Are Aussie businesses prepared for mandatory breach notification laws?
- 22 September, 2016 15:44
The majority of Australian IT executives believe that their organisations are unprepared to handle the requirements of the government’s proposed mandatory data breach notification scheme if it is passed into law, according to new research.
The findings come from CyberArk’s latest Global Advanced Threat Landscape Survey – the tenth edition of the annual report – and reveal that just 34 per cent of Australians surveyed felt their businesses were completely prepared to handle mandatory breach notification requirements.
“It can be inferred, therefore, that there is a lack of confidence about either being able to identify a breach, or in existing emergency response plans – including providing the necessary information to the executive team, who would be responsible for the public breach notification,” the survey stated.
Less than half of the survey respondents said they believed the proposed scheme will be good for their organisations as a whole. At the same time, almost 20 per cent believed there would be a negative impact on their organisations.
Drawn from input from 750 IT and IT security ‘decision makers’ from around the world, including Australia, New Zealand, and Singapore, the survey examines whether global enterprises are learning their lessons from highly publicised cyber attacks, such as the notorious Sony Pictures Entertainment hack in 2014.
As noted by ARN’s sister publication, Computerworld, the government’s proposed mandatory breach notification legislation is likely to be on the table during the spring sittings of parliament.
A draft of the proposed breach notification bill was made public in December last year, revealing that businesses would be obliged to report a ‘serious data breach’ to the Australian Information Commissioner, while also notifying individuals whose data has been affected by a breach.
The draft bill has met with some resistance, with the Australian Industry Group (Ai Group) suggesting in a submission to the Attorney-General’s Department that it is not convinced the proposed laws are needed, given existing privacy protections.
Even Telstra, which claimed in its submission responding to the exposure draft of the bill that it already had the capabilities to handle its requirements, made several recommendations for changes to the proposed legislation.
However, the survey results follow reports by CIO that more data breaches have been disclosed in Australia than anywhere else in the Asia-Pacific region, suggesting some level of preparedness among local businesses.
According to the Gemalto Breach Level Index, 22 data breach incidents were recorded in Australia in the first half of the year, compared to just seven in Japan and New Zealand.
The CyberArk survey also found that organisations in Australia and New Zealand are less concerned about securing third-party vendor access than their international counterparts, with a full third of respondents revealing that their organisations are not in the habit of monitoring such access.
16 per cent of respondents from Australia and New Zealand said that their companies do not secure third-party vendor access, with 33 per cent saying their organisations do not monitor that access.
According to the report, the Asia-Pacific region is of particular note when it came to securing and monitoring third-party access, with fewer best practice policies apparent in the region than in other markets, including the United States, Europe, and the United Kingdom.
By comparison, 10 per cent of US respondents said their company did not secure third-party access, and just three per cent did not monitor that access.
This lapse in remote access security controls among companies in the Asia Pacific region and, particularly Australia and New Zealand, can leave organisations with a weak link in their network security, according to CyberArk.
At the same time, just 27 per cent of Australia and New Zealand respondents ranked DDoS attacks as the most concerning type of attack for their organisations in the next 12 months. This was higher than the 19 per cent global average.
Meanwhile, phishing was ranked as the most concerning type of attack by 14 per cent of respondents globally, while 13 per cent named ransomware as the type of attack that is of most concern.