SYDNEY, October 16, 2017. While Australia’s privacy law has made a good start in encouraging better security hygiene, it may not go far enough to get all Australian and partner businesses in line, according to Chris Strand, Carbon Black’s global senior director of compliance.
The privacy act will pressure most Australian business to provide information on sensitive data breaches since it mandates the law on commonwealth government agencies, private sector organisations and relevant businesses.
“Its one downside is that the penalties are far below those of many recent privacy mandates. The Australian maximum penalties of $360,000 for individuals or $1.8 million for organisations – and breach disclosure applies only to organisations that exceed $3 million annual turnover,” said Strand.
“This is a far cry from the European Union General Data Protection Regulation (EU GDPR) which applies penalties of up to 4 per cent GDP or up to 20 million euros ($A30 million), whichever is higher!”
According to Strand, big fines are not the only incentive to encourage better security practices, posture and hygiene. Privacy law should help to encourage breach disclosure, with merit given to those that practice privacy by design or who embed security into their data policy.
Organisations that can account for their security systems and take steps to ensure they have the right technologies and plans in place to ensure and prove protection, by using solutions that help expose or protect data or reporting on the security policy in place that helps to define their data processes and hierarchy.
He cites as valuable the approach taken by the Australian Signals Directorate (ASD) in actively engaging with businesses in the case of an incident and offering support before, during and after the mandatory notification that would be triggered under the breach notification laws. This also promotes the adoption of powerful mitigation techniques while encouraging businesses to move to a better security posture and transparency in data privacy and protection policy.
Are Australian capable of providing information on sensitive data breaches?
Strand says that with the right security solutions and proper preparation around security policy, architecture and implementation, (such as proactive assessment, and real time prioritisation of security events) it is possible for organisations to provide the full scope of a data breach.
“But I’m not convinced they are quite ready to do this today. Given the recent string of data and information breaches worldwide recently, there is still much to do to ensure breach discovery and report perfection.”
Compliance regulation holes
Strand says a few obvious holes exist in the major Australian privacy mandates, such as the exclusions of companies under $3 million in turnover. That represents a large proportion of businesses and could account for a significant potential data loss which would not be publicly disclosed.
New technology is also an incipient threat, says Stand.
“I believe that submerging tech is putting compliance standards at risk. We have never had a period with more unsupported vulnerable applications and operating systems globally as we do now. Many of the recent major exploits, such as WannaCry were successful by preying on unsupported system vulnerabilities – something that’s unacceptable in this age of advanced security technology.
Strand recommends a defence in depth approach with the proper application control and ironclad protection on the front end. Just as the ASD mandates application allowlisting as it’s number one mitigation, Carbon Black advocates that applying a positive security approach that can prioritise events in real time while enforcing the trust policy will lead to eliminating the risk of vulnerabilities, while automating the process of identifying potential anomalies that target systems and data.
News emerged recently that the ASD utilises Carbon Black technology among its own data security strategies.
About Chris Strand
Christopher Strand leads Carbon Black’s security risk, audit and compliance sales and marketing strategy. With more than 20 years of information technology and compliance experience, he oversees the development of enterprise network and application security solutions that help organisations to deploy proactive security to maintain, measure and improve their compliance and risk posture. Strand is in Australia this week to host executive round table discussions in Canberra, Sydney and Melbourne.