ARTICLES

Security & The New Data Breach Laws  

The Current Threat Environment

On February 22nd 2018 the government released new far reaching Data Breach laws designed to address some of the fundamental issues that companies face today - ie. Cyber attacks.

In 2017, half of all US companies were hacked.

Source - https://www.insurancejournal.com/news/national/2017/09/29/465954.htm

That is not a misprint. Actually it is even more than that. 53% according to the article.

 


Cyber Resilience Best Practices 

Cyber Resilience is a discipline whose major tenet is not how to prevent a hacking attempt but an admission of fact that you will be hacked and how to make sure that you have the processes and procedures in place to not only recover quickly from it but to minimise damage. Such is the likelihood of hacking that most companies, large and small have been involved in some sort of data breach in the last few years.

Even small companies that have any sort internet presence are likely to have tens if not hundreds of port scans a day. Companies and individuals are bombarded daily by Root kits, phishing, Spear Phishing, Ransomware, malware, spyware, adware - the list goes on and on. 

If it is on the internet it IS A TARGET.

 

"Half of US companies in 2017 were hacked."

 

 

The New Data Breach Laws

Enter the New Data Breach Laws, brought in by the Australian Government earlier this year to address data breaches and more importantly how companies notify their customers of a breach.

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

 
The ‘civil penalty provisions’ in the Privacy Act include:
 
• A serious or repeated interference with privacy (s 13G) – 2000 penalty units (current total is $420,000)
• The maximum penalty that the court can order for a body corporate is five times the amount listed in the civil penalty provision (current maximum $2.1 million).
 
So a maximum fine of $2.1 million. This is a lot of money and meant to be a serious deterrent to companies simply hiding their data breaches.
 
The new scheme applies to all businesses, Government agencies, and not-for-profits with an annual turnover of more than $3 million, as well as health service providers, credit reporting bodies, and any entity which receives and handles tax file numbers.
 

Further, the Business Readiness Index found “only 40% of Australian businesses had implemented six or more of the Australian Signals Directorate essential eight (ASD8) strategies to mitigate cyber security incidents.”

When it came to small business, this figure dropped to 12%.

Source: https://ia.acs.org.au/article/2018/what-data-breach-laws-.html

 

"The Maximum Fine is $2.1 million" 

 

 

Why do we need these Laws?

In the last few years we have had multiple instances where companies hid data breaches from the public and their customers. This could lead to further customer exploits and meant that those customers were vulnerable and didn't even know it.

It is clear that businesses can not be trusted to do the right thing without the threat of strict penalties being imposed on them.

Notable examples are Uber who hid a data breach of 57 MILLION users:

https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/

Or what about Yahoo who hid a breach of all 3 BILLION users!?!!

https://en.wikipedia.org/wiki/Yahoo!_data_breaches

If you have an email address then the likelihood is that you have already have hacked. You can check here:

https://haveibeenpwned.com/

 

 

Mitigating Data Breach Risks

As explained above, although your company is likely to hacked at some point there are best practices to mitigate this risk as much as possible.

This is where the Australian Signal Directorate's Essential Eight come in.

 

These are:

1. Application Whitelisting

2. Patch applications

3. Configure Microsoft Office macro settings

4. User application hardening

5. Restrict administrative privileges

6. Patch operating systems

7. Multi-factor authentication

8. Daily backups 

More details can be found in this ASD webpage:

https://www.asd.gov.au/publications/protect/essential-eight-explained.htm

 

 

Next Steps

In essence you need a unified security policy that addresses these best practice policies with a mixture of overall security, email security, Endpoint security, Anti-Malware, Mobile Device Management - this must be both for BYOD and on premises / company owned devices, Multi Factor authentication, automated software updates implemented centrally and specialist cloud security best practices. You also need advanced monitoring with Intrusion Detection software so you can swiftly identify and resolve any potential breaches, alerting your customers quickly and safely.

Arche-type can help with all aspects of designing and implementing these policies. Contact us now for more information.

Arche-type is Axelos Resilia Cyber Resilience certified.

 

 

 

Further Reading

http://www.abc.net.au/news/2018-02-02/data-breach-notification-laws-coming-on-february-22/9391504

https://www.bizcover.com.au/turn-spotlight-hackers-protect-data/?&gclid=EAIaIQobChMIhrOs8cGf2gIVgZa9Ch0v4AHyEAAYASAAEgKIU_D_BwE

https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification

https://www.wombatsecurity.com/blog/scary-data-breach-statistics-of-2017

 

Arche-type Security Articles

Arche-type Becomes Proofpoint Reseller

https://arche-type.com.au/articles/8021x-wired-security-w2k12-dell

https://arche-type.com.au/articles/install-lets-encrypt-ssl-certs

https://arche-type.com.au/articles/8021x-wireless-with-sophos-utm-aps

https://arche-type.com.au/articles/setting-up-site-to-site-vpn-to-aws-vpc