The Australian Government must learn from US data breaches

By Phil Vasic, ANZ Regional Director, FireEye
Wednesday, 19 August, 2015

Data breaches are inevitable — what’s important is how quickly we react and the steps we take to minimise the damage.

In the past 18 months, the personal details of more than 27 million US citizens have been compromised in various cyber attacks against government departments; it is the equivalent of every Australian and New Zealand resident combined having their data breached. To put this into perspective, an average of 49,000 people have had their personal data exposed every day for the past 18 months as a result of these attacks.

As cyber attacks against US Government agencies continue to make headlines across the globe, the Australian Government should consider its own cybersecurity or risk becoming the follow-up story.

Prime Minister Tony Abbott recently held a roundtable summit on tackling cybersecurity, where it is understood calls were made for private and public agencies to share more information about cyberthreats.

However, the government needs to go even further to improve Australia’s cybersecurity. It should legislate that certain data breaches affecting citizens must be disclosed to the public.

The truth is, breaches are inevitable. What we can control, however, is how quickly we react and the steps we take to minimise the damage.

In an assessment of 1200 organisations last year, we observed that more than 95% were breached and the vast majority were unaware. More than a third were actively compromised; someone was sitting at a keyboard somewhere else in the world in control of their computers and the victims had no idea.

Today, if someone wants to break into your network, they will. Methods such as email spear phishing — where a malicious attachment or a link to a weaponised website will cause the victim to unknowingly download malware — give the attacker control of the target computer by exploiting security’s weakest link: people. The attacker can then take steps to maintain their presence and compromise additional machines to hunt around the environment for the data they’re after.

But in Australia, we compound the problem because organisations are not obliged to disclose the fact they have been breached to the public. If a breach isn’t made public, there is no way for the business impact to be assessed. For example, if a government contractor is breached and the agencies it deals with are unaware of it, attackers can easily turn their attention to government systems.

One of the best weapons in our arsenal for defending against attacks is shared intelligence. If an attack isn’t made public, those affected don’t even know that they need to take steps to avoid having bank accounts drained or their identities stolen.

When a breach occurs, there is a window of opportunity for that intelligence to be shared with other organisations so they can take measures to defend themselves against similar attacks. This can’t happen if companies keep the information private.

Without breach disclosures, we can be lulled into a false sense of security and, consequently, we’ll continue to let most breaches go undetected.
