The inevitable breach — what you need to know

Traditional data security methods don’t work anymore, so it’s time to move towards a ‘secure breach’ approach.

The federal government’s plan to implement mandatory data breach notifications speaks to the inherent value of personal information and the rights of individuals to be alerted when the control of that information has been taken from them — from home addresses and phone and banking numbers, to images and videos, shopping behaviours and even health card and passport numbers.

The recent momentum for the Bill, currently making its way through parliament, has been driven by relentless news of security breaches and loss of personal information.

If we’ve learned anything from recent events, it’s that we have a growing data security crisis and Australia is a primary target. As we watch hackers hone in on data critical to our lives and our businesses, we need to develop a mindset that accepts attackers will find a way in — but that our critical data is protected so it doesn’t make its way out.

National regulations — in the form of mandatory breach notifications — support encryption strategy by holding accountable those that fail to protect the most sensitive information through robust encryption solutions.

Under the draft Bill, organisations will be required to alert people affected by a compromise of their personal data if there were a risk of serious harm posed by the release of the information. Companies currently report breaches to the Privacy Commissioner on a voluntary basis.

The Bill offers an opportunity for government to provide clear guidance, so long as the legislation applies to all and signals to both government agencies and commercial organisations that they cannot afford to take an isolated view of information security mapped to budget allocations.

All stakeholders must be confident they can trust the digital infrastructure and that their transactions and information are ultimately safe — even in the event of a successful cyber attack. This confidence requires a combination of government and business initiatives, with government setting the regulatory framework for everyone — including government agencies.

Avoid the spotlight

But why is regulation being introduced? What does it mean for decision-makers across all levels of government and suppliers to government? What do you need to know?

The new regulation will have major implications on the way in which data is collected, stored, accessed and secured. Most importantly, it will require an entirely new mindset when it comes to securing data, what is considered a serious breach and the steps an organisation must take in response to one. These steps cannot be actioned overnight and require careful planning by IT departments, security teams and those in charge of mitigating business risk across public and private sector organisations.

The word data often appears insignificant but when you define data as personal information it’s not difficult to understand why some details should be guarded more closely. Those with lax security will be put in the spotlight with the requirement to notify both authorities and affected individuals when a data breach occurs. And being breached is not a question of ‘if’ but ‘when’.

Current legislation does not yet give clarity to what is considered sensitive information and what constitutes a ‘notifiable data breach’. But you can bet if you hold identifiable information on individuals you will be held liable — and the penalties for a data breach could involve not only monetary loss and legal proceedings but also irreparable reputation damage.

The Bill offers an opportunity for decision-makers to act now in order to be compliant when legislation passes, to implement robust security measures and signal that government agencies and suppliers to government won’t risk the loss of citizens’ sensitive information by taking a relaxed approach to information security.

Responsibility and engagement

So where can you start? Let’s face it — traditional data security methods don’t work anymore, so it’s time to move away from breach prevention and towards a ‘secure breach’ approach.

Here are four recommendations for IT and security professionals:

1. Out with the old, in with the new. Today’s security strategies are dominated by a singular focus on breach prevention that includes firewalls, antivirus, threat detection and monitoring. But if history has taught us anything, it is that walls are eventually breached and made obsolete. The next and last layers of defence need to focus on both the data and the individuals that access the data, by surrounding them with end-to-end encryption, authentication and access controls that provide the additional measures necessary to protect citizen data.

2. Protect citizen data as if it were your own. If you want to help your department or agency earn and retain trust, you have to view the protection of sensitive customer data not just as a regulatory mandate but as a responsibility essential to your success. Being a better steward of customer data is not just good public relations, it is good business sense, too.

3. Transparency is the road to trust. Put security front and centre and tell stakeholders about the security measures your department or agency has put in place to protect its data. The industry is much more open about what they are doing to protect customer data following the most recent breaches. If you’re doing something better than the rest of the industry, like encrypting data end to end, then you might be seen as a trusted innovator.

4. Security is a two-way street. Just as you tell customers what you are doing to protect them, tell them what they need to do in order to protect themselves. If a customer experiences identity theft or a data breach while doing business with your department or agency, your reputation suffers. A better-educated consumer is a safer consumer of your services.

IT and security teams need to adopt a data-centric view of digital threats and start with better identity and access control techniques such as multifactor authentication and the use of encryption and key management to secure sensitive data. That way, if the data is stolen it is useless to the thieves.

Image courtesy Quinn Dombrowski under CC BY-SA 2.0