Is Your Business Set For The New Mandatory Data Breach Notification Laws?

New mandatory data breach notification laws take effect in Australia on 22 February 2018. This latest legislation seeks to protect consumers’ personal information, it requires that public agencies and private organisations, report all eligible data breaches to the affected individuals and the Privacy Commissioner. An eligible data breach occurs when there is unauthorised access to, exposure or loss of personal information held by an agency or organisation, which is likely to cause serious harm to those individuals. As yet, there is no definite measure of serious harm. However, we may consider serious harm to include physical, financial, and reputational damage, as well as adverse emotional or psychological impact.

This mandatory notification applies to all public and private entities that are governed by the existing Privacy Act, which includes organisations that have an annual turnover exceeding $3 million. Mandatory reporting also applies to those companies that make under $3 million and are in the business of handling personally identifiable information (PII) such as names, social security numbers, personal contact and credit information, as well as health and financial records. If an organisation is related to another that is governed by the Privacy Act, then that organisation is also subject to the mandatory data breach notification requirement.

Current State of Preparedness

Although the Privacy Amendment (Notifiable Data Breaches) Bill of 2016 had established the upcoming mandatory reporting requirement, there is some unpreparedness among organisations-especially small businesses. According to a recent survey, 44% of Australian businesses reported that they were not ready for the mandatory notification requirements. This may have resulted from a mistaken belief that small firms would not be subject to the new legislation. It may also be the case that information security has long been viewed as the domain of IT professionals, and so sufficient attention has not been directed to this aspect of business operations. However, given our growing digital economy with increasing cyber threats, it is becoming clear that the usual risk management framework must now also consider the mitigation of cyber risks.

The Process of Mandatory Data Breach Notification

If an organisation suspects that it may have been subject to unauthorised access, disclosure or loss of personal information, that may cause serious harm to any of its stakeholders, then it has 30 days to investigate and conclude whether or not an eligible data breach occurred. However it may not be prudent to wait an entire month before deciding on the eligibility of a data breach. The factors to consider when an organisation needs to determine if an eligible data breach has occurred include:

·      the type and sensitivity of the information in question;

·      whether or not steps were taken to protect the information (for example, data encryption)

·      how likely it is for the protection measure to be breached (such as the encryption being cracked) and the information revealed;

·      the scope of the potential serious harm to affected individuals; and

·      any other relevant factors.

In the case of an eligible data breach, the company must prepare a formal statement for the Privacy Commissioner and each of the affected parties. This statement must include details on the nature of the data breach, and the remedial actions to protect those adversely affected. In cases where it may not be possible to inform every affected individual, then the statement must be published on the company’s website. We recommend that legal counsel be obtained in the unfortunate event of a data breach, so that the organisation can be sure that all aspects of the mandatory notification requirement are met.

Non-Compliance Consequences

Failure to report eligible data breaches will be costly in several ways. The Privacy Commissioner is empowered to apply fines in cases of non-compliance with the mandatory notification requirement. Individuals (such as sole traders and general partners) may face fines of up to $360,000, while corporate organisations may have to pay fines up to $1.8 million.

However the consequences of non-compliance not only originate from the Privacy Commissioner. The Privacy Act enables an individual to make a representative complaint (on behalf of several affected parties) directly to the Privacy Commissioner. There is also the possibility of class actions being initiated in the wake of a data breach. Another pressing concern is the loss of consumer and investor trust. This goodwill is vital for a company’s success, and non-compliance may be perceived as a lack of trustworthiness, which may then have greater adverse effects on the organisation in question.

Compliance Matters

We recommend a two-pronged approach of both prevention and corrective measures to ensure full compliance with the new mandatory data breach notification law.

Prevention Measures

The mandatory notification requirement means that organisations need to establish robust information security systems, or review their existing systems in light of this new legislation. Information security covers all the cyber-safe policies and procedures governing the collection, storage and retrieval of personal data. However companies will need to do more than merely install commercial security software. The latest data-stealing malware are being delivered via email, which means that users at all levels of an organisation need to be trained to navigate and actively support the information security framework. Small businesses may need to outsource certain security needs to IT vendors. Therefore it is also important that all vendors are employing the latest cyber security innovations and are ready to quickly comply with any requests for updates and formal reports.

