The Australian Signals Directorate (ASD) and Australian Cyber Security Centre have recently updated the Essential Eight Maturity Model (E8MM) to assist organisations in protecting their internet-connected information technology networks against common cyber threats. Key focus areas for this update include: balancing patching timeframes; increasing adoption of phishing-resistant multifactor authentication; supporting management of cloud services; and performing incident detection and response for internet-facing infrastructure. View the Essential Eight Maturity Model here.
Cyber & Info Security
Latest Data Breach Report and Trends
The latest Notifiable data breaches report was released last week, highlighting the need for organisations to strengthen data security and promptly respond to suspected breaches. The Australian Information Commissioner and Privacy Commissioner Angelene Falk said that ‘OAIC expects organisations to have robust and proactive procedures in place to protect the personal information they hold.’ The January to June 2023 period saw 409 data breaches reported to the OAIC. While that was a 16% decrease in the number of notifications compared to the previous period, there was one breach that affected more than 10 million Australians. This is the first breach of this scale for Australians since the scheme began in 2018. Cybersecurity incidents were the source of 42% of all breaches (172 notifications). The top three cyber-attack methods were ransomware (53 notifications), compromised or stolen credentials for which the method was unknown (50 notifications) and phishing (33 notifications). Contact, identity and financial information […]
US and Australian government issue joint Cybersecurity Advisory on preventing Web Application Access Control Abuse
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) have recently released a joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks. These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of the personal, financial, and health information of millions of users […]
Third-Party Risk and Cybersecurity: Navigating Evolving Threats and Data Governance
High-profile data breaches in the last few years have not only resulted in increased regulatory attention but have also served to highlight the evolving set of cyber threats faced by organisations. Of particular note, there have been numerous incidents where cybercriminals have managed to obtain organisational data not through a direct attack on the organisation but rather by breaching a third-party IT supplier to the organisation. The sophistication of cybercriminal attacks is increasing both in terms of the attack methodology and the strategic intent behind the selection of their targets. When the first wave of ransomware attacks was launched in the early 2000s, these were largely indiscriminate, impacting whichever personal, business or government system the malware could gain access to. Following this initial wave, we have observed increased fine-tuning of malware attacks over time. From a code perspective, some examples of this evolution have included built-in checks in the […]
Questions for boards to ask about cybersecurity
The Australian Cyber Security Centre (ACSC) has released a guide for boards and executives that discusses high-level topics to know about cyber security within organisations. Boards need to proactively build an understanding of their organisation’s specific cyber threat and risk environment.
The Guide sets out how the board can understand as much as possible about cyber security risks, how they can stay informed and the questions they should be asking to mitigate cyber risks.
Read the ACSC Guide here.
Optus Data Breach – the risks of data over-retention
The Optus Data Breach incident has shed some much-needed light on the need for robust, top-down board governance over organisational data and information. This attack has demonstrated the need for organisations to invest sufficiently in cyber-attack prevention, detection and response. While the Optus data breach is still under investigation, the consensus from government statements and external experts seems to be that human error played a significant part in this data breach. It is not uncommon for human factors to either cause or amplify technical weaknesses resulting in a data breach: about one-third of all reported personal data breaches in the OAIC’s Notifiable Data Breaches Reports are attributed to human error as the primary factor.
Whether data breaches are caused by human error or technical fault, security experts widely agree that organisations should consider data breaches a question of ‘when’ rather than ‘if’. This in turn means that senior executives and board members should ensure they have a good grasp of the ‘what’ and ‘where’ of data within their organisation. These are important factors not only for general information governance, but also key elements for implementing an effective data collection, use and disposal lifecycle, which is crucial for mitigating the impact of future data breaches.
The causes of over-retention
Most organisations – businesses and government agencies alike – are collecting and generating exponentially increasing volumes of data each year. Fewer organisations are successfully disposing of data that is no longer needed for regulatory retention requirements or for business purposes, as required under Australian Privacy Principle 11.3. This may be due to a desire to retain data for commercial purposes, misunderstanding of regulatory requirements, low costs of data storage, difficulties in implementing data disposal policies in complex technical environments or a combination of all these factors.
