InfoGovANZ

Information Governance Think Tank

Cyber & Info Security

Questions for boards to ask about cybersecurity

by

The Australian Cyber Security Centre  (ACSC) has released a guide for boards and executives that discusses high-level topics to know about cyber security within organisations.  Boards need to proactively build an understanding of their organisation’s specific cyber threat and risk environment.

The Guide sets out how the board can understand as much as possible about cyber security risks, how they can stay informed and the questions they should be asking to mitigate cyber risks.

Read the ACSC Guide here.

Optus Data Breach – the risks of data over – retention

by

optus data breach

The Optus Data Breach incident has shed some much-needed light on the need for robust, top-down board governance over organisational data and information. It is evident that this attack has demonstrated the need for organisations to sufficiently invest in cyber-attack prevention, detection and response. While the Optus data breach is still under investigation, the consensus from government statements and external experts seems to be that that human error played a significant part in this data breach. It is not uncommon for human factors to either cause or amplify technical weaknesses resulting in a data breach, about one-third of all reported personal data breaches from OAIC’s Notifiable Data Breaches Reports are attributed to human error as the primary factor.

Whether data breaches are caused by human error or technical fault, security experts widely agreed that organisations should consider data breaches a question of ‘when’ rather than ‘if’. This in turn means that senior executives and board members should ensure they have a good grasp of the ‘what’ and ‘where’ of data within their organisation. These are important factors not only for general information governance, but key elements for implementing an effective data collection, use and disposal lifecycle which is crucial for mitigating the impact of future data breaches.

The causes of over-retention

Most organisations – businesses and government agencies alike – are collecting and generating exponentially increasing volumes of data each year.   Fewer organisations are successfully disposing of data that is no longer needed for regulatory retention requirements or for business purposes, as required under Australian Privacy Principle 11.3.  This may be due to a desire to retain data for commercial purposes, misunderstanding of regulatory requirements, low costs of data storage, difficulties in implementing data disposal policies in complex technical environments or a combination of all these factors.

Optus has indicated it was keeping identity information obtained from new customers for up to six years as per the requirements of the Telecommunications Consumer Protections Code.  However much of the significant personal information apparently lost in this breach, such as passport, licence or Medicare details, would not seem to be required for compliance with this Code. It would appear that a telecommunication provider would only need to retain this level of information to meet requirements under the Telecommunications (Interception and Access) Act 1979 which requires them to retain specific communication metadata and customer identification information for two years.

As the Attorney- General, Mark Dreyfus said, “They don’t seem to me to have a valid reason for saying we need to keep that for the next decade.”  The challenge for governments and regulators is to ensure that regulations clearly set out the retention periods for specific categories of data, along with sufficient penalties for compliance failure. As it stands it is common for organisations to have a default retention period of 6 or 7 years for all categories of documents, and it is also less common for organisations to have implemented robust data retention lifecycle regimes which ensure that data and information is permanently deleted when it is no longer required.

The risks of over-retention

Until an organisation has faced a significant data breach it is difficult to comprehend the resources needed to respond, contain and remediate a significant data breach, along with the stress and costs involved in responding to stakeholders, media and regulators.  The extensive media coverage of the Optus data breach and associated reputational damage, provides an opportunity for boards and senior executives to consider how effectively data and information is, or perhaps is not, governed within their organisations.

While the EU General Data Protection Regulation (GDPR) set the global benchmark for privacy regulations in 2016, the long awaited overhaul of Australia’s Privacy Act is still pending.   The updated Privacy Act is likely to substantially increase fines meaning Australian organisations will have an increased regulatory incentive to improve personal information lifecycle management and training of staff to protect personal information.

Failure to properly govern and protect information assets and implement a robust data lifecycle management program poses significant risks for all organisations.

How organisations can respond

Rather than focusing solely on cybersecurity, a more holistic top-down governance model is needed to manage data as part of the information assets across the enterprise.  This coordinated approach is both more effective in managing risks and enables organisations to maximise the value of data and information in accordance with the organisation’s overarching strategic objectives.

A key challenge facing boards and senior executives is ensuring their organisation understands where sensitive data and information resides and that it is adequately secured and protected including appropriate classification, controls around use, re-use and storage, and permanent disposal of data in accordance with regulatory requirements. While responsibility for these activities have often been separated into differing organisation silos, effective information governance requires that each aspect is coordinated and aligned holistically across the organisation.

To achieve this aim, organisations should be allocating sufficient budget investment into internal governance of data and information activities including: alignment of internal policies and procedures to adequately secure and protect data; continual training and upskilling of staff; and internal auditing to ensure the policies and procedures are being adhered to along with identification and remediation of gaps.

Author

Susan Bennett, LLM(Hons), MBA, CIPP/E, FGIA, GAICD

Founder and Executive Director InfoGovANZ

2022 Information Awareness Month One Day Seminar

by

This year’s Information Awareness Month One Day Seminar took place at the iconic Institute Building (1861), the first public cultural building in South Australia and was also livestreamed. The theme was “Building Trust in Information” and discussions revolved around facets that we need to trust in order to have trust in information. These included trust in people, process, technology and government. The seminar opened with remarks from Geoff Strempel, Director, State Library of South Australia. As a society we are “drowning in data” and in a knowledge economy IM practitioners are the trustees of information. A huge challenge is the massive data sets that need computers and machine learning to extract patterns and interpretations, but human intellect is still required to assess the outcomes and ultimately arrive at wisdom. ML and AI also raise ethical and privacy dilemmas as technology enable computers to essentially have free reign across the data. […]
Member only content (join now or login)

