Security

Today's security context

Increasing legislation

The past few years have seen a prolific increase in legislation, both in Australia and abroad, which organisations must consider at both the governance and operational levels. Part of this signalling is a marked increase in mandatory public disclosure, which introduces risks derived from reputational damage. Additionally, some acts contain provisions for personal as well as organisational liability.

Some recent Australian examples include:

Year Act
2015 Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
2017 Privacy Amendment (Notifiable Data Breaches) Act 2017
2018 Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

And of course, outside of Australia but still affecting relevant Australian organisations is the European Union's GDPR.

There are also other forms of regulation, such as the Australian Signals Directorate's "Top 4" (which is mandatory for federal agencies) and "Essential Eight", which help to set the tone in which security discussions are framed today.

The challenges

Security isn't solely a technical endeavour and approaching it from the traditional perspective of firewalls and virus scanners can leave your business exposed to significant risk. From building-level security through to policy and user training, there's a raft of considerations to navigate - many of which persist even if you're pursuing a cloud strategy.

For example, looking at the OAIC's Notifiable Data Breach statistics, human error and malicious attacks account for most reported breaches.

What's interesting in the breakdown of the "malicious" category (below) is the dominance of "compromised or stolen credentials" and "phishing", both of which are exacerbated by policy inaction. In contrast, the clichéd hacking scenario chimes in at a relatively low six per cent.

Breakdown of the malicious category taken from the OAIC 2021 H2 report.

Reported breach reasons across all industries.

User/policy "malicious" categories vs. hacking.

The challenge this highlights is: has your organisation done all it reasonably can to minimise security-based risk? If you rely heavily on written policy that hasn't been translated into a robust, auditable technical implementation, then the answer is likely no, and that's where we can help.

What's our approach to security?

The best security outcomes are achieved when security is represented as a whole-of-business success factor, much as business continuity planning often is.

Below are some key indicators that security is well-integrated into your business' decision-making and implementation structures.

Governance

The business recognises security as an important strategic function.

Accountability and authority is clearly articulated.

Policies and procedures are transparent, auditable and sustainable.

Technology strategies align with and support the policies and procedures.

Applications and services

The presence of information security best practices such as role-based access, "just enough access", separation of duties, and so on.

Well-defined criteria for assessing existing and proposed applications and services (cloud, service providers, etc.).

Identity management strategies and systems.

Infrastructure

Risk assessment for infrastructure (including cloud).

Alignment to vendor and industry best practice frameworks, such as the Australian Signals Directorate's "Essential Eight".

Systems are modern and properly maintained.

Mission-critical services are hardened to make them less vulnerable.

Windows Server and Azure AD security mechanisms are leveraged to improve security at no additional cost.

Network services (including Wi-Fi!) are secured.

Additional information

Legislation and regulation

Notifiable data breaches statistics, Office of the Australian Information Commissioner, accessed February 2022.
Essential Eight Maturity Model, Australian Signals Directorate (cyber.gov.au), accessed February 2022.
Notifiable data breaches, Office of the Australian Information Commissioner, accessed February 2022.
Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, Federal Register of Legislation, accessed March 2019.
Privacy Amendment (Notifiable Data Breaches) Act 2017, Federal Register of Legislation, accessed March 2019.
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, Federal Register of Legislation, accessed February 2022.

Notable Australian data breaches in the news