Cybercrime and data security are a growing challenge here in Australia. The Australian Government recently published figures estimating that cybercrime costs our economy about AU$1 billion annually, and if the international trends are anything to go by, that figure will grow rapidly over the next few years.
Legislators around the world are grappling with the same question: how do we steer our digital economy toward a more secure future?
Australia is about to implement a new regulatory regime designed to help accomplish that goal.
What is the NDB Scheme?
The Australian Federal Government has devised a set of regulations to manage cybersecurity accountability; the Notifiable Data Breach (NDB) Scheme comes into effect on Feb 22 and its implications for Australian business are far-reaching.
Any company or organisation with an annual turnover greater than AUD$3 million that handles people’s personal information - data like bank account information, credit card details, medical records or identification documents - is covered by the new regulations.
The NDB Scheme makes it compulsory for companies that suffer data breaches to notify the Office of the Australian Information Commissioner (OAIC).
They must also directly inform the people whose information is exposed so they have the best possible opportunity to protect themselves from adverse effects.
The NDB Scheme is a quantum leap for cybersecurity regulation in Australia, so there’s quite a lot of debate about what the rules really imply.
Although the detail is complicated, the essence of the scheme is about ensuring better protection for the public when companies and government organisations experience a data breach, or when they’re hacked.
What is a data breach?
For the purposes of the NDB Scheme, the OAIC defines a data breach this way:
“Unauthorised access (of data) by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party... For example; a computer network is compromised by an external attacker resulting in personal information being accessed without authority...”
The broad terms of the Scheme could be applied to almost any sort of data from address lists in mobile phones to company HR records and customer credit card details stored on servers.
The criteria for mandatory notification under the scheme also state that ‘serious harm’ must be likely to occur as a result of the breach for it to come under the NDB rules.
There’s some room for speculation about what qualifies as ‘serious harm,’ but the advice from the OAIC stipulates that it can include psychological and reputational damage as well as financial loss.
Although the NDB regulations include a lot of different data breach types, the OAIC specifies four categories that are ‘more likely to cause an individual serious harm if compromised.’ These high priority data categories are:
- sensitive information, such as information about an individual’s health
- Medicare card, driver’s licence and passport details
- financial information
- a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about
It’s clear from this list of high priority breach categories that the NDB is intended to focus on data that can compromise people’s privacy or be used to attack individuals in one way or another, whether it be by fraud, extortion or theft.
I think it’s significant that this list identifies data types that are commonly exploited by cybercriminals. It’s an especially dangerous situation if criminals can get hold of multiple data points about a person - as mentioned in item 4 - because that makes it easier for them to perpetrate identity fraud against them.
That conclusion certainly fits with current trends in cybercrime, which are increasingly driven by identity fraud leveraging stolen personal data. Breaking into a company’s customer records enables criminals to steal credit card files that include passwords, addresses and documentation of the cardholders as well as the card details themselves.
Is your business affected?
The NDB Scheme is designed to focus on medium to large businesses with annual revenues of more than AUD$3 million.
Small business operators are more or less excused from NDB compliance, but there is a quite extensive list of exceptions to this general rule. If you’re a small business owner and unsure about your responsibilities, it’s probably a good idea to check the OAIC website and read their compliance rules.
Any medium to large company that is storing the personal or financial data of individuals should be taking steps to prepare for the introduction of the NDB.
What data do you have?
The first step toward NDB preparedness is knowing what data your company is collecting and how it is stored. A comprehensive data audit is fundamental because you’ll need to discover what information your company handles that could come under the purview of the NDB. As I mentioned above, the NDB Scheme is very inclusive in its scope, so your audit should look at all platforms, device types and departments.
Step 1: identify what data you already have.
Look at all kinds of assets stored in all formats, across every kind of software and media. List your data assets in categories to make them easier to assess, for example:
- CRM platforms
- POS purchase information
- online shopping records
- marketing lists
- social media contacts
- Excel spreadsheet records
- company data held by contractors and other third parties
Step 2: survey department heads to find out how your company’s data is used. Who accesses what and for what purpose? Pay particular attention to data handling problems or unnecessary data sharing.
Step 3: locate and eliminate redundant data. Once you know what you have, how it is gathered and what it is used for, you can take action to be more efficient. Data is an asset, but it can also be a liability if you are storing large volumes of material that has no useful purpose.
In the event of a breach, more redundant information in storage means more potential exposure.
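Step 1 of the audit is easier to start if you can scan the records you already hold and sort them into the OAIC’s four high-priority categories automatically. The following script is an added example written for this article, not code from the OAIC or any product: it runs over a handful of constructed sample records (standing in for a CRM or spreadsheet export), validates anything that looks like a payment card number with the Luhn check, validates anything that looks like a Medicare card number with the publicly documented check-digit rule (treat that rule as an assumption if you adapt this to real data), spots health-related wording with a hypothetical keyword list, and flags records that combine several data points about one person, which is the ‘combination’ category on the page.

```python
import re
from typing import Dict, List

# Constructed sample records standing in for a CRM or spreadsheet export.
# No real people or cards: the numbers are synthetic values that pass the checksums.
SAMPLE_RECORDS = [
    "Jane Citizen, jane@example.com, card 4111 1111 1111 1111, exp 09/25",
    "Newsletter subscriber: marketing@example.org",
    "Patient file: John Doe, Medicare 2123 45670 1, diagnosis: asthma",
    "Order #1042 total AUD 59.90 shipped",
]

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, spaces/dashes allowed
MEDICARE_RE = re.compile(r"(?<!\d)\d{4} ?\d{5} ?\d(?!\d)")    # 10-digit card number as printed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HEALTH_WORDS = ("diagnosis", "patient", "prescription", "medical")  # hypothetical keyword list


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers; ignores spaces and dashes."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def medicare_ok(number: str) -> bool:
    """Medicare card check (assumed rule): first digit 2-6, ninth digit equals the
    weighted sum of digits 1-8 mod 10 with weights 1,3,7,9,1,3,7,9."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != 10 or not 2 <= digits[0] <= 6:
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9)
    return sum(d * w for d, w in zip(digits[:8], weights)) % 10 == digits[8]


def classify_record(text: str) -> Dict[str, object]:
    """Map one free-text record onto the OAIC high-priority categories."""
    categories = set()
    identifiers = 0  # distinct data points that tie the record to a person
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        categories.add("financial")
        identifiers += 1
    if any(medicare_ok(m.group()) for m in MEDICARE_RE.finditer(text)):
        categories.add("identity document")
        identifiers += 1
    if any(word in text.lower() for word in HEALTH_WORDS):
        categories.add("sensitive (health)")
    if EMAIL_RE.search(text):
        identifiers += 1  # a contact detail alone is low value, but it links other data to a person
    # Item 4 on the page: several data points about one individual are worse than a single one.
    if identifiers >= 2 or (identifiers >= 1 and "sensitive (health)" in categories):
        categories.add("combination")
    if "combination" in categories:
        severity = "high"
    elif categories:
        severity = "medium"
    else:
        severity = "low"
    return {"categories": sorted(categories), "identifiers": identifiers, "severity": severity}


def summarise(records: List[str]) -> Dict[str, int]:
    """Count how many records fall into each category: the start of a data inventory."""
    counts: Dict[str, int] = {}
    for record in records:
        for category in classify_record(record)["categories"]:
            counts[category] = counts.get(category, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(classify_record(record), "<-", record)
    print(summarise(SAMPLE_RECORDS))
```

The checksums matter: without them a scan of a large export is dominated by order numbers and phone numbers that happen to be the right length, which is the kind of noise that makes an audit get abandoned. The keyword list and the severity tiers are deliberately simple placeholders; the point is to produce a category count per data store that you can then take to department heads in Step 2.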
How safe is your data?
Once you have established a clear picture of how your company’s data management works, you’ll be in a position to make a risk assessment:
- What cyber-threats could your company face?
- Where are the security weak-points in your technology infrastructure?
- Do you have effective cybersecurity measures in place?
- What threats does your security software protect you from?
- Do you have education programs in place to counteract human security vulnerabilities?
- How would you know if your data storage was compromised?
- What is your responsibility to third parties whose data you handle?
- Who is responsible for your company’s cybersecurity management?
Take control of cybersecurity
The bigger objective of this scheme is to incentivise better cybersecurity practice. Dealing with a data breach under the NDB will mean a pile of paperwork, but the real pain involved in a data breach scenario is financial and reputational; the NDB isn’t going to change that.
Data breach incidents can be very costly; it’s not just the immediate losses caused by fraud or theft, but also the disruption of a company’s regular activities. Breaches can expose companies to very significant liability and disrupt relationships with suppliers and customers.
In May this year, the EU will introduce its GDPR regulations, creating another substantial incentive to avoid data breach incidents. The GDPR - General Data Protection Rule - mandates that any company doing business in the EU, or even just selling goods or services to EU citizens, must pay hefty fines for data breaches. Penalties under the GDPR will be calculated according to the number of files exposed in a breach, topping out at 4% of the gross annual revenue of penalised companies.
Is your company taking proactive steps to prevent data breaches?
That’s the bigger question we should all be tackling because if your company suffers a ‘serious data breach,’ your compliance responsibilities to the OAIC will only be one of your problems.
Make your data secure
Initiating greater accountability and transparency in data management is only half of the formula for NDB preparation.
Businesses are losing millions of dollars to cyber-attacks that could have been prevented. Cybersecurity is seen as an IT issue; a lot of CEOs imagine that their IT department will take care of it but it just isn’t that simple anymore. Good cybersecurity policy requires the involvement of all levels of management and a commitment to educating every member of the team.
- Use strong passwords and two-factor authentication
- Provide cybersecurity education to your staff
- Get professional advice on how to strengthen your company’s security
- Make sure you have solid data backup and recovery procedures in place
- Implement local and cloud-based cybersecurity protection
The sophistication and diversity of contemporary cybercrime requires a multi-layered approach that includes scanning software, staff training and email and web filtering. Relying on a single cybersecurity tool like traditional antivirus software is no longer viable.
There’s never been a better time to take on the challenge of breach-proofing your data storage. The old saying goes ‘prevention is better than cure’ and that’s certainly the case with cybersecurity.
The introduction of the NDB is one more good reason to make sure your data is secure.
If you would like to learn more about solving the complex cybersecurity challenges facing business leaders today, please read my book Surviving the Rise of Cybercrime. It's available to download here.
Join the conversation.
If you have comments or questions you would like to share with me, please get in touch.