Patching-up cyber security with NDB
A significant legal step has been enforced for Australian companies to report security breaches. The Notifiable Data Breach (NDB) Scheme became law on 22 February. It states that businesses with an annual turnover of more than $3M will now be required to report breaches. With over $86Billion spent on cyber security globally it’s a hot topic which is only gaining momentum. The question isn’t ‘if’ businesses will be a target, but a matter of ‘when’.
When a breach occurs a business has 30 days to investigate which customers had their details affected and have an obligation to advise affect parties. If you are unfortunate enough to suffer a breach the Privacy Commissioner will do an assessment. If the business has a security plan in place that will help from a fine perspective.
However, if a business is earning under $3M and doesn’t have to report then it’s still good practice to improve security with some simple steps. But how does a business protect itself?
The Australian Signals Directorate (ASD) believes no single mitigation strategy is guaranteed to prevent cyber security incidents. The ASD believes at least 85% of the adversary techniques used in targeted cyber intrusions could be mitigated by implementing the following strategies. Referred to as the ‘Top 4’:
- use application whitelisting to help prevent malicious software and unapproved programs from running
- patch applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers
- patch operating systems
- restrict administrative privileges to operating systems and applications based on user duties.
Simple steps really about keeping software up-to-date, so it’s no surprise the consultancy industry for service providers is booming. However, it’s costly. Most of the time the cost cannot be passed onto clients. For example, if a retailer spends $100K on a consultancy to help set up the security program it’s unlikely for the retailer to jack up prices by 20% to make up for it. This is because it’s a highly competitive market.
While some businesses are pro-active, others take the compliance led approach. What that means is they do the bare minimum in order to meet requirements. The most common example is the Payment Card Industry Data Security (PCI DSS) standard. That standard was pushed down by major card providers Visa, AMEX and Mastercard. The framework follows a prescriptive guide in terms of having two-factor authorisation, anti-virus capabilities, as well as a comprehensive list of controls that’s been around for 17 years. It helps support good security practice.
However, the way some organisations approach compliance is, ‘OK, this is regulation, we’re going to do the bare minimum to adhere to this’. They spend the least amount of money, they scope it right down until it almost becomes not valuable. However, they become compliant. They have a ticked box saying ‘they’re compliant’ to this framework.
The thing is every single retailer that has been breached to date has been PCI compliant.
Just because a business is compliant to a certain standard doesn’t equate to an adequate job. It’s the same thing with NDB. Some people will look at the actual law and the regulation itself and they’ll go, ‘If I do the minimum area in this, or reach the minimum standard I will be OK from a fines perspective’. They may well be, but the challenge is regulation doesn’t work in isolation. Regulation is there to support good governance. The best thing an organisation can do is protect data, protect customers, suppliers etc.
As we move more of our business online, the more we store our data on the cloud, it makes it a much juicer target. The size of the pie for cyber criminals grows.
Cyber criminals avoiding jail
Think of it this way, say I was a criminal and I said, ‘You and I we’re going to rob a bank in main street Brisbane and we’re going to get $10K but the problem is there’s a 99.9% chance we’re going to get caught and go to jail’. Or I could come to you and say, ‘If you work with me, we’ll probably have to invest $2-$5K to hire some people to write some malware for us, deliver it, etc. We could make $10K and there’s a 99.9% chance we won’t get caught.’ Which would you do?
That’s why we’re seeing a lot more cyber criminals because they’re hard to catch. Most of it’s done off-shore from places like south-east Asia, Asia and eastern Europe. Because of the laws and jurisdictions there is absolutely no way they can be extradited.
Attacks evolve in response to – and even weaponise emerging technologies, such as:
- cloud-based services
- complex encryption
- intelligent apps and devices
- virtual and augmented reality
- mesh apps.
Terry Group Consulting (TGC) will be highlighting different perspectives of experts within the field of cyber security. Our first is Lani Refiti, a long-time security professional, entrepreneur and business technologist. Malcolm Burrows, Legal Practice Director at Dundas Lawyers will offer a legal perspective. Jeremiah Dowd is a Senior Security Consultant with Proficio and will provide understanding around cyber criminal operations.