Guest blog post by emt Distribution. emt Distribution is a specialised value-added distributor (VAD) with a focus on information security and Microsoft Configuration Manager technologies.
According to the Australian Strategic Policy Institute’s report on Cyber Maturity in the Asia-Pacific Region (2016), Australia is ranked in 4th place, one up from the weighted scores in 2015. Who’s doing better? The US, South Korea and Japan, followed by Singapore, then New Zealand.
So why are we not higher? This may in part be due to the current lack of legislation forcing Australian businesses to report data breaches. Since 2002, breach notification laws have been enacted in most states within the US, and the EU enacted breach notification in 2009. By contrast, South Korea has had breach notification laws in place for over 4 years, and Japan requires operators regulated by the JFSA to immediately report leakage of personal information.
Recently, a question was posed to me which made me stop and think: “I’ve searched for data breaches in Australia but generally turn out empty-handed. Is Australian business really that good at protecting themselves?” The answer is no, they’re not. This is, in part, because Australian businesses don’t have to report their breaches. While Australia may look great on the surface when it comes to securing data, what is happening behind the scenes may be very different.
However, things are about to change. In February 2017, the Australian Senate passed ‘The Privacy Amendment Bill 2016’ (Notifiable Data Breaches Bill), enacting mandatory data breach notification. The Amendment applies to government agencies and organizations governed by the Privacy Act. While these new rules will take up to 12 months to come into effect, they will significantly increase the cyber security discussion in the boardroom and action on the ground.
Breach notification allows data breach victims to take steps to protect their data and identities. This leaves one question to ask: what are the repercussions when they discover how frequently these breaches occur? Australian companies with poor data security practices that are breached will have to report openly. Currently, the size and scope of breaches are generally unknown to all except those suffering them or responding to them. For those companies that should have been strengthening their security policies and procedures, the mandate to report incidents will significantly impact their reputations and brand loyalty if they are breached.
The financial implications alone should lead to refined organizational security structures within these companies. The consequences of not taking action could be debilitating.
Australian businesses falling under the Privacy Act are obligated to ensure they are mitigating the majority of cyber threats. The Australian Signals Directorate lists 4 main strategies that are effective against 85% of cyber intrusions. Companies should therefore have, at a minimum, implemented comprehensive application whitelisting, patch management for applications and operating systems, and restrictions on privileged accounts. This ensures they have at the very least put in place the strategies that mitigate the majority of cyber security threats.
Even without mandatory reporting, Australia has matured significantly in cyber security and is placed well above other countries in the region. The advent of mandatory data breach notification should see Australia improve its position on the maturity rung yet again.