Security

Today's security context

Increasing legislation

The past few years have seen a prolific increase in legislation, both in Australia and abroad, which organisations must consider at both the governance and operational levels. Part of this shift is a marked increase in mandatory public disclosure, which introduces risks derived from reputational damage. Additionally, some acts contain provisions for personal as well as organisational liability.

Some recent Australian examples include:

Year Act
2015 Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
2017 Privacy Amendment (Notifiable Data Breaches) Act 2017
2018 Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

And of course, outside Australia but still applying to relevant Australian organisations, is the European Union's General Data Protection Regulation (GDPR).

There are also other forms of regulation and guidance, such as the Australian Signals Directorate's "Top 4" (which is mandatory for federal agencies) and "Essential Eight" mitigation strategies, which help set the tone in which security discussions are being framed today.

The challenges

Security isn't solely a technical endeavour, and approaching it from the traditional perspective of firewalls and virus scanners can leave your business exposed to significant risk. From building-level physical security through to policy and user training, there's a raft of considerations to navigate - many of which persist even if you're pursuing a cloud strategy.

Looking at the OAIC's report on the Notifiable Data Breaches scheme for 2019 Q2 as an example, human error and malicious or criminal attacks account for 34 per cent and 62 per cent of notifications respectively.

However, what's more interesting is the breakdown of the "malicious" category (pictured below), where the dominant sub-categories are "compromised or stolen credentials" and "phishing". Both are addressable through user training, corporate policy and the technical controls that enforce that policy (multi-factor authentication, for instance), so they can be at least partially attributed back to human error in the shape of policy inaction. In contrast, hacking - which is often less readily addressable - accounts for a relatively low eight per cent.

Figures (taken from the official OAIC 2019 Q2 report): breakdown of the malicious category; reported breach reasons across all industries; user/policy "malicious" categories vs. hacking.

It's worth briefly noting that these trends also hold for the previous reporting periods; 2019 Q2 is simply the most recent example.

The question this highlights is: has your organisation done all it reasonably can to minimise security risk? If you rely heavily on written policy that hasn't been translated into a robust, auditable technical implementation, then the answer is likely no - and that's where we can help.

What's our approach to security?

Security is a pervasive topic that touches many facets of the business, but to provide a baseline for discussing the areas we assess, we've partitioned them into three broad categories with some example topics beneath each.

Governance

Organisational structure supports the security function.

Accountability and authority are clearly articulated.

Policies and procedures are transparent and auditable.

Policies and procedures are enforced by technology.

Security features in critical incident response and business continuity plans.

Compliance requirements (internal and regulatory) are stated - with measurements where possible.

Identity management systems and how they support governance.

Key Performance Indicators (KPIs) support compliance.

Reporting requirements.

Applications and services

Risk assessment for existing and proposed applications/services (including cloud).

Identity management systems and how they reduce unauthorised access.

Role-based structures to support governance requirements.

Best practices related to secure operations.

Encryption health (e.g. protocol versions, cipher suites, certificate validity and key management).

Infrastructure

Risk assessment for infrastructure (including cloud).

Elevating the profile of internally-facing security using industry and vendor best practice, and government guidance such as the Australian Signals Directorate's "Essential Eight".

Identity management systems and how they can reduce infrastructure risk.

Role-based structure to support governance requirements.

Hardening mission-critical services to reduce their attack surface.

Leveraging the security mechanisms already built into Windows Server and Azure AD to improve security at no additional cost.

Securing network services (including Wi-Fi!).

Best practices related to secure operations.

Encryption health (e.g. protocol versions, cipher suites, certificate validity and key management).

Additional information

Legislation and regulation

Quarterly Statistics Reports, Office of the Australian Information Commissioner, accessed September 2019.
Essential Eight Maturity Model, Australian Signals Directorate, accessed March 2019.
Notifiable Data Breaches scheme, Office of the Australian Information Commissioner, accessed March 2019.
Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, Federal Register of Legislation, accessed March 2019.
Privacy Amendment (Notifiable Data Breaches) Act 2017, Federal Register of Legislation, accessed March 2019.
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, Federal Register of Legislation, accessed March 2019.

Notable Australian data breaches in the news

Bank details, TFNs, personal details of job applicants potentially compromised in major PageUp data breach, Australian Broadcasting Corporation, accessed September 2019.
PageUp face customer losses, lawsuits after data breach, Australian Financial Review, accessed March 2019.
Commonwealth Bank customers' medical data exposed in potential privacy breach, Australian Broadcasting Corporation, accessed March 2019.