrutiny world-wide to be
compassionate about how they use and store data about employees and
customers. When data privacy is made a priority, businesses focus on
strengthening identity management and eliminating human error.

Strengthen Identity & Access Management

If businesses deploy stronger identity & access management practices,
then they can have better protection from credential compromise. When
employees are sharing information over digital channels, they can be
confident knowing who they are communicating with. Multi-factor
authentication is an effective approach to mitigate compromised
credential attacks. The added layer of security from multi-factor
authentication makes password theft less damaging because cyber
criminals will be required to have a physical token to access a
business’ network, like a one-time access code or mobile application.

Likewise, a strong password management platform is essential for all
organisations. Enforcing policies which require employees to reset
their passwords regularly will reduce the risk of threat actors
working out their password, and automatically identify any
inconsistencies. Adding password management and vaulting capability
for the privileged accounts then ensures that the keys to the kingdom
are not left in a text file on user’s desktops (or under keyboards).

Strong identity & access management practices won’t prevent an attack,
but it will make it harder for threat actors to breach the walls of a
business.

Fix human error

While identity management can mitigate the chances of a malicious
attack, it can’t do much against human error. It may seem like
preaching to the choir, but employee education is extremely important
in every organisation. Just as executives understand the importance of
protecting customer data, the same standards must be instilled in
employees and any party who accesses the systems.

Regular employee training should be implemented by businesses to
remind employees about the importance of securely handling personal
information. After all, employees are an extension of an organisation,
and their actions can have real financial and reputational impacts
across a business.

With that said, logging, recording and monitoring solutions can make
employees more accountable by tracking their actions. Using session
recording solutions for privileged access, businesses can track
employee actions, which can be reviewed if a data breach is suspected.
Not only will it enhance organisations’ awareness about the causes of
a breach, it will help in the future as employees are more aware about
past actions which have led to a breach.

One year on from the Notifiable Data Breach Scheme and most Australian
businesses still have a long way to go before they can be satisfied
their data protection solutions are satisfactory. In a world where
cyberattacks on organisations are inevitable, businesses must make
them as difficult as possible for threat actors. By reducing the
simplest threats, such as human error breaches, and making it more
difficult for hackers to compromise accounts, organisations will be
less likely to represent a figure on year two of the NDBS and create a
more secure digital environment.