Logan Daley (Data#3)
Information assurance has always been important to those with ownership of critical data, but as each day passes, it becomes more complex.
Virtually all organisations maintain an online presence that contains a wealth of information about the people they interact with.
This data is a priceless asset to those who own and use it, and the responsibility for its security cannot be taken lightly.
For the most part, customers are aware of the new Notifiable Data Breaches (NDB) scheme requirements, but are not yet fully aware of how it impacts them specifically.
Customers must also understand what constitutes a breach and if it’s eligible for notification by objectively deciding if serious harm is likely.
When a breach meets the criteria for notification, the individuals whose information has been breached and the Office of the Australian Information Commissioner must be notified.
While many customers have been actively preparing for the NDB scheme to come into effect, there is an effort that remains.
We have been engaging with customers to ensure they understand their obligations, prepare for the scheme, and improve their security posture.
An important step in readiness is possessing the capability to reasonably ascertain that a breach may have occurred.
Many organisations have inadequate visibility over their data transactions and insufficient resources, including people, technology and budget. This could mean a breach occurred unbeknownst to the business.
Without doubt, the introduction of the NDB scheme will trigger an increase in information assurance investments including hardware, software and consulting services.
Growth has already been occurring across the cyber security industry and will further increase as customers bolster their defences, operational readiness and incident response capabilities.
The ability to determine if a breach has occurred through technical controls and to take remedial action must be a budgetary consideration for eligible entities. Even if exempt, all organisations should consider their customer obligations.
Some challenges facing our customers today include an outdated mindset that security is exclusively an IT problem and not a problem for the business.
Information assurance conversations must be about risks and business impacts; not just technology. All employees of an organisation must understand they bear responsibility in safeguarding the business’ data, and with the rise of mobile and cloud computing, the traditional workspace extends the office to the home and public spaces.
Limited resources, human, technical, and budget, means customers may be trying to do their best, but may need assistance to improve.
Our security practice leads with an assessment-based approach to help customers first understand their present security posture, which will enable informed decision-making.
By using both a shorter-term tactical approach and a longer-term strategic vision, we work with customers to develop an information assurance roadmap that evolves with them, adapting to the threat landscape and contextualised to their business and industry.
In 2018 and beyond, we will continue to work with customers to discuss how to manage their information assurance risk and how they can implement a cyber security strategy to prepare, protect, detect, and respond to threats.
As a leading security services provider, we will assist customers in implementing risk controls to managing issues arising from people, process, environment, and technology — well beyond just the NDB scheme.
Logan Daley is an information assurance specialist at Data#3. This article originally appeared in a special edition of ARN magazine, focusing on the data breach notification laws in Australia.
