The Australian Notifiable Data Breach Legislation – What it means after a year.

Author: Fergus Brooks, CTRL Group Chief Risk

The Office of the Australian Information Commissioner (OAIC) released a report after the end of March this year to summarise the results of their findings since the inception of mandatory breach notification (Notifiable Data Breach – NDB) in February 2018.

Here is a link to the report: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-scheme-12-month-insights-report

The findings are very interesting as Australian organisations come to terms with regulation around privacy breaches involving personal data.

As a security consultant who has been working with organisations on cyber security since the early days of the internet, I have some key takeaways from the report:

  • 964 eligible data breaches were notified to the OAIC in this period
  • This is a 712% increase in notifications compared with the previous year, when notification was still voluntary (pre-NDB)
  • The majority (60%) were due to malicious or criminal attacks
  • 35% of the reported breaches were due to human error
  • My own conclusion from this: Australian organisations are woefully unprepared to deal with this risk

Everyone who knows me will agree that I bang on about cyber incident response planning and testing constantly. That is because, once a cyber incident happens (and it will), the only way to reduce the damage is to handle it well.

I have had many conversations with organisations who are focussed on building castles to secure their customer data. I haven't had many satisfactory conversations, even with organisations that hold my own sensitive data.

I will go as far as to say that Australian organisations are woefully under-defended and unprepared for being targeted by organised criminals who make a profit from stealing people's personal details.

The key things that are missing, or simply not good enough, are:

  • Organisational understanding of employee cyber risk culture
  • Security awareness training
  • Board, executive leadership and risk committee understanding of the gravity of the issue
  • Incident response planning and testing

Also, to those organisations that tell me they have the best firewalls and the best endpoint security: look at the stats above. 35% of reported eligible breaches were the result of human error, which no firewall will stop, and 60% were due to malicious intent, where a determined attacker will eventually find a way through.

Organised criminals are coming after the data that you hold. They are committed and they will get in.

We have a 100% success rate in the paid red-teaming and capture-the-flag exercises we run for our customers. If we can get in, so can the crooks. And at any time Dave the IT guy can lose his laptop. (Sorry, Daves.)

A bit of a rant, I know, but I am consistently frustrated, so here is some advice:

  • Profile your cyber risks into a risk register
  • Prepare for the worst: cyber incident response planning
  • Integrate your cyber incident response plan with your crisis management and crisis communications plans; you may find there is not too much work to do
  • Escalate concerns and strategy to the highest levels of management; seek their support and sponsorship
  • Embark on an advanced cyber security awareness program
  • Build or modify your response plans and TEST THEM! Your plans are only as good as their last test
  • If it is all a bit much, engage with consultants (like us). Also consider cyber insurance: all the good cyber insurers have incident response capabilities built in to their policies
  • Have experts monitor your security; a third-party Security Operations Centre will greatly improve your peace of mind

The CTRL Group team are always available to have a chat and discuss how our services can help your organisation. Please get in touch with us via [email protected]