Story image

Looking at what lies ahead in a Post-NDB world

16 Mar 2018

Article written by Fortinet A/NZ senior regional director Jon McGettigan

After months of waiting, last month the Notifiable Data Breach (NDB) legislation came into effect in Australia, bringing us in line with many nations across the world who have similar laws in place. After the long anticipation, however, the question now is ‘what’s next?’.

GDPR too is just around the corner, with a whole range of new implications for organisations which are active in the EU. The new reality is that NDB is going to help organisations realise there are unknown threats out there. With the legislation in place, non-compliance is no longer an option.

Because of NDB, businesses with lax security will now be put in the spotlight and must notify both authorities and affected individuals once they have reasonable grounds to believe there is an eligible data breach. Businesses who don’t commit to protecting their customer’s data will finally have to face the consequences, and for many, this will be a big wake-up call.

According to data from the Attorney General’s Office (Identity Crime and Misuse in Australia 2016), 5% of Australians, in other words, almost one million people, were exposed to a breach of their private information in 2016 bringing the total economic impact of identity crime in Australia to approximately $2.6b per year.

Non-compliance with the legislation is only set to see the number of reported breaches rise and consumers exposed, as organisations who previously kept breaches under wraps now have to come clean. The repercussions for non-compliant organisations are also steep and we are yet to see the full spectrum of how this will be managed when a large-scale breach occurs.

But compliance is more than just meeting regulation commitments, it’s about adapting to a threat-aware, risk-based approach. There’s a broad scope of readiness among Australian businesses; some have encrypted and properly stored their data well and truly ahead of the legislation coming into effect. Others may not have even started their NDB readiness journey, too overwhelmed or not sure where to start.

NDB will hopefully shift the dial on the way organisations think about the threats they face and the necessary steps to mitigate risks before a breach occurs.

So, how can organisations adopt this threat-aware, risk-based approach?

Time Sensitivity

The challenge is to detect when a qualifying breach has taken place and determine which assets might be at risk within the 30-day specified timeframe of NDB. The organisations, therefore, need to have data security as an integral part of all systems from the outset, rather than something applied in retrospect.

Minimising Exposure

Taking the approach to always anticipate and avoid risks where possible, it is necessary to minimise both the number of network intrusions and their time to detection. This reduces exposure to the potentially crippling implications of a serious data breach. A new approach to security in which all key components of the security infrastructure are woven together into a seamless fabric is the way forward.

Risk Assessment

Running a full risk assessment is a useful exercise too. This highlights any potential issues and helps you avoid further problems down the track by managing risks before they become a big problem. It also helps your organisation be quick to identify when breaches have happened and report in line with NDB’s requirements.

If your organisation doesn’t have the correct processes and systems in place, it’s not too late to adopt a threat-aware, risk-based approach. Taking the proper steps to manage issues before they arise will help keep you on the right side of compliance and your organisations’ wellbeing intact.

ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Managing data to comply with privacy regulations - Micro Focus
It’s crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.