Two experts explain where the ABS went wrong and how your business can avoid making similar mistakes.
Tuesday August 9 was supposed to be Census day. For the first time, millions of Australians were to fill out the Australian Bureau of Statistics’ national survey online rather than on a paper form.
Of course, as anyone who tried to log on the website on the night will attest, things didn’t quite go to plan.
While your business is unlikely to suffer from the same notoriety as the Census meltdown, every organisation faces the risk of online disaster.
Fortunately, there are ways to mitigate these risks. BIT spoke to security experts to get some insights into what went wrong with the Census website and how businesses can learn from the mistakes that were made.
Where the ABS went wrong
And according to former Australian Privacy Commissioner Malcolm Crompton, the ABS made two significant errors long before Census night.
Unlike in previous years, the ABS decided that for the 2016 Census it would collect and retain identifying details such as names for a period of four years. Having made this decision, the first error the ABS made was it was not entirely transparent with the public about what it intended to do with the additional information.
“Because it was going to be collecting and retaining the additional information, the anonymity of the completed census forms would be gone,” said Crompton, now managing director of data protection and privacy consultancy, Information Integrity Solutions.
“The issues there were pure privacy issues, in that there was a sense that the ABS wasn’t being sufficiently transparent about what it was doing. That ABS was doing things on the quiet.
“There was also not enough assurance that anything it said it was doing was what it said it was actually doing. That debate had gone on all of this year.”
The ABS’s lack of transparency led to privacy concerns being raised by technology advocates, privacy advocates, civil libertarians and members of the general public.
This lack of transparency possibly led to the ABS making its second error: attempting to calm the concerns by making unrealistic claims about security.
“The problem was that amidst that privacy debate, the ABS was giving unrealistic assurances as to the security of the information and that it wouldn’t be hacked,” Crompton said.
“That’s an assurance you can’t give anymore in this day and age. All data is vulnerable, but there are steps you can take to reduce the vulnerability and respond to it.”
The problem with claiming a system is invulnerable is that it’s a sure-fire way of attracting malicious hackers who are looking for a challenge.
“In effect, the ABS was effectively saying ‘we dare you to hack me’. And there are plenty of people out there in the world who are looking for opportunities like that,” Crompton said.
What caused the meltdown?
The other interesting question, according to Crompton – one that is likely to be thoroughly investigated in the weeks ahead – is how well the ABS tested the resilience of its systems.
“They do appear to have had a resilience advisor of some sort in addition to IBM. But how well that worked out – it’s too early to tell,” Crompton said.
“Was there failure of some sort in terms of predicting what was likely to happen? Or was it predicted but they didn’t properly manage for it, I don’t think anyone knows yet.”
Richard Metcalfe, Australian and New Zealand regional director at security service provider FireEye, said two possible culprits were a distributed denial of service (DDoS) attack or the Census servers simply became overloaded.
“The fact that the Prime Minister has promised a review signals that this could be a live question for some time. However, a DDoS attack leverages a large amount of traffic to overflow a server and could be the culprit,” Metcalfe said.
“These attacks are quite trivial to launch, well-understood by the cyber-defence community and relatively easy to defend against.
“It is also possible that the traffic that overwhelmed the Census servers was organic traffic from Australians trying to fill out their forms."
Three ways to avoid making the same mistakes
Want to avoid something similar happening to your business? Here are three steps you can take:
1. Be transparent about what data you’re collecting and why
According to Crompton, any business that collects personal information – be it as part of a service, on a website or for an app – needs to be transparent about why it collects customer information and what it intends to do with it.
“Don’t make wobbly statements that you’re going to collect everything, keep it forever and then on sell that information to anyone you like.”
Crompton warns that it is important to be aware of what your organisation’s obligations are under privacy law, and to have evidence that you’ve kept your promises.
“Under Australian privacy law – in Australian privacy principle 1.2 – there’s now a rule that says the Australian privacy commissioner is able to call an organisation to account for having evidence that it’s doing the right thing,” he said.
2. Don’t promise absolute security
While it is natural for anyone in business and sales to want to talk up their product, you should never promise perfect security.
“On the security side, any organisation that says your information is totally secure has probably told an untruth. It’s just not possible,” Crompton said.
“Instead, an organisation should say ‘this is the ways in which we keep your information highly secure, and this is what we’ll do if anything goes wrong’.
“The world is now becoming mature enough to understand that’s what organisations should be saying.”
On a related note, Metcalfe warns that it is a mistake to assume that cyber criminals won’t target your business because you’re too small.
“If a business has an online presence, accepts credit card payments on its website, has a BYOD [bring-your-own-device] policy for staff or uses third-party services such as payroll processing, it could just as easily be targeted by cyber attackers as larger businesses," he said.
“It is important for these businesses to understand that competitors or activists can disable poorly defended websites relatively easily.”
3. Test your security – and act on it
While it’s too early say for certain if the ABS made any mistakes in this regard, it’s clear that not every business properly assesses the security risks it faces.
It’s vital for your business perform a thorough risk assessment, and to have plans in place with processes and measures to mitigate your security risks.
“I’m on the board of a company where ethical hackers – ‘white hat hackers’ – were bought in to test systems from top to bottom,” Crompton said.
“Another thing you can do is to put in place good mechanisms for telling if you’ve been hacked, and then having mechanisms in place to deal with the hack if it happens.”