Why NDB compliance starts with the “essential” security basics
It almost goes without saying that data breaches have become a headline-making daily occurrence. Locally there have been numerous high profile data breaches in the past few months, with both public sector and private sector organisations being targeted.
Just to name a few: the Department of Finance, the Australian Electoral Commission, the National Disability Insurance Agency, the Department of Defence, Medicare, AMP, UGL, the Australian Red Cross, Dominos and most recently Uber have all suffered breaches of Australian customer data over the last couple of months.
It's alarming that even Uber, a company commonly regarded as a major digital disrupter, seemingly forgot the cybersecurity basics and failed to provide proper governance. Moreover, what most of the breaches mentioned above have in common is that the hackers got in through security vulnerabilities that could have been avoided by following basic "cyber hygiene" procedures.
For instance, the recent hacking of an Adelaide defence industry contractor, in which commercial details of military aircraft were stolen, revealed that the attackers had gained access by exploiting a 12-month-old vulnerability in the company's IT helpdesk portal. The ASD also found the contractor had not changed the default passwords on its internet-facing services.
With the federal government's Notifiable Data Breaches Act (NDB) taking effect on 23 February, it will no doubt become clear within just a few months how prevalent data breaches really are.
This will require organisations with an annual turnover of more than $3 million (AUD) to notify affected customers and report the theft of personal information to the Office of the Australian Information Commissioner (OAIC).
Organisations that fail to meet the requirements will face fines that could reach more than $1 million. "Doing an Uber" will be unlawful so organisations need to be working even harder to get their technology, people and processes ready for compliance.
Getting the basics right
Most cyber attacks are successful because companies struggle with the security basics. Many organisations are focusing disproportionately on reactive tactics rather than preventative strategies outlined by the Australian Signals Directorate's "Essential 8" cybersecurity strategies, which help organisations achieve a baseline cybersecurity posture.
The eight recommendations are divided into two groups. Four intend to prevent malware from running and the other four intend to limit the extent of incidents and recover data.
A key recommendation is for organisations to patch their operating systems and applications regularly. They also need to implement application control. For instance, the WannaCry ransomware attack could have been blocked by application control, and it would not have spread if the relevant vulnerability had been patched.
In addition, all unnecessary admin privileges need to be removed. Such steps have been mandated by organisations like the Australian Signals Directorate (ASD) as key to preventing ransomware. In fact, according to the ASD, application whitelisting, application and operating system patching and administrative privilege restriction could mitigate 85% or more of cybersecurity threats.
Penetration tests should also be carried out regularly; it's even worth getting friendly hackers to expose – and then patch up – any existing vulnerabilities.
There are also other layers of your cybersecurity defences to consider. User education is vital to stopping phishing emails, which are often the gateway to online fraud, from getting through. It is also important to back up data continuously to avoid the risk of data loss, and to configure Windows firewalls correctly to help stop the spread of ransomware.
However, patching and application control should be first on the list for any organisation looking to fortify itself against attack - and can go a long way toward reducing your attack surface.
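As an added example (not the article's or the ASD's code), here is a small Python audit that checks a constructed host inventory against the controls discussed above: patch age, whether application control is enforced, local administrator accounts outside an approved list, backup recency and, for internet-facing services, whether default credentials have been changed. The inventory, the thresholds, the host names and the account names are assumptions for illustration; the Essential 8 maturity model sets its own timeframes.

```python
"""Baseline audit of a host inventory against four of the basics discussed
in the article: patching, application control, admin privilege restriction
and backups. Added example; the data below is constructed, not real."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed thresholds for illustration; the Essential 8 maturity levels
# define their own patching and backup timeframes.
PATCH_MAX_AGE_DAYS = 30
BACKUP_MAX_AGE_DAYS = 1
# Constructed list of accounts that are allowed to hold local admin rights.
APPROVED_ADMINS = {"it-ops-admin", "breakglass"}

Finding = Tuple[str, str]  # (severity, description)


@dataclass
class Host:
    name: str
    internet_facing: bool
    last_patched: date
    app_control_enforced: bool
    local_admins: List[str]
    last_backup: Optional[date]
    default_credentials_changed: bool


def audit_host(host: Host, today: date) -> List[Finding]:
    """Return one finding per control the host fails."""
    findings: List[Finding] = []

    # Patching: internet-facing hosts that lag are rated higher.
    patch_age = (today - host.last_patched).days
    if patch_age > PATCH_MAX_AGE_DAYS:
        severity = "high" if host.internet_facing else "medium"
        findings.append((severity, f"patching: last patched {patch_age} days ago"))

    # Application control: unapproved executables should be blocked from running.
    if not host.app_control_enforced:
        findings.append(("high", "application control: not enforced"))

    # Admin privileges: any local admin outside the approved set is a finding.
    extra_admins = sorted(set(host.local_admins) - APPROVED_ADMINS)
    if extra_admins:
        findings.append(("medium", f"admin privileges: unapproved local admins {extra_admins}"))

    # Backups: missing or stale backups limit recovery from ransomware.
    if host.last_backup is None:
        findings.append(("high", "backups: no backup recorded"))
    elif (today - host.last_backup).days > BACKUP_MAX_AGE_DAYS:
        age = (today - host.last_backup).days
        findings.append(("medium", f"backups: last backup {age} days ago"))

    # Default credentials on an internet-facing service, as in the
    # contractor case the article describes.
    if host.internet_facing and not host.default_credentials_changed:
        findings.append(("critical", "default credentials still in use on internet-facing service"))

    return findings


def audit_inventory(hosts: List[Host], today: date) -> Dict[str, List[Finding]]:
    return {h.name: audit_host(h, today) for h in hosts}


def summarise(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count findings by severity across the whole inventory."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for severity, _ in findings:
            counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample inventory; the audit date is fixed so results are stable.
AUDIT_DATE = date(2018, 1, 15)
SAMPLE_HOSTS = [
    Host("helpdesk-portal", True, date(2017, 1, 10), False,
         ["it-ops-admin", "vendor-support"], date(2018, 1, 14), False),
    Host("finance-ws01", False, date(2018, 1, 2), True,
         ["it-ops-admin"], None, True),
    Host("fileserver", False, date(2017, 11, 20), True,
         ["it-ops-admin", "breakglass"], date(2018, 1, 12), True),
]

if __name__ == "__main__":
    result = audit_inventory(SAMPLE_HOSTS, AUDIT_DATE)
    for name, findings in result.items():
        print(name)
        for severity, text in findings:
            print(f"  [{severity}] {text}")
    print("totals:", summarise(result))
```

Running this against the constructed inventory flags the internet-facing helpdesk host on every control, which mirrors the point the article makes: an unpatched, default-credential portal is exactly the kind of basic failure that the NDB scheme will soon make visible to customers and the OAIC.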
If the "back to basics" approach is to succeed, organisations need to start viewing their security programmes proactively as opposed to reactively, to ensure that the necessary precautions are in place from the bottom up. Only then will we be on course to stop cybercrime in its tracks.
Ultimately, when it comes to security and IT, it's vital to get the basics right first - otherwise, your technological innovations will be built on incredibly weak foundations.