Time is running out, yet many businesses aren’t ready, according to a new study. Here’s what you need to know.
Australia’s Notifiable Data Breach legislation comes into force on 22 February 2018, so time is running out to comply with the new laws – yet more than half the small businesses subject to the legislation say they are not prepared for the changes, according to a new study by ACA Research for HP.
The new laws make it mandatory for certain organisations to disclose data breaches. As we have pointed out previously, many small businesses aren’t affected by the legislation – it only applies to organisations with an annual turnover of more than $3 million or that are covered by one of several other criteria.
However, even if your company isn’t subject to the privacy laws, it’s still worthwhile learning what is now best practice in data security. After all, it’s in every business’s interests to be able to quickly detect and respond to data breaches to minimise the potential damage.
Most SMBs aren’t ready
According to the Notifiable Data Breach laws, a data breach is reportable to the Office of the Australian Information Commissioner (OAIC) and the individuals affected if “a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure”, and if that reasonable person would conclude serious harm is “more probable than not”.
But according to ACA’s research, 57 percent of the 528 small and mid-sized business respondents said they had not conducted any sort of IT security risk assessment during the preceding 12 months.
Even so, respondents did voice common concerns: the risks of remote working (including the chance that a bystander sees sensitive data on an employee's screen), the absence of BYOD security policies (nearly two-thirds place no restrictions on data access), and an apparent reluctance to include networked printers in risk assessments, even though, according to HP, printers are increasingly used by attackers as an entry point.
Not surprisingly, HP draws attention to the ways its products can help SMBs maintain a secure environment. These include Sure Start (a mechanism to protect PC and printer firmware from illicit modification), and Sure View (an integrated privacy screen for notebooks that greatly narrows the viewing angle, concealing the display from the person in the adjacent seat on an airliner, for example).
Worryingly, another survey – this time by digital security company Gemalto and the Ponemon Institute – found that only “46 percent of Australian respondents agree their organisation is careful about sharing confidential or sensitive information with third parties, such as business partners, contractors and providers in the cloud environment.”
Other vendors have things to say on the matter of preparing for the new data breach regime.
Start with data discovery
Secure collaboration provider Covata suggests starting with a program to discover sensitive data.
“They know they have sensitive data and they have a desire to protect it. But, before they can get to this point, they need to discover it. And that's where they're getting stuck,” says chief commercial officer Derek Brown.
Possible locations include paper records in physical storage facilities, legacy data held in old digital systems, and the various local and cloud storage locations the business uses. Data discovery and classification software can help with this process, he suggests, and Covata offers a free trial of its CipherPoint data discovery tool.
“Getting a handle on where and how data is stored allows organisations to understand what data they accumulate, generate and collect; what proportion is sensitive; and its value to their organisation and to someone who might misuse it,” says Covata.
Don’t forget prevention
Email security provider Mailguard CEO Craig McDonald agrees that data discovery is the first step, but says it should be followed by determining how the data is used, and then by locating and eliminating any redundant data.
If you don't need it, get rid of it – then digital intruders won't be able to access it.
McDonald makes a very good general point: while the legislation is about what must be done if a breach occurs, the real question is “is your company taking proactive steps to prevent data breaches?”
“That's the bigger question we should all be tackling because if your company suffers a ‘serious data breach’, your compliance responsibilities to the OAIC will only be one of your problems,” he points out.
Reduce the risk
Identity service provider Centrify is promoting its Zero Trust security model as a way of avoiding breaches. The model treats internal and external users alike: rather than relying on perimeter defences, it rigorously manages user identities, while also providing the convenience of single sign-on.
“This identity-centric rethink of security can directly address the more than 80 per cent of data breaches that arise from compromised identities, which dramatically reduces the risk of having to report a data breach,” says senior APAC sales director Niall King.
Back up, detect and respond
There are, of course, other security measures that you should consider, many of which we have covered previously.
A good place to start is the Australian Signals Directorate’s highly regarded ‘Essential Eight’ cyber security strategies.
No cybersecurity defence is impregnable, so you need to have strategies and processes in place to respond to a breach. That starts with a bulletproof backup system for your business.
In addition, there are detection and response tools available that can help organisations act quickly to minimise the damage from a cyber attack – and comply with the new privacy laws if needed.