Mandatory data breach reporting legislation and your Australian organisation: BAU?

Australia now joins the list of states and countries that have implemented, or are in the process of enacting, mandatory data breach notification legislation.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed in February 2017. It applies to organisations that meet specific criteria, such as business size or stewardship over specific categories of personal data (e.g. children’s data). The law takes effect in early 2018 (the scheme commences on 22 February 2018).

My focus in this article is to look at what this means for organisations in broad terms. Feel free to share this article with your Board and C-suite; it may help shape their approach to compliance with the new legislation.

Fact is, the glacial pace of legislative and regulatory change stands in stark contrast to the fast paced, volatile and comparatively uncertain world of digital and information technologies.

The legislative tortoise is struggling to keep up with the digital hare in this instance – however in this race, there is no finishing line. It’s what happens on the journey that determines the real winners.

Irrespective of whether your organisation’s efforts on cyber security are driven by (i) compliance with mandatory data breach reporting legislation, (ii) minimising the adverse business impacts of a cyber security event, or both, how best to proceed?

If this were MY business…

Put yourself in your organisation’s Boardroom for a moment. What would you do if this was your business?

On the one hand, the evidence is compelling that data breaches continue to occur with impunity. Organisations that have implemented demonstrated ‘best practice’, and that have much deeper pockets than you when it comes to cyber security measures, are also hit by data breaches.

Fact remains that, to date, the list of data breaches is impressive and getting longer by the day.

The recent Ponemon Institute study, based on over 1,000 respondents from United Kingdom and North American organisations, offers some useful insights into the challenge facing the ‘C-suite’. Among the key findings were that critical cyber threat information was frequently not provided to the C-suite, and that “70 percent of security industry professionals believe threat intelligence is often too voluminous and/or complex to provide actionable insights”. Makes for sobering reading.

On the other hand, the ‘do nothing’ option is not an option. Problem is, what does doing ‘something’ look like for you and your organisation?

… what should or could I do?

So, what steps would you look at putting in place to protect your organisation’s information assets? Beef up your own internal cybersecurity capabilities by throwing technology at the problem? Employ a consultant to do an independent assessment of your cyber vulnerabilities? Outsource it to someone who really has the right credentials and reputation?

How would you, as an executive who is (potentially) not an expert in IT or cyber security, ensure that a sustainable and effective cyber security protection regime exists for your whole organisation?

Cyber security – the game of probability.

Conventional approaches to enterprise information security certification and compliance largely revolve around the establishment and maintenance of an ‘information asset’ register. The business risks to a specific ‘information asset’ typically follow the logic of:

Business risk associated with a specific event for that asset (or asset group) = (Impact on the organisation  x Probability of that event occurring) + Risk Adjustment

This approach underpins information security certification and compliance models such as ISO/IEC 27001. Assessing each asset in isolation often fails to account for the inter-dependencies and interactions between risks: a minor weakness in one asset (a shared administrator credential, say) can be the path to a major loss in another.

Certification may be necessary, but it is certainly not sufficient, for ensuring an effective, sustainable, adaptable and cost effective cyber security regime for your entire organisation.

Added to this assessment should be the probability of your organisation falling foul of the mandatory data breach reporting legislation, and the likelihood of enforcement action with the resulting bad press and reputational damage.

Apply the 80/20 rule – to your advantage

The first step in addressing this unpredictable and rapidly evolving challenge is to recognise the source of the majority of adverse cyber events (such as data breaches). Not focusing exclusively on the technical aspects would be a good start.

Fact is, people are the weakest link in cyber security, and make a substantial contribution to data breaches.

Industry reports vary, but they consistently put the share of breaches with an internal cause, whether negligent or malicious, at somewhere between 40% and 60%: organisations are their own worst enemy when it comes to cyber security and data breaches.

To cite one example, according to the Verizon 2016 Data Breach Investigations Report, insider and privilege misuse played its part in confirmed data breaches:

  • Use of legitimate user credentials was associated with most data breaches (63% involved weak, default or stolen passwords).
  • 33% of misuse cases involved end users who had access to sensitive data in order to do their jobs.
  • Executives and privileged IT staff (administrators, developers, etc.) accounted for an equal 14% each.

Consider these 5 suggestions in addressing the threat from within your own organisation – whether accidental or otherwise.

Mandatory Data Breach?  What? Where? When? How?

At the heart of the effectiveness of any data breach countermeasures lies the early (hopefully, real-time) detection of suspicious activity, or of an actual data breach.

Many data breaches are not discovered for months, or even years. In many instances the breach is first detected by an outside party rather than by the organisation itself. This presents a real challenge: by the time the organisation hears of the breach, the perpetrator may have long since moved on. It also matters for compliance, because once an organisation becomes aware of grounds to suspect an eligible data breach, the new scheme gives it 30 days to complete its assessment of whether notification is required.

To minimise the time lag between a breach occurring and you first hearing about it, harness the collective insights and observations of your key staff and managers across the organisation, in a timely and efficient manner, through a process that works for your business.

The key capability that should be developed is the ability to rapidly correlate and distil these insights and observations in such a way as to detect (and preempt) possible data breach events.

This is not as difficult as it sounds.
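As an added illustration (not code from the article or its author), here is what the correlation capability described above can look like when the inputs are machine events rather than staff observations: a handful of constructed authentication and data-export records are checked for a password spray from one source address, followed by a bulk export by the account that address managed to log into. The event fields, the thresholds and the `correlate` function are assumptions chosen for this example, not figures from the article.

```python
"""Correlate authentication and data-access events to flag likely credential misuse.

Added example: the sample events are constructed, and the thresholds below are
assumptions for illustration, not figures from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, user, action, ip, detail)
SAMPLE_EVENTS = [
    ("2017-03-01T09:00:01", "auth", "alice", "login_fail", "203.0.113.9", ""),
    ("2017-03-01T09:00:02", "auth", "bob", "login_fail", "203.0.113.9", ""),
    ("2017-03-01T09:00:03", "auth", "carol", "login_fail", "203.0.113.9", ""),
    ("2017-03-01T09:00:04", "auth", "dave", "login_fail", "203.0.113.9", ""),
    ("2017-03-01T09:00:05", "auth", "erin", "login_fail", "203.0.113.9", ""),
    ("2017-03-01T09:00:06", "auth", "erin", "login_ok", "203.0.113.9", ""),
    ("2017-03-01T09:07:30", "crm", "erin", "export", "203.0.113.9", "rows=48000"),
    ("2017-03-01T09:15:00", "auth", "alice", "login_ok", "198.51.100.7", ""),
    ("2017-03-01T09:20:00", "crm", "alice", "export", "198.51.100.7", "rows=120"),
]

# Assumed thresholds; tune these to your own environment's baseline.
SPRAY_MIN_USERS = 5                  # distinct accounts failing from one IP
SPRAY_WINDOW = timedelta(minutes=10) # ...inside this window
EXPORT_WINDOW = timedelta(minutes=30)
BULK_ROWS = 10000                    # export size considered "bulk"


def parse(raw_events):
    """Turn the raw tuples into tuples with a real datetime, so they sort and subtract."""
    return [(datetime.fromisoformat(ts), src, user, action, ip, detail)
            for ts, src, user, action, ip, detail in raw_events]


def detect_password_spray(events):
    """Flag source IPs that fail logins for many distinct users inside a short window."""
    fails = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, src, user, action, ip, _ in events:
        if src == "auth" and action == "login_fail":
            fails[ip].append((ts, user))
    alerts = []
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append({"rule": "password_spray", "ip": ip, "users": sorted(users)})
                break  # one alert per IP is enough
    return alerts


def detect_bulk_export_after_spray(events, spray_alerts):
    """Flag a bulk export by an account that a spraying IP successfully logged into."""
    spray_ips = {a["ip"] for a in spray_alerts}
    logins = [(ts, user, ip) for ts, src, user, action, ip, _ in events
              if src == "auth" and action == "login_ok" and ip in spray_ips]
    alerts = []
    for ts, src, user, action, ip, detail in events:
        if src != "crm" or action != "export":
            continue
        rows = int(detail.split("=")[1]) if detail.startswith("rows=") else 0
        if rows < BULK_ROWS:
            continue
        for login_ts, login_user, login_ip in logins:
            if (login_user == user and login_ip == ip
                    and timedelta(0) <= ts - login_ts <= EXPORT_WINDOW):
                alerts.append({"rule": "bulk_export_after_spray", "user": user,
                               "ip": ip, "rows": rows})
    return alerts


def correlate(raw_events=SAMPLE_EVENTS):
    """Run both rules over the events in time order and return the combined alerts."""
    events = sorted(parse(raw_events))
    spray = detect_password_spray(events)
    return spray + detect_bulk_export_after_spray(events, spray)


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

Neither rule fires on its own for the ordinary user in the sample (alice logs in from a different address and exports a small number of rows); the value comes from joining the authentication source with the application source, which is exactly the correlation step that staff observations need as well.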

Lastly, develop a response plan, then ingrain it within your organisation’s culture

Ensuring that your organisation has a proven and effective capability for promptly responding to a suspected or confirmed data breach is key. This will help to restore trust in your organisation’s ability to respond. It will also provide clear evidence that your breach notification, assessment, escalation and resolution capabilities are effective and efficient. That plan should map directly onto what the scheme requires: assessing whether the breach is likely to result in serious harm to any of the individuals concerned and, if it is, preparing a statement for the Australian Information Commissioner and notifying the affected individuals as soon as practicable.

Of course, focusing on the factors within your organisation should not mean ignoring the deliberate, real and persistent threats from external actors.

The shadowy world of cyber crime, opportunistic hackers, state-sponsored cyber attacks, terrorism and those who inhabit the so-called dark web remain a real threat.

Wade Baker, principal author of the 2014 Data Breach Investigations Report from the US mobile communications company Verizon, summed up the situation more bluntly: “After analysing 10 years of data, we realise most organisations cannot keep up with cyber crime – and the bad guys are winning”.

The message could not be more compelling: Ensure that both your external and internal risks of a data breach are proactively and systematically identified, managed and controlled.

To do this requires across-the-board input and engagement by all stakeholders within and outside of your organisation. That includes staff, managers, contractors, the C-suite, customers, suppliers, cloud service providers, auditors and regulators, as the case may be.

Now that’s a task for leadership, and not solely a technology solution.

At the end of the day legislation should not define your minimum approach to dealing with a data breach.  Your business, staff and its customers deserve better.

Forget hackers – Look within to find your greatest cyber risk.

Adverse cyber incidents are occurring with monotonous regularity and are routinely reported in the media. With the list of mega data breaches increasingly looking like the ‘who’s who’ of the corporate world, what chance do you really have in your business when it comes to the protection of valuable information assets?

While …


Episode 11 – Addressing the cyber-security threat from within your business: Here are 5 takeaways

A rising proportion of data breaches and adverse cyber events are avoidable or self inflicted. No longer do the majority of cyber threats originate from outside the organisation; an increasing proportion stem from within it, some say in excess of 60%. These …


Episode 10 – Cyber insurance for your business: Consider this when buying your ‘protection’

For business decision makers, striking the right balance between owning or transferring the risk – through cyber insurance – is not as straightforward as it may initially appear.

In this episode, Rob offers 6 key points to consider when taking on cyber insurance


Episode 9 – IT and Digital vendor management strategies for change

The conventional approach to managing IT vendors may not be adequate in our rapidly changing business environments or in the adoption of your new, emerging and disruptive business technologies.

In this episode Rob explores contracts based on gain-share, vendor ecosystems, managing changing risk appetite over time, and more

 


Episode 8 – Redefine your SLA for sustainable business results: Strategy, Leadership and Adaptability | Thought Leadership Podcast Series

How do prescriptive SLAs help your organisation in changing environments?

This is especially relevant for IT supply contracts, outsourcing, service provisioning and the like, which may work well for both vendor and customer in relatively stable environments.

Problem is, in the digital / technology and IT …


Episode 7 – Is successful business transformation possible without IT’s involvement? | Thought Leadership Podcast Series

The fundamental question for most established organisations is what role the IT team is to play in the journey of business transformation.

How this role is defined could be the game changer needed to drive sustainable business value. In this episode Rob shares his perspectives and insights on …


Episode 6 – Actionable insights on how to build a business relevant and sustainable innovation capability within your organisation. | Thought Leadership Podcast Series

What are the critical success factors that determine any established organisation’s transition to developing a sustainable and value-driven innovation capability?

In this episode, Rob shares his insights and explores how organisations can best build their own innovation capability to deliver sustainable business results, while balancing the …


Episode 5 – Building organisational resilience through team and individual resilience | Thought Leadership Podcast Series

Resilient organisations thrive in the face of rapid and unexpected change. Fact is, versatile leaders and staff underpin versatile teams and organisations able to foster and sustain an innovation culture that translates into business value, not just marketing-speak about ‘innovation’.

In this episode, Rob explores this and offers 3 keys …


Episode 4: Exploring the effectiveness of legislation in our online world, the electronic contract, digital signatures and more | Thought Leadership Podcast Series

How effective is legislation in today’s fast paced digital world? In many developed countries there are specific laws governing online agreements, the use of electronic signatures, your rights to online privacy and mandatory data breach reporting.

Question is: What protections are offered under such laws in our border-less online world …