Corrective Measures

In the event of an eligible data breach, it is useful to have a set of templates and procedures on hand. It is vital to have a detailed incident response plan which includes an organisation’s breach assessment criteria, templates to notify affected parties and the Privacy Commissioner, and procedures to implement remedial measures. We recommend that any incident response plan be tested with all members of an organisation and external vendors, so that each person is aware of their role in responding to any possible data breaches. We further recommend that all organisations obtain legal counsel to ensure that all elements of the mandatory notification requirement are conducted appropriately.

The mandatory data breach notification law will definitely alter the way in which businesses operate within Australia. Other countries such as the USA, Germany, Canada and the UK already have such legislation in place, so successful adaptation to these new requirement have already proven possible. We urge all Australian organisations to become familiar with their new legal obligations, to access all of the available resources and services, for both information security and notification support.

Beware of Real Estate Hacking Attacks

Hacking attempts are not just a problem for large corporations. Unfortunately, cybercriminals are equal opportunists, a fact which has been corroborated by the recent real estate hacks. The Australian real estate industry is valued at approximately $14 billion, which makes it a tempting target for these criminals.

Consumer Affairs Victoria reported that a few of the state’s homebuyers were victimised in an email scam and they lost over $200,000. The buyers said that they received emails containing contracts of sale and trust account details for the payment of their deposits. This first email was then followed by another email, which instructed the hapless buyers that there was an error in the original email and that they should deposit their funds in an alternate account. These criminals hacked the real estate agents’ email accounts and used the second round of emails to divert the funds to their bank accounts.

Unfortunately a similar case of virtual fraud occurred in the real estate sector last May. The Real Estate Institute of New South Wales reported that a real estate agency’s online bank account was hacked and $757,000 was siphoned away in a series of transfers.

There are significant losses associated with such cyber hacks. Director of Consumer Affairs Victoria, Simon Cohen advises that persons who are purchasing their homes do their due diligence before making deposit payments. He recommends that buyers beware of emails that give different banking information. In fact, it is always best for buyers to call their real estate agents to verify all payment details before transferring any funds. Any individual or business that discovers that payment was made to an incorrect account should contact their respective financial institutions immediately. Furthermore, real estate agencies are encouraged to regularly review and secure all online systems to rebuff any hacking attacks. If you become a victim of cybercrime, we recommend that you make a formal report to the Australian Cybercrime Online Reporting Network.

We all operate in a globally connected world and we face increasing threats. Therefore it is prudent to adopt the best cybersecurity practices to protect ourselves and our assets.

How much could ‘Free Wi-Fi’ be costing you?

We can all appreciate the availability of an Internet connection when we are away from our home or office connectivity. Some people are on limited data plans, so very often, love the fact that they can save their data and use free Wi-Fi. Free public Wi-Fi is now commonly available throughout most Australian cities as a result of renewed investment in this area. While it is good to have greater accessibility, public Wi-Fi is often unsecured, which makes it fraught with multiple threats to the security of consumers’ personally identifiable information (PII) and banking credentials.

A number of news outlets have conducted experiments to show how easy it is for cybercriminals to access personal and financial information by using public Wi-Fi to hijack mobile devices. In each case, the unwitting participants in the exercise are astonished at how easy it was to convince them to sign on to the rogue Wi-Fi networks and the extent of the exposure of their confidential information.

Last year McAfee conducted a survey of 1200 Australians, of which 42 percent said that they believed that their personal information was as safe when they connected to Wi-Fi while on vacation as when they were at home or at work. This is compounded by the fact that 62 percent of these respondents also indicated that they either did not know or did not care if they were using a secure Wi-Fi connection.

A related survey by Symantec, found that 83 percent of Australians have used public Wi-Fi to log into their email accounts, share media online and even check their bank balances. The prevalence of Wi-Fi connectivity in retail spaces has also influenced consumers to access their financial accounts on unsecured Wi-Fi networks.

