
Data Breach Reporting Laws Hit Australia with Serious Implications for Businesses

February 22 marks the date Australia finally rolls out its long-awaited data breach notification laws. After years of back-and-forth, handballed from minister to minister, Australia has reached a point of maturity when it comes to lawfully disclosing serious breaches of personal and business data.

The news is likely to be music to the ears of consumers, who have been left in the dark by businesses sweeping breaches of sensitive information under the carpet.

Under the new laws, all organisations covered by the Australian Privacy Act will be accountable to the Notifiable Data Breaches (NDB) scheme. If an unauthorised person or entity accesses personal information, where it is likely to cause serious harm to that individual, the data breach will have to be reported to the Office of the Australian Information Commissioner (OAIC), as well as the individuals affected.

But, in 2018, it’s shocking to hear reports that Australian businesses still feel unprepared for the rollout of these laws. Businesses will soon be responsible for instant reporting of compromised data, incurring fines of up to AU$360,000 for individuals and AU$1.8 million for organisations. There are huge financial and brand risks at stake.

Cybersecurity is as imperative to businesses as the internet connection that helps them get their work done. If you’re one of those businesses feeling a bit shaky and unprepared for this change, here’s what you need to do.

Don’t get complacent

For businesses, one of the hardest things to measure is preventative costs against an unknown benefit — you don’t know what you might lose until you lose it.

It may seem obvious that data breaches occur when data is hacked, but breaches aren’t limited to malicious activity. Human error within an organisation can also be at play — for example, staff failing to follow internal protocols, leading to the accidental loss or disclosure of information.

Other ways data breaches may occur:

  • Lost or stolen laptops, tablets, smartphones
  • Removable hard drives or USBs containing privileged information being passed on to other users without proper clearance or having these devices stolen
  • Hacked cloud and physical databases that contain personal and private information
  • Paper records stolen from unsecured bins/filing cabinets
  • Employees sharing privileged information outside of an organisation without the proper authority

What businesses should do to prepare (at the very least)

The Australian Signals Directorate (ASD) has published a cybersecurity baseline known as the “Strategies to Mitigate Cyber Security Incidents,” a prioritised list of initiatives to enhance computer security. The “Essential Eight” are the most fundamental elements of this list, ensuring good security habits are employed throughout the organisation. The guidelines are best used as a baseline to sense-check current security protocols, then adapted to the specific needs of the business.

Here are the eight guidelines at a glance:

  1. Whitelist applications: Whitelisting applications allows only trusted applications to run on your network.
  2. Patch applications: Patching known security vulnerabilities in a timely manner is one of the simplest and most effective steps an organisation can take to ensure the security of its network and environment.
  3. Disable untrusted Microsoft Office macros: Automating routine tasks with Microsoft Office is convenient. However, macros can contain malware or malicious commands and often result in unauthorised access to sensitive information or the manipulation of critical data. The use of macros should be restricted to signed and trusted macros. Macros should also be routinely audited to determine whether each one is still needed.
  4. Harden user applications: In environments where web browsing is allowed, common avenues for attack include malicious websites, advertisements and emails with infected attachments. The ASD recommends that administrators block web browser access to Adobe Flash and untrusted Oracle Java applications.
  5. Restrict administrative privileges: Due to staff turnover, overlooked default accounts or ease of use, there may be administrator accounts that grant far more privilege than needed and can be used to make significant changes or bypass critical security settings. Administrator privileges should be restricted to only those users who need them.
  6. Patch operating systems: Operating system vendors continually issue patches to remedy security vulnerabilities. Applying patches in a timely manner is essential to ensuring both the security of a system and the security of the data within it.
  7. Multifactor authentication: Strong access controls, like multifactor authentication, can prevent an attack from compromising a system.
  8. Daily backup of important data: The daily backup of important data has never been more critical, as attackers develop increasingly sophisticated ransomware tools like Petya and WannaCry. Daily backups of important data, and the secure storage of that data offline, ensure that your organisation can recover data in the event of a cybersecurity incident.

Following each of these steps is a good starting point for creating a secure environment for your organisation. For a deep dive into the Essential Eight, read the ASD 8 whitepaper.