OAIC Data Breach Notification Report

by

The Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches Report highlights how OAIC expects entities to prevent and respond to data breaches caused by ransomware and impersonation fraud. The OAIC received 446 data breach notifications from January to June 2021, with 43% of these breaches resulting from cyber security incidents. Data breaches arising from ransomware incidents increased by 24%, from 37 notifications in the last reporting period to 46. Read the latest report here.
Member only content (join now or login)

Cyber Risk Management and the Value of Cyber Insurance

by

The technology revolution has created unprecedented developments in the way that business is transacted, how information is obtained, how we communicate with each other and how data is sourced and stored. The reality of these developments has also lead to unparalleled increases in the ability of criminals to act in a digital environment rather than in the physical world and cyber crime has never been more financially rewarding. Cyber risk and cyber exposure exists for every business that uses technology and connects to any form of information systems and networks. Size of business, industry factors and reliance on technology for critical operations can increase cyber risk vulnerability, but no business is immune.  Managers are faced with the challenge of protecting against cyber risk and implementing strategies and procedures to safeguard against the potential loss and damage suffered in a cyber event. Cyber risk management is a holistic approach to evaluating […]
Member only content (join now or login)

OAIC Data Breach report: January – June 2020

by

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches (NDB) Report for January to June 2020. Malicious or criminal attacks remain the leading cause of data breaches involving personal information in Australia.    Commissioner Angelene Falk said,  'this trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks. It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.' In other findings: Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors, and the insurance industry making the top 5 sectors for the first time. The number of notifications resulting from social engineering or impersonation has increased by 47%. Actions taken by […]
Member only content (join now or login)

Information Security Risk Management Practitioner Guide – OVIC

by

The Office of the Victorian Information Commissioner (OVIC) issues security guides to support the Victorian Protective Data Security Standards (VPDSS). This document provides organisations with guidance on security risk management fundamentals to enable them to undertake a Security Risk Profile Assessment (SRPA) as required under s89 of the Privacy and Data Protection Act 2014(PDP Act) and is designed to support practitioners and information security leads.
Member only content (join now or login)

Information Governance + COVID-19 Roundtable Report

by

To celebrate Information Awareness Month (IAM2020) and Privacy Awareness Week (PAW2020), we kicked off with an online panel discussion on the myriad of Information Governance issues arising from the COVID-19 pandemic. Our panellists included – Melanie Marks, Christopher Colwell,  Sonya Sherman, Dr Peter Chapman, Matthew Golab and the discussion was facilitated by Susan Bennett.  The importance of connectivity and of access to trusted information, the role of fit for purposes systems to capture records during a crisis and accountability for decisions made during the pandemic period were all highlighted. Discussion around the COVIDSafeApp emphasised that privacy by design and governance of data are key for user trust.  A key focus of the discussion were increased information security and cybersecurity risks with the move to working from home.  These include the risks of data leakage, data breach, shadow IT and cyber-crimes. In summary, the discussion emphasised that the myriad of information, records, […]
Member only content (join now or login)

Broken Trust – The Information Security Dangers of Insider Threats

by

  The increasing awareness of external cyber-security threats has executives focused on how their organisation can be defended against the “enemy at the gates”. But are organisations just as much at risk from an “enemy within”? In this article Dr Peter Chapman, Director in the Ferrier Hodgson Forensic Technology and eDiscovery team and InfoGovANZ advisory board member, provides an opinion and case study on insider threat. The media provides us with constant reminders of the threat of cyber-criminals and other external attackers. Recent legislative and regulatory changes such as the European Union GDPR requirements and mandatory breach notification amendments to the Australian Privacy Act have only increased our awareness, specifically with regards to ensuring that personally identifiable information (PII) in the possession of the organisation is safeguarded. While PII data is undoubtedly a target of external attackers, and external threats must be guarded against, organisations may be overlooking significant insider […]
Member only content (join now or login)

Information Security & Information Governance – how they work together

by

Information (data) security, cybersecurity and IT security all usually refer to the protection of computer systems and information assets by suitable controls, such as policies, processes, procedures, organizational structures and software and hardware functions. The type and extent of controls depends on the scope and maturity of the business function (usually the Security Department) applying the controls, or, depends on the specialisation/focus of the team, such as Perimeter/Firewall or Identity Management. Each function tends to have a different perspective of information security, compared to other functions, due to their focused specialisation. A close parallel is the health profession. You see a GP doctor when unwell, and are referred to a specialist who knows much more than your GP about a particular field of expertise. I know that my GP would not want to perform open heart surgery at all. And equally, a heart specialist would not have up-to-date and practical […]
Member only content (join now or login)

Cyber Insurance: how it works and the benefits of Information Governance

by

  As the number and size of cyber attacks on businesses continues to increase, the risk of experiencing a data breach is higher than ever. The resulting cost of these breaches can be significant – according to the Ponemon Institute’s 2017 Cost of Data Breach Study, these totalled $2.51 million per year across the organisations that were recruited for the research. As a result, an increasing number of organisations are choosing to invest in a cyber insurance policy, which allows them to claim cyber incident response expenses, regulatory fines, legal defence costs and business interruption losses. In other words, offset the cost of a potential data breach. This article outlines the benefits of cyber insurance and explains why, in today’s digital age, it is vital for organisations to invest in this class of insurance, in addition to understanding the information governance obligations that their insurance policy places on them. What […]
Member only content (join now or login)