Applying best practice identification to prepare for Notifiable Data Breaches
With amendments to the Privacy Act coming into effect from February 2018, Australian organisations need to be ready. Although the Notifiable Data Breach scheme focuses on an organisation’s ability to comply with their response obligations, those organisations with a comprehensive cyber security program that addresses incident identification will put them in a good position to also understand "what happened?" in the case of a breach.
While data breach impacts vary across organisations, the latest Ponemon ‘Cost of a Data Breach’ report found that the average total cost of a data breach to an Australian organisation reached $2.51 million, with the average cost per lost or stolen record at $139.
From February, this risk will be even more quantifiable for organisations, as penalties loom and organisations are required to disclose, and therefore investigate, breaches.
The Notifiable Data Breach (NDB) scheme will mean businesses could be facing penalties of up to $360,000 for individuals and $1.8 million for body corporates, if they are not compliant with the legislation, not to mention the additional risk of reputational damage to both businesses and individuals.
Although the prominence of breaches are at an all-time high, the average time for an Australian organisation to identify a breach is still 175 days. However, to meet the requirements of the NDB scheme, if an organisation is aware that there are reasonable grounds to suspect that it may have suffered an eligible data breach, it must carry out a reasonable and expeditious assessment of that suspected breach within 30 days.
With this in mind, it is clear that organisations need to focus on bringing down the number of days it takes to identify a breach, so each can be efficiently investigated and contained.
As speed of detection and response is critical, organisations ultimately need technologies and processes to help identify a breach as soon as possible.
This includes deployment of cyber security analytics technologies to collect information that help to both detect incidents as well as quantify the scope of damage. While the NDB may be new, many mature organisations already have a range of technologies in place to help address these requirements.
However, the NDB amendments to the Privacy Act is likely to drive those organisations to assess and adjust, or simply reinforce the need to fund or establish new practices which will better secure and protect consumer data.
Best practices for identifying a breach
1. Data is critical for analysis
If the first challenge is to identify a breach event, the next is to understand the scope of damage. A comprehensive cyber security capability that governs and monitors access to personal identifiable data will provide the best opportunity to gain attack insights.
Armed with the data, analytical processes can be applied to help understand the breach impact, and therefore the scope of notification required. Such insight can then be used to prioritise new cyber security practices that specifically address the vulnerability.
In addition, mature cyber security analytics tools draw on global threat intelligence to understand whether an attack is related to others. If an orchestrated response process is initiated, it is the data discovered during this phase that will help to drive the incident response process toward a timely conclusion, and thereby minimise the impact to the organisation’s reputation.
2. Learn from the experiences of others
They say there’s no such thing as a new idea, and the same is arguably true of a cyberattack. Most attacks make use of exploits that other organisations have been subjected to in the past.
By being aware of common attacks, organisations can be on the front foot to identify any weaknesses in the capacity to detect or protect against such issues.
Like assessing software vulnerabilities, and putting in place remediation activities to avoid exploitation, the same can be said for ensuring that cyber security teams are aware of those common, public exploitations that may expose your organisation to threats.
3. Evaluate the value in what you have, and what you might have lost
Given the average time it takes to discover a breach, investigation relies on historical data that may have been archived. This will make it difficult for organisations to understand whether a serious breach occurred, and subsequently the scope of damage.
Organisations should focus on the identification of the repositories that store and transmit customer data. Refining collection down to a distinct set of systems will help to manage the data that’s needed to ensure efficient investigation for when an incident becomes known. Such an approach ultimately leads to improved detection and containment times.
NDB covers the steps required to be completed as part of the aftermath of a breach. While it’s true organisations should do everything within their power to ensure their organisation, and their customers' data is secure, they should also be mindful of the “what if’s”.
Having the means to identify a breach may give organisations a chance to quantify and may even prevent serious damage. Containing a breach as quickly as possible will also help to reduce the cost.
Following not only the best practice of defence, but also of detection, helps organisations approach their cybersecurity set up holistically. Where a hacker has successfully taken advantage of a vulnerability, the saving grace may be in detecting and identifying those activities as soon as possible to best contain the damage.
Article by IBM Security Australia CTO Chris Hockings.