Story image

Looking at what lies ahead in a Post-NDB world

16 Mar 18

Article written by Fortinet A/NZ senior regional director Jon McGettigan

After months of waiting, last month the Notifiable Data Breach (NDB) legislation came into effect in Australia, bringing us in line with many nations across the world who have similar laws in place. After the long anticipation, however, the question now is ‘what’s next?’.

GDPR too is just around the corner, with a whole range of new implications for organisations which are active in the EU. The new reality is that NDB is going to help organisations realise there are unknown threats out there. With the legislation in place, non-compliance is no longer an option.

Because of NDB, businesses with lax security will now be put in the spotlight and must notify both authorities and affected individuals once they have reasonable grounds to believe there is an eligible data breach. Businesses who don’t commit to protecting their customer’s data will finally have to face the consequences, and for many, this will be a big wake-up call.

According to data from the Attorney General’s Office (Identity Crime and Misuse in Australia 2016), 5% of Australians, in other words, almost one million people, were exposed to a breach of their private information in 2016 bringing the total economic impact of identity crime in Australia to approximately $2.6b per year.

Non-compliance with the legislation is only set to see the number of reported breaches rise and consumers exposed, as organisations who previously kept breaches under wraps now have to come clean. The repercussions for non-compliant organisations are also steep and we are yet to see the full spectrum of how this will be managed when a large-scale breach occurs.

But compliance is more than just meeting regulation commitments, it’s about adapting to a threat-aware, risk-based approach. There’s a broad scope of readiness among Australian businesses; some have encrypted and properly stored their data well and truly ahead of the legislation coming into effect. Others may not have even started their NDB readiness journey, too overwhelmed or not sure where to start.

NDB will hopefully shift the dial on the way organisations think about the threats they face and the necessary steps to mitigate risks before a breach occurs.

So, how can organisations adopt this threat-aware, risk-based approach?

Time Sensitivity

The challenge is to detect when a qualifying breach has taken place and determine which assets might be at risk within the 30-day specified timeframe of NDB. The organisations, therefore, need to have data security as an integral part of all systems from the outset, rather than something applied in retrospect.

Minimising Exposure

Taking the approach to always anticipate and avoid risks where possible, it is necessary to minimise both the number of network intrusions and their time to detection. This reduces exposure to the potentially crippling implications of a serious data breach. A new approach to security in which all key components of the security infrastructure are woven together into a seamless fabric is the way forward.

Risk Assessment

Running a full risk assessment is a useful exercise too. This highlights any potential issues and helps you avoid further problems down the track by managing risks before they become a big problem. It also helps your organisation be quick to identify when breaches have happened and report in line with NDB’s requirements.

If your organisation doesn’t have the correct processes and systems in place, it’s not too late to adopt a threat-aware, risk-based approach. Taking the proper steps to manage issues before they arise will help keep you on the right side of compliance and your organisations’ wellbeing intact.

Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Security platform provider Deep Instinct expands local presence
The company has made two A/NZ specific leadership hires and formed several partnerships with organisations in the region.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.