Last month, the Australian Government implemented Privacy Amendment (Notifiable Data Breaches) Bill 2016 legislation. It is a huge move on the Australian Government’s part - but in the end, does it change anything?
Analysts applauded the move but many are asking if it is the whole answer, especially exempting business with less than $3 million in turnover. They rightly ask, “Will this legislation solve the security problems – will it ensure all companies take precautions and implement top grade security?”
iTWire asked Alex Tilley, Senior Security Researcher, Counter Threat Unit at SecureWorks (a public company spun out of Dell) to explain the issues in his own words. Alex is a former Australian Federal Police Senior Technical Analyst and prominent commenter on enterprise security matters.
The answer is, unfortunately, not a chance! The IT systems of organisations affected by this legislation are often incredibly complex and even with tremendous support, budget and resourcing, securing them 100% is a pipe dream.
{loadposition ray}
The legislation – Do as I say!
This legislation only provides a call to action - a reason for an increased focus on security.
Even though this legislation won’t solve the cyber security issues facing all Australian businesses, it will have many consequences, including forcing businesses to better protect themselves.
Benefits of the legislation
The greatest benefit ultimately is having better-protected data. Unfortunately, this will not happen overnight. It will take many years and a few more public breaches before most organisations take or finalise action.
Comprehensive, enterprise-level cyber security programs are expensive to implement and difficult to maintain. For some organisations, security is low on the priority list until the fear of going public, due to a large-scale breach, creeps up.
Those costly breaches will ultimately force companies to act, as well as notify their clients. With this new legislation in place, the public will now be alerted efficiently when an organisation they trust with their private information has been compromised.
Impact on businesses in Australia
When a business, having over $3 million in turnover, gets breached, they must go public, alerting the government, as well as all parties that may have been affected.
There is no monetary penalty for a business that has been breached, however, the legislation does put into action a civil consequence of a maximum penalty of $360,000 for individuals and $1,800,000 for corporate bodies. These fines are imposed on serious or repeat offenders.
Organisations that are breached could also take a substantial hit to their reputation. Customers will now be informed and may decide to take their business elsewhere or even look for compensation from damages suffered. This impact on Australian businesses can be lasting and financially hard.
There is, however, a silver lining. Businesses who are worried they must report a breach may spend a little more thought on securing the data they hold, and this can only be good for businesses and consumers alike. Luckily, there are also certain steps organisations can take towards a more strategic cyber protection plan.
The Importance of Protection
Effective security is extremely difficult and it’s often hard to know where to begin.
Start with secure coding, perform real-world tests of systems to try and find vulnerabilities (patching them straight away) and making sure the design and monitoring of the systems are working effectively.
Keep in mind that often security initiatives like application whitelisting are put in the “Too Hard Basket”. In 2017 there is no more “Too Hard Basket”. Cyber protection is an essential part of running a successful business, shortcuts cannot be accepted.
The Way Forward
Cyber security issues cannot be solved overnight just because of the new legislation. At best, we can expect a change in how businesses conduct themselves and how the public is protected.
Larger organisations cannot afford to ignore the continued publicised breaches and real-world security advice from experienced professionals and expect the public to be forgiving when they get breached through a web server that hadn’t been patched in two years. Security must be a forefront topic and mature discussions must be held to allow for security measures to be put in place so that one day we can prevent breaches.
Tilley has written a three-part blog covering this legislation in more detail.
SecureWorks has written a white paper titled “4 Key Preparation Strategies for Eligible Breach Notification Laws” and it is a good place to start.