After many years of asking, often without action or progress, the security industry in Australia finally has a breakthrough.
The Notifiable Data Breaches (NDB) scheme, established in Australia as a result of the Privacy Amendment (NDB) Act 2017, was introduced on 22 February 2018, providing structure to an otherwise makeshift security strategy.
“It’s been a long time coming,” observed Joseph Mesiti, sales director of Enosys. “A very long time in fact because the industry has been crying out for this for more than 10 years.”
Following a decade of debates and discussions, the legislation has spanned a lifetime of scrutiny to finally land on Australian shores.
Operating as a security specialist, Enosys entered the market in 2011, when conversations were still dollar orientated and business buy-in low.
“We struggled to get projects funded at that time,” Mesiti recalled. “The industry believed if the government introduced legislation, again, along the lines of what they are doing now, then it would be easier to assist in accelerating the uptake.
“Of course, there’s a selfish desire to sell more products and to sell more services. But we all adamantly believed during this time that we had a valuable go-to-market strategy in place, through the assistance we could provide to businesses.
“We only exist to resolve the problems of our customers, if there was no problem then we wouldn’t have a business.”
Speaking as a security expert, Mesiti observed that the wider industry in Australia has matured significantly during this “wait” period, with boardrooms now recognising cyber security as a business risk, a risk organisations are now committed to investing in to mitigate.
Under the Privacy Amendment, organisations have 30 days to notify the Privacy Commissioner and all affected parties if a breach occurs.
With the clock ticking, the margin for error is razor thin, as individuals face hefty fines of up to $420,000, with businesses in line for a maximum hit of $2.1 million.
“Any organisation that’s not applying some level of security today must get with the times,” Mesiti stressed.
But despite a seemingly endless supply of technology solutions available, having the latest and greatest in place is no longer enough, with Mesiti pointing to people as the weakest link inside an organisation.
“What are organisations doing around cyber security awareness now that we have three or four generations of IT users in most companies?” Mesiti asked.
Suggesting that different generations are likely to possess different skills, Mesiti advised organisations to invest in a continual cycle of training, designed to ensure staff remain on the same page in the context of security.
“A breach will happen,” Mesiti added. “Any CEO who thinks their organisation is safe must rethink that thought. The breach will occur and, as an office holder, the CEO is ultimately accountable for that. Have the staff prepared the organisation for that?”
In observing current market responses, Mesiti said Enosys customers — spanning medium to large enterprise — were overall ready for the change of legislation.
“The organisations we deal with, surprisingly enough, are ready,” Mesiti said. “Most of those businesses have strong security controls in place.”
With NDB now in play, the security provider operates as an ISO 27001 certified specialist, with that certification forming part of an industry standard requirement.
Specifically, ISO 27001 is a standard setting out the requirements for an information security management system (ISMS), covering how sensitive internal company and customer data is held.
“When we embarked on ISO certification we had to ensure all our processes aligned with the standard,” Mesiti added. “Every six months we have a review and then every 12 months there’s a formal audit by the issuer.”
When the NDB was put into place last month, the only thing that needed to be added for Enosys was an amendment stating that “in the event of breach of data the commissioner has to be notified” and that the company will take the appropriate steps if that occurs.
Mesiti said that today, the company is doing more consulting around ISO 27001.
“We’re doing more and more ISO 27001 consulting around preparation for an audit and for compliance to occur,” he said. “This means that our go-to-market will develop and evolve.
“The NDB will continue to push organisations down this path. So, I can only see a broadening and refinement of our portfolio.”
As customers continue to recognise the value of security, and the need for deeper levels of protection, Mesiti also observed a shift in attitudes with regards to mainstream media, with cyber threats now commanding front page news.
Such a shift is crucial in creating an environment capable of raising greater security awareness, removing the need for legislation to act as an industry trigger point.
“Businesses are not thinking of NDB as a reason to do something,” Mesiti explained. “They are doing it because they know it’s good practice and because it needs to be done.
“Most organisations we’re dealing with have already matured to an extent that they know action is required. They understand that they must protect directors and office holders in the organisation, while also keeping user and customer data safe.”
In Australia, businesses take an average of 175 days to detect that a breach has occurred, according to findings outlined in the 2017 Cost of Data Breach Study.
Delving deeper, $2.51 million stands as the average total cost of a data breach in the local market, representing a five per cent decrease in costs during the past 12 months.
The result is that vulnerabilities could exist for at least five months inside an organisation, creating new layers of complexity and challenge for businesses across the country.
“How do you go back and look at when the breach occurred? Or how it occurred? Or what leaked?” Mesiti asked. “Businesses must retain their log data.
“We offer a SIEM (security information event management) service which fundamentally focuses on log data and the correlation of events across that data. We also examine retention times on that data.”
Currently, telecommunications providers are required to keep a set of data for two years to ensure Australia’s law enforcement and security agencies are lawfully able to access data.
This is due to the Federal Government data retention scheme that entered into effect in April 2017.
But at this stage, nothing specifies that an organisation must retain data for a certain period, leaving the responsibility and decision with the business.
From a channel perspective, and for service providers who win contracts via tender processes, offering data retention is usually a contractual requirement, with some organisations requesting logs spanning 12 months or more.
For Mesiti, smaller businesses usually struggle with this more than enterprise players.
“The bigger end of town knows exactly how long they need to be keeping information for,” Mesiti said. “They also know the chain of custody on that data and the fact that information needs to remain in its raw format so that it can be presented in court as a legal artefact.”
As explained by Mesiti, this area remains one of the biggest challenges impacting smaller organisations today.
“In most cases, someone inside an organisation may not have spent an adequate amount of time on information security,” Mesiti added. “Then they will deploy the latest and greatest next-generation equipment and suddenly, alarm bells start going off.
“That’s when we realise that someone has been in there and that they’ve been in there for a while. Without having stored that data you can’t know for how long, all you can do is react to something that’s already occurred.”
Specific to the legislation, Mesiti acknowledged that the $3 million turnover threshold can pose a problem for smaller organisations, which tend to have little security maturity, placing the onus on service providers to keep customers informed regarding risks and requirements.
Furthermore, the rise of cloud computing, coupled with increased smartphone adoption, has created an ecosystem of information access and sharing, allowing hackers to take advantage of an interconnected world.
“Smaller customers may not view themselves as a target but one of the businesses they supply services to could be,” Mesiti warned.
“The way this customer interacts and connects with that business could mean that the business could become a higher priority target for cyber criminals.”
But as the security dust settles, the impact of NDB in Australia remains, at this stage, an unknown.
Only when inevitable breaches occur and reporting is required will a precedent be set by the Commissioner, with the actions of the government determining how seriously businesses will respond.