Optus has indicated it was keeping identity information obtained from new customers for up to six years as per the requirements of the Telecommunications Consumer Protections Code. However, much of the significant personal information apparently lost in this breach, such as passport, licence or Medicare details, would not seem to be required for compliance with this Code. It would appear that a telecommunications provider would only need to retain this level of information to meet requirements under the Telecommunications (Interception and Access) Act 1979, which requires them to retain specific communication metadata and customer identification information for two years.
As the Attorney-General, Mark Dreyfus, said, “They don’t seem to me to have a valid reason for saying we need to keep that for the next decade.” The challenge for governments and regulators is to ensure that regulations clearly set out the retention periods for specific categories of data, along with sufficient penalties for compliance failure. As it stands, it is common for organisations to have a default retention period of 6 or 7 years for all categories of documents, and it is less common for organisations to have implemented robust data retention lifecycle regimes which ensure that data and information is permanently deleted when it is no longer required.
The risks of over-retention
Until an organisation has faced a significant data breach, it is difficult to comprehend the resources needed to respond to, contain and remediate it, along with the stress and costs involved in responding to stakeholders, media and regulators. The extensive media coverage of the Optus data breach and the associated reputational damage provide an opportunity for boards and senior executives to consider how effectively data and information is, or perhaps is not, governed within their organisations.
While the EU General Data Protection Regulation (GDPR) set the global benchmark for privacy regulations in 2016, the long-awaited overhaul of Australia’s Privacy Act is still pending. The updated Privacy Act is likely to substantially increase fines, meaning Australian organisations will have an increased regulatory incentive to improve personal information lifecycle management and the training of staff to protect personal information.
Failure to properly govern and protect information assets and implement a robust data lifecycle management program poses significant risks for all organisations.
How organisations can respond
Rather than focusing solely on cybersecurity, a more holistic top-down governance model is needed to manage data as part of the information assets across the enterprise. This coordinated approach is both more effective in managing risks and enables organisations to maximise the value of data and information in accordance with the organisation’s overarching strategic objectives.
A key challenge facing boards and senior executives is ensuring their organisation understands where sensitive data and information resides and that it is adequately secured and protected, including appropriate classification, controls around use, re-use and storage, and permanent disposal of data in accordance with regulatory requirements. While responsibility for these activities has often been separated into differing organisational silos, effective information governance requires that each aspect is coordinated and aligned holistically across the organisation.
To achieve this aim, organisations should be allocating sufficient budget investment into internal governance of data and information activities including: alignment of internal policies and procedures to adequately secure and protect data; continual training and upskilling of staff; and internal auditing to ensure the policies and procedures are being adhered to along with identification and remediation of gaps.
Author
Susan Bennett, LLM(Hons), MBA, CIPP/E, FGIA, GAICD
Founder and Executive Director InfoGovANZ
2022 Information Awareness Month One Day Seminar
This year’s Information Awareness Month One Day Seminar took place at the iconic Institute Building (1861), the first public cultural building in South Australia, and was also livestreamed. The theme was “Building Trust in Information” and discussions revolved around the facets that we need to trust in order to have trust in information. These included trust in people, process, technology and government. The seminar opened with remarks from Geoff Strempel, Director, State Library of South Australia. As a society we are “drowning in data” and in a knowledge economy IM practitioners are the trustees of information. A huge challenge is the massive data sets that need computers and machine learning to extract patterns and interpretations, but human intellect is still required to assess the outcomes and ultimately arrive at wisdom. ML and AI also raise ethical and privacy dilemmas as technology enables computers to essentially have free rein across the data. […]
OAIC Data Breach Notification Report
The Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches Report highlights how OAIC expects entities to prevent and respond to data breaches caused by ransomware and impersonation fraud. The OAIC received 446 data breach notifications from January to June 2021, with 43% of these breaches resulting from cyber security incidents. Data breaches arising from ransomware incidents increased by 24%, from 37 notifications in the last reporting period to 46. Read the latest report here.
