Following the introduction of the Notifiable Data Breach Scheme (NDB) in February 2018, a survey of ANZ businesses by CompTIA has revealed that 23 per cent of organisations have not made changes to security policies to comply with the NDB and a further 35 per cent of respondents are not sure if their organisation has made changes.
According to the Office of the Australian Information Commissioner (OAIC), more than one third of the data breaches reported in the past quarter involved companies disclosing private customer information as a result of simple human error. (1)
James Bergl, CompTIA ANZ Channel Community executive council member and director of sales, APAC, Datto, Inc., said, “With human error accounting for a large proportion of breaches, it is concerning that some people are not even aware of whether their company has changed its policy to comply with the NDB. Education and awareness need to play a critical role in protecting customers and mitigating risk.”
When it comes to incident response, 37 per cent of respondents said their organisation did not have formal policies and procedures but relied on unwritten rules that were typically followed. A further 14 per cent had no policies or procedures addressing security incident response at all.
In the July-September 2018 quarter, 245 breach notifications were reported to the OAIC.
James Bergl said, “These breaches are happening, and will continue to do so, which means organisations need to take the threat seriously and make sure they are compliant with the legislation.”
According to the respondents with formal response plans, these plans included: roles and responsibilities for addressing the incident (90 per cent); a complete backup/recovery plan including prioritisation of systems (80 per cent); identification of affected systems (75 per cent); identification of the attack (74 per cent); education on how the incident occurred and future mitigation strategies (73 per cent); and a public communications plan for cases where customer or partner data was affected (55 per cent).
James Bergl said, “Most businesses think they are in control of security. However, the reality is quite different for many. It can be easy to forget how dynamic the danger is, and cybercriminals rely on this complacency.
“A security risk assessment is an effective way for businesses to assess their current posture. Businesses should treat information security risk assessments as an ongoing process of discovering, correcting, and preventing security problems.”
References –
(1) – https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-july-30-september-2018