Sydney’s latest Cyber Risk Meetup (October 18, 2018) not only drew a record crowd but was largely successful in demystifying the complex issues of data breach and incident response to an eclectic audience of lawyers, tech-heads and crypto and blockchain enthusiasts.
The three speakers all offered personal insights into the increasingly globalised world of data connectivity and how breaches affect everyone from multinationals to anyone with a MyHealth record or a Facebook account.
First up was Olga Ganopolsky, General Counsel, Privacy and Data, at Macquarie Group, who is responsible for all of the 28 jurisdictions Macquarie operates in. With her extensive knowledge of the data and privacy space, she was able to provide valuable insights into how lawyers view the issue in an international context and the current shape of data breach regulation globally.
Cyber Risk Meetup organiser Shamane Tan presents to a full house
“Data breaches take everyone out of their comfort zones, including lawyers,” she says. “If data is global, the question then becomes how relevant are local laws?”
While some global frameworks have already taken shape, such as the European Union’s General Data Protection Regulation which came into effect in February this year, there was still a spectacular lack of uniformity for reporting and policing data breaches, Ganopolsky says.
In the EU, for example, organisations are obliged to notify authorities within 72 hours of a data breach, while in the US the laws change from state to state and New York actually has three separate regulators responsible for data breach.
This lack of uniformity runs not only across nation states, but cultures and in some cases, such as the US, even across industries. This means that something which is deemed immediately notifiable in Australia may not be considered worthy of notification in a country such as The Philippines, which is rapidly becoming a hub for global outsourcing.
Then there’s the added layers of complexity when it comes to ascertaining where the breach originated and who was responsible, made all the more complicated if, for example, a service provider inadvertently did something to a customer’s IT platform or infrastructure.
Ganopolsky believes it is still possible to operate in such a regulatory minefield and, from a legal standpoint, understanding the regulatory framework of the country where the breach has occurred is essential, however difficult that may be. “Facts are important, but context is essential, and that involves making a real effort to understand the quirks of the country or territory in question.”
Being human-centric and understanding the people who have been affected and how it has affected them is also vitally important in a globalised environment, she says, especially since the current gap in global frameworks is not going to be rectified anytime in the near future and cultural sensitivities will always be prevalent.
Keep your incident response simple
Dr Ignatius Swart, a security professional of more than 15 years standing, is a Managing Consultant of Privasec and also leads the NSW GRC and Incident Response teams. He was largely in accord with the previous speaker’s comments on the complexity of the issue, especially in light of huge data breaches to the likes of Facebook, a plethora of banks and high-profile cases such as dating site Ashley Madison.
Having said that, he believes there are some simple steps organisations can take to greatly reduce the risks of such breaches. “First and foremost, there need to be defensive systems in place for when a breach occurs. Knowing where and why it happened will go a long way towards remedying it,” Swart says.
Swart recommends a return to basics, where there is a simple security framework in place with a tested plan with clearly defined roles for those responsible across an organisation.
Often there are procedural steps that hinder incident response, like failure to withdraw password authorisation for users whose machines might be affected, especially if the attack occurs after hours when there’s virtually nobody around.
Then there was the time when a major multinational suffered a major data breach which affected some very large customers, several of whom sent in their own incident response teams, with predictably disastrous consequences.
“This company ended up spending over 50 per cent more on fixing the breach than they should have because they didn’t have proper response systems in place,” Swart says.
Instead, they should have tested their environment for internal and external threats, given staff better training on what to do if an incident occurs, and above all else kept calm, he adds.
Regarding the future, Swart believes drones, AI and blockchain (all the major buzzwords, as he put it), will have a positive role to play in data security: drones through their high-speed computing platforms, AI through its potential to investigate breaches and remedy them and blockchain through its ability to provide an evidentiary link for every computing chain.
“Preparation is always better than response and communication between stakeholders is essential for post-incident reviews,” Swart adds.
Data breaches affect everyone
Finally Andre Jenkins, the leader of CEC’s Analytics Strategy, offered some unique insights into the risks everyone faces to their privacy and what can be done to keep their data secure.
He also provided the bulk of the mirth for the evening, with special reference to Facebook’s Mark Zuckerberg spending untold millions to purchase surrounding houses in Palo Alto to ensure his privacy while being seemingly flippant about the data privacy of the hundreds of millions of ordinary folk who use his platform.
What made his talk especially interesting though was his posing the question of whether anyone could guarantee privacy now or going forward and whether it would still be as relevant in the future.
“If data is the new world order, we need to make informed decisions about a product that changes all the time,” he says.
His example of health data was a powerful one, judging by the audience’s response. It used to be that credit card fraud was the most feared form of data breach, but now you just report what happened and get most or all of your money back.
“Loss of health data, on the other hand, could lead to identity theft or the loss of your job if it fell into the wrong hands,” he opined, “especially in the future when it may become much harder to differentiate between what’s real and what’s stolen.”
This, he adds, is why Care.data, the UK equivalent of Australia’s MyHealth, is now defunct after a relatively short period of time as people stopped trusting the government to be responsible custodians of their most intimate information, even allowing for the myriad of benefits that belonging to such a system brings with it.
The upshot of all of this, Jenkins adds, is that for someone with no technical knowledge, privacy and data breach concerns can be overwhelming, and that is likely to remain the case for the foreseeable future.
The Organisers, Cyber Risk Meetup, ISC(2) & CryptoAustralia would like to extend a special thanks to Platinum Sponsor GHD Pty Limited, Host King & Wood Mallesons and Event Partners Privasec and MySecurity Media.
By Alan Hartstein, ACSM Correspondent, MySecurity Media
