The past few years has seen a prolific increase in legislation both in Australia and abroad which organisations must consider both at governance and operational levels, as part of the signalling is a marked increase in public discloure which introduces risks derived from reputational damage. Additionally, some acts contain provisions for personal as well as organisational liability.
Some recent Australian examples include:
||Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
||Privacy Amendment (Notifiable Data Breaches) Act 2017
||Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
And of course, outside of Australia but still affecting relevant Australian organisations is the European Union's GDPR.
There's also other forms of regulation such as the Australian Signal Directorate's "Top 4" (which is mandatory for federal agencies) and "Essential Eight", which help to set expectations of the tone in which security discussions are being framed today.
Security isn't solely a technical endeavour and approaching it from the traditional perspective of firewalls and virus scanners can leave your business exposed to significant risk. From building-level security through to policy and user training, there's a raft of considerations to navigate - many of which persist even if you're pursuing a cloud strategy.
Looking at the OAIC's reporting on the Notifiable Data Breach scheme for 2019 H2 as an example, human error and malicious attacks account for 32 per cent and 64 per cent of notifications respectively.
However, what's more interesting is the breakdown of the "malicious" category (pictured below) where the dominant categories are "compromised or stolen credentials", and "phishing". As both are addressable through user training and corporate policy (i.e. information security), they can be at least partially attributed back towards human error in the shape of policy inaction. In contrast, hacking - which is often less readily addressable - chimes in around a relatively low six per cent.
It's worth briefly noting that these trends hold true for the previous reporting periods. 2019 H2 is simply the most current example.
The challenge this highlights is: has your organisation done all it reasonably can to minimise security-based risk? If you have a heavy reliance on written policy that hasn't been translated into a robust, auditable technical implementation then the answer is likely no and that's where we can help.
The best security outcomes are achieved when security is as well represented as a whole-of-business success factor, much as business continuity planning often is.
Below are some key indicators that security is well-integrated into your business' decision-making and implementation structures.