Story image

Looking at what lies ahead in a Post-NDB world

16 Mar 18

Article written by Fortinet A/NZ senior regional director Jon McGettigan

After months of waiting, last month the Notifiable Data Breach (NDB) legislation came into effect in Australia, bringing us in line with many nations across the world who have similar laws in place. After the long anticipation, however, the question now is ‘what’s next?’.

GDPR too is just around the corner, with a whole range of new implications for organisations which are active in the EU. The new reality is that NDB is going to help organisations realise there are unknown threats out there. With the legislation in place, non-compliance is no longer an option.

Because of NDB, businesses with lax security will now be put in the spotlight and must notify both authorities and affected individuals once they have reasonable grounds to believe there is an eligible data breach. Businesses who don’t commit to protecting their customer’s data will finally have to face the consequences, and for many, this will be a big wake-up call.

According to data from the Attorney General’s Office (Identity Crime and Misuse in Australia 2016), 5% of Australians, in other words, almost one million people, were exposed to a breach of their private information in 2016 bringing the total economic impact of identity crime in Australia to approximately $2.6b per year.

Non-compliance with the legislation is only set to see the number of reported breaches rise and consumers exposed, as organisations who previously kept breaches under wraps now have to come clean. The repercussions for non-compliant organisations are also steep and we are yet to see the full spectrum of how this will be managed when a large-scale breach occurs.

But compliance is more than just meeting regulation commitments, it’s about adapting to a threat-aware, risk-based approach. There’s a broad scope of readiness among Australian businesses; some have encrypted and properly stored their data well and truly ahead of the legislation coming into effect. Others may not have even started their NDB readiness journey, too overwhelmed or not sure where to start.

NDB will hopefully shift the dial on the way organisations think about the threats they face and the necessary steps to mitigate risks before a breach occurs.

So, how can organisations adopt this threat-aware, risk-based approach?

Time Sensitivity

The challenge is to detect when a qualifying breach has taken place and determine which assets might be at risk within the 30-day specified timeframe of NDB. The organisations, therefore, need to have data security as an integral part of all systems from the outset, rather than something applied in retrospect.

Minimising Exposure

Taking the approach to always anticipate and avoid risks where possible, it is necessary to minimise both the number of network intrusions and their time to detection. This reduces exposure to the potentially crippling implications of a serious data breach. A new approach to security in which all key components of the security infrastructure are woven together into a seamless fabric is the way forward.

Risk Assessment

Running a full risk assessment is a useful exercise too. This highlights any potential issues and helps you avoid further problems down the track by managing risks before they become a big problem. It also helps your organisation be quick to identify when breaches have happened and report in line with NDB’s requirements.

If your organisation doesn’t have the correct processes and systems in place, it’s not too late to adopt a threat-aware, risk-based approach. Taking the proper steps to manage issues before they arise will help keep you on the right side of compliance and your organisations’ wellbeing intact.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.