0 Results Found
            Back To Results
              Fundamentals

              Australia's New Mandatory Data Breach Notification Laws Part 2: Preparation

              We’ve broken down what these new laws mean. Now it’s time for organisations to ensure they are prepared. By: Alex Tilley

              In part one of this blog series, I noted there will likely be a grace period as part of the introduced eligible breach notification law. This grace period is going to be an important time for organisations to consider either implementing new security strategies or evolving their current strategies to improve their overall security posture. The Four P's come to mind here: preparation prevents poor performance, or in this case, preparation reduces the risk of a breach occurring and the likelihood that you will need to report on said breach. But where to start your preparations? Let's assume your organisation has done nothing about cyber security. You likely have done something, but for the purposes of this conversation, let's start from the bottom and work up.

              Evaluate What's at Stake for Your Organisation

              Start by understanding about your risk profile. This is done by identifying what your key assets are: maybe it is your customer data; perhaps it's employee information, contracts, intellectual property, or financial payment data. Then think about who might attack you to gain access to this data: cyber criminals, a disgruntled employee, or hacktivists. Finally, what tactics might they employ to successfully breach your network? Will the threat actor steal credentials, use a phishing exercise, or exploit an unknown vulnerability on your network? While a risk profile is a little more complicated, the answers to these questions will give you a good idea about what your risk profile is going to look like.

              Understand your cyber risk profile, anticipate who the cyber criminals may be and the tactics they may employ.

              Dig into Your Data

              Think about all facets of the lifecycle of your data, from creation to application; from transmission to storage; all the way through to archival and subsequent destruction. Think about both the technical- and policy-based controls your organisation has in place across this data lifecycle. For example:

              1. What are your policies around data transmission?
              2. Do you have data classification in place?
              3. Do you control the types of people who can access particular data sets?
              4. Do you encrypt data through transmission?

              You can now combine your risk profile with what you've learned about your data lifecycle and use this information to determine both the impact and likelihood of a threat occurring to determine the level of risk.

              Build a Framework for Organisational Security

              From here, you will be ready to create your organisation's culture of security and centre it around a communication framework. Make sure that everyone is invested in securing your organisation. Find an executive sponsor, someone who will champion security up to the board; develop incentive systems for people who are positively impacting your security program; and make sure it involves everyone from developers through to executive leadership. A final thought here: make your communication framework something that people relate to and something they take home to discuss around the dinner table.

              Testing 1-2-3

              Develop a rigorous testing regime focused on testing technical controls, policy and process, and the people in your organisation. Test your network for vulnerabilities, run ethical hacking and incident response table top exercises. Test your policies against real world scenarios. Really get to know where your risks lie and report this up to your executive management team. If you and your executive team don't know your organisation's flaws, you won't know what to fix.

              Doing all of the above will not prevent a breach, but it will reduce the risk of it taking place. Preparation is critical to any cyber security strategy. Doing the following four things will certainly put your organisation on the right track to reducing risk:

              Related Content