Australia's New Mandatory Data Breach Notification Laws Part 2: Preparation

We've broken down what these new laws mean. Now it's time for organisations to ensure they are prepared.

By: Alex Tilley
In part one of this blog series, I noted that there will likely be a grace period before the new eligible data breach notification law is enforced. That grace period is the time for organisations to implement new security strategies, or evolve their current ones, to improve their overall security posture. The Four P's come to mind here: preparation prevents poor performance, or in this case, preparation reduces the risk of a breach occurring and therefore the likelihood that you will have to report one. But where should your preparations start? For the purposes of this conversation, let's assume your organisation has done nothing about cyber security (you likely have done something, but it is simpler to start from the bottom and work up).
Evaluate What's at Stake for Your Organisation
Start by understanding your risk profile. Begin by identifying your key assets: maybe it is your customer data; perhaps it's employee information, contracts, intellectual property, or financial payment data. Then think about who might attack you to gain access to that data: cyber criminals, a disgruntled employee, or hacktivists. Finally, what tactics might they employ to breach your network? Will the threat actor steal credentials, run a phishing campaign, or exploit a vulnerability you don't yet know exists on your network? A full risk profile is a little more involved than this, but the answers to these questions will give you a good idea of what yours is going to look like.
Dig into Your Data
Think about every stage of the lifecycle of your data: from creation to use; from transmission to storage; all the way through to archival and eventual destruction. Consider both the technical and the policy-based controls your organisation has in place across that lifecycle. For example:
- What are your policies around data transmission?
- Do you have a data classification scheme in place?
- Do you control who can access particular data sets, and on what basis?
- Do you encrypt data in transit (and, for sensitive data sets, at rest)?
You can now combine your risk profile with what you've learned about your data lifecycle: for each threat, estimate both the impact if it succeeds and the likelihood that it occurs, and use the two together to determine the level of risk.
Build a Framework for Organisational Security
From here, you will be ready to create your organisation's culture of security and centre it on a communication framework. Make sure that everyone is invested in securing your organisation. Find an executive sponsor, someone who will champion security up to the board; develop incentives for people who positively affect your security program; and make sure the program involves everyone from developers through to executive leadership. A final thought here: make your communication framework something people relate to, something they take home and discuss around the dinner table.
Develop a rigorous testing regime that covers your technical controls, your policies and processes, and the people in your organisation. Test your network for vulnerabilities, run ethical hacking engagements, and hold incident response tabletop exercises. Test your policies against real-world scenarios. Really get to know where your risks lie, and report this up to your executive management team. If you and your executives don't know your organisation's flaws, you won't know what to fix.
Doing all of the above will not prevent a breach, but it will reduce the risk of one taking place. Preparation is critical to any cyber security strategy, and doing the following four things will put your organisation on the right track to reducing risk:
- Understand your risk profile and apply this understanding to your data lifecycle
- Create policies that address the risks you have identified
- Create a culture of security built around a good communication framework
- Develop a rigorous testing regime