Australian organisations must be aware of their responsibilities surrounding data breach legislation – and that includes making sure any Internet of Things (IoT) devices are properly secured.
Networks need to be fully compliant – and that includes devices and applications used by contractors, third parties, and guests that plug into the network, says Wavelink.
“Organisations must also realise the value of the data they possess. Contractors, third parties, and guests plugging into the company’s Wi-Fi network must be limited to accessing only the data they require. Everyone, including third parties, must comply with company security policies and practices,” comments Wavelink’s national business developer for Fortinet, Hugo Hutchinson.
“Security breaches affect a company’s reputation and may result in significant consequences, with the cost and ramifications following a security breach potentially far more than the cost of initial investment in adequate protection measures.”
Eligible Australian businesses must now report notifiable data breaches (NDB) to the Office of the Australian Information Commissioner (OAIC). The OAIC’s first published quarterly report found 63 breach notifications were received in the first six weeks alone, the company says.
With the introduction of Europe’s General Data Protection Regulation (GDPR) in May and other countries, including New Zealand, expected to introduce similar legislation, organisations need to comply with more regulations than ever. For example, GDPR affects companies in any country that do business with customers in Europe, which means many Australian companies could be subject to the legislation and some might not even know it.
IoT devices are of particular concern, the company notes. They include wearable technology, voice-activated devices, and smart appliances. Because they don’t generally come with inbuilt security, they are vulnerable to unauthorised access.
“Schools and hospitals are subject to NDB requirements and they tend to be prolific users of IoT devices, as well as having hundreds of users, including guests, accessing their networks. These organisations must operate an appropriate security and compliance system otherwise they may be held liable for any breaches that may occur,” Hutchinson says.
Businesses must be able to see IoT devices on a network, authenticate, and classify them so they can be protected. That requires visibility, segmentation, and protection through an entire infrastructure.
“Businesses shouldn’t assume that IoT devices are inherently secure because they’re not. Before connecting any IoT device to the network, businesses must change the default usernames and passwords at a minimum. From there, it’s still crucial to implement a security solution that delivers visibility and control into what devices are connected and how they’re being used,” Hutchinson concludes.