The past few years have seen a prolific increase in legislation, both in Australia and abroad, which organisations must consider at both the governance and operational levels. Part of what this legislation signals is a marked increase in public disclosure, which introduces risks derived from reputational damage. Additionally, some acts contain provisions for personal as well as organisational liability.
Some recent Australian examples include:
| Year | Act |
| --- | --- |
| 2015 | Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 |
| 2017 | Privacy Amendment (Notifiable Data Breaches) Act 2017 |
| 2018 | Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 |
And of course, outside of Australia but still affecting relevant Australian organisations, is the European Union's GDPR.
There are also other forms of regulation, such as the Australian Signals Directorate's "Top 4" (which is mandatory for federal agencies) and "Essential Eight", which help to set the tone in which security discussions are framed today.
Security isn't solely a technical endeavour and approaching it from the traditional perspective of firewalls and virus scanners can leave your business exposed to significant risk. From building-level security through to policy and user training, there's a raft of considerations to navigate - many of which persist even if you're pursuing a cloud strategy.
For example, looking at the OAIC's Notifiable Data Breach statistics, human error and malicious attacks account for most reported breaches.
What's interesting in the "malicious" category breakdown (below) are the dominant categories of "compromised or stolen credentials" and "phishing", both of which are exacerbated by policy inaction. In contrast, the clichéd hacking scenario comes in at a relatively low six per cent.
The challenge this highlights is: has your organisation done all it reasonably can to minimise security-based risk? If you have a heavy reliance on written policy that hasn't been translated into a robust, auditable technical implementation, then the answer is likely no, and that's where we can help.
The best security outcomes are achieved when security is represented as a whole-of-business success factor, much as business continuity planning often is.
Below are some key indicators that security is well integrated into your business's decision-making and implementation structures.