Cyber Risk Management and the Value of Cyber Insurance
The technology revolution has created unprecedented developments in the way that business is transacted, how information is obtained, how we communicate with each other and how data is sourced and stored. The reality of these developments has also led to unparalleled increases in the ability of criminals to act in a digital environment rather than in the physical world, and cyber crime has never been more financially rewarding. Cyber risk and cyber exposure exist for every business that uses technology and connects to any form of information systems and networks. Size of business, industry factors and reliance on technology for critical operations can increase cyber risk vulnerability, but no business is immune. Managers are faced with the challenge of protecting against cyber risk and implementing strategies and procedures to safeguard against the potential loss and damage suffered in a cyber event. Cyber risk management is a holistic approach to evaluating […]
OAIC Data Breach report: January – June 2020
The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches (NDB) Report for January to June 2020. Malicious or criminal attacks remain the leading cause of data breaches involving personal information in Australia. Commissioner Angelene Falk said, ‘this trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks. It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.’ In other findings: Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors, with the insurance industry making the top 5 sectors for the first time. The number of notifications resulting from social engineering or impersonation increased by 47%. Actions taken by […]
Information Security Risk Management Practitioner Guide – OVIC
The Office of the Victorian Information Commissioner (OVIC) issues security guides to support the Victorian Protective Data Security Standards (VPDSS). This document provides organisations with guidance on security risk management fundamentals to enable them to undertake a Security Risk Profile Assessment (SRPA) as required under s89 of the Privacy and Data Protection Act 2014 (PDP Act) and is designed to support practitioners and information security leads.
Information Governance + COVID-19 Roundtable Report
To celebrate Information Awareness Month (IAM2020) and Privacy Awareness Week (PAW2020), we kicked off with an online panel discussion on the myriad of Information Governance issues arising from the COVID-19 pandemic. Our panellists included Melanie Marks, Christopher Colwell, Sonya Sherman, Dr Peter Chapman and Matthew Golab, and the discussion was facilitated by Susan Bennett. The importance of connectivity and of access to trusted information, the role of fit-for-purpose systems to capture records during a crisis, and accountability for decisions made during the pandemic period were all highlighted. Discussion around the COVIDSafe app emphasised that privacy by design and governance of data are key for user trust. A key focus of the discussion was the increased information security and cybersecurity risks with the move to working from home. These include the risks of data leakage, data breach, shadow IT and cyber-crime. In summary, the discussion emphasised that the myriad of information, records, […]
Broken Trust – The Information Security Dangers of Insider Threats
The increasing awareness of external cyber-security threats has executives focused on how their organisation can be defended against the “enemy at the gates”. But are organisations just as much at risk from an “enemy within”? In this article Dr Peter Chapman, Director in the Ferrier Hodgson Forensic Technology and eDiscovery team and InfoGovANZ advisory board member, provides an opinion and case study on insider threat. The media provides us with constant reminders of the threat of cyber-criminals and other external attackers. Recent legislative and regulatory changes such as the European Union GDPR requirements and mandatory breach notification amendments to the Australian Privacy Act have only increased our awareness, specifically with regards to ensuring that personally identifiable information (PII) in the possession of the organisation is safeguarded. While PII data is undoubtedly a target of external attackers, and external threats must be guarded against, organisations may be overlooking significant insider […]
Information Security & Information Governance – how they work together
Information (data) security, cybersecurity and IT security all usually refer to the protection of computer systems and information assets by suitable controls, such as policies, processes, procedures, organisational structures and software and hardware functions. The type and extent of controls depend on the scope and maturity of the business function (usually the Security Department) applying the controls, or on the specialisation/focus of the team, such as Perimeter/Firewall or Identity Management. Each function tends to have a different perspective of information security compared to other functions, due to its focused specialisation. A close parallel is the health profession. You see a GP doctor when unwell, and are referred to a specialist who knows much more than your GP about a particular field of expertise. I know that my GP would not want to perform open heart surgery at all. And equally, a heart specialist would not have up-to-date and practical […]
Cyber Insurance: how it works and the benefits of Information Governance
As the number and size of cyber attacks on businesses continues to increase, the risk of experiencing a data breach is higher than ever. The resulting cost of these breaches can be significant – according to the Ponemon Institute’s 2017 Cost of Data Breach Study, these totalled $2.51 million per year across the organisations that were recruited for the research. As a result, an increasing number of organisations are choosing to invest in a cyber insurance policy, which allows them to claim cyber incident response expenses, regulatory fines, legal defence costs and business interruption losses. In other words, offset the cost of a potential data breach. This article outlines the benefits of cyber insurance and explains why, in today’s digital age, it is vital for organisations to invest in this class of insurance, in addition to understanding the information governance obligations that their insurance policy places on them. What […]