A study conducted by lead researcher Dr. Ian McShane at the RMIT University corroborates this trend. The most used public Wi-Fi networks were provided by restaurants and cafes, followed by shopping centres and hotels, and then parks and city squares. Approximately 10 million Australians have accessed public Wi-Fi networks, with 2 million persons conducting financial transactions, and one million performing work-related duties such as accessing emails and sharing files on these networks. According to McShane, Australia ranks as the sixth highest on an international scale for cyber attacks. Public Wi-Fi is also a popular hotspot for criminal activity, so appropriate care must be taken when accessing any such networks.

It is also not enough for adults to be careful when using public Wi-Fi. A lot of children have their own mobile devices (or frequent access to family devices), which generally means that they are accessing Wi-Fi as well. This means that children need to be monitored whenever they are using the Internet, and older children must also be educated about safe Wi-Fi use.  According to Alex Merton-McCann, McAfee cybersecurity blogger, it is important to manage Wi-Fi use among children, especially when vacationing.

The inappropriate use of public Wi-Fi can be very costly. In December 2017, a diner lost $155,000 worth of Bitcoin when he used a restaurant’s unsecured public Wi-Fi. The man had logged into his Bitcoin account at the restaurant to check his account balance. The cybercriminals moved the stolen funds to an untraceable account. Companies located in Japan and South Korea, have also suffered significant financial losses as a result of cyber criminals hijacking digital currency accounts. The vulnerability of these digital currency accounts also extends to payment cards and other online payment vehicles.

According to Dr. Mark Gregory of RMIT University, the implementation of widespread public Wi-Fi in Australia means that government, industry and consumer agencies should develop awareness campaigns on the matter of public Wi-Fi security. Merton-McCann emphasised that it is best to avoid public Wi-Fi to ensure personal and banking information security. Admittedly, it can be difficult to reduce public Wi-Fi use to zero, so as a compromise, consumers should never access personal and banking accounts while using these networks. Public Wi-Fi security can be improved through the use of Virtual Private Networks (VPNs) and also by ensuring that websites and services accessed operate under HTTPS.

What everybody really needs to know… about Cyber Security and Australian Banks

The recent Mandatory Breach Notification legislation has brought the issue of cybersecurity to the forefront of national dialogue. The Australian Prudential Regulation Authority (APRA) asked banks, insurers and superannuation funds to be aware of the risks of cyber attacks.

The Australian banking industry reported a cash profit of $31.5 billion for 2017 and a 6.4% growth rate relative to 2016. It is also important to take into account our nation’s $2.6 trillion superannuation pool, as well as the vast numbers of customers who conduct daily online banking activities. Understandably these facts render the industry, and its customers, as prime targets for cybercriminals.

APRA’s executive board member Geoff Summerhayes indicated that a major data breach at any Australian financial institution is “probably inevitable”, and could even adversely impact the longevity of that institution.  Unfortunately, a number of financial institutions have yet to fully consider how they would handle an online attack, which would be guaranteed to generate significant and costly risks.

According to Summerhayes, cybercrime is a growing and lucrative industry. In the face of the relatively slower adaptation of institutions to the reality of rapidly evolving cyber crime, virtual criminals are reaping huge benefits with very little prospect of being apprehended.

The APRA believes that cyber risk is a significant prudential threat to financial organisations. Large corporations that invest heavily in their own cybersecurity have a reduced risk of an attack resulting in sufficient damage to put them out of business.

However, APRA surveys showed that while there was an increasing awareness of cyber risks, improvements still need to be made. While some companies may have documented incident response policies to counter any possible virtual attack, these plans have not been tested and incorporated into their overall disaster recovery framework.

In light of these circumstances, the APRA has revealed its first prudential standard on information security, which will set the minimum requirements for the sector to manage cyber risks. Financial institutions will be required to conduct regular testing of their cyber defenses, implement strong detection systems, and delegate senior staff members to be in charge of cybersecurity. According to Summerhayes, these preventative measures will strengthen the banking sector, reduce the likelihood of successful virtual attacks, secure Australians’ confidential information and support national stability.

To Businesses Who Want to be Cyber Safe… but Don’t Know How to Get Started

Small and medium-sized businesses (SMB’s) are not exempt from cyber attacks. In fact, close to 60% of all breached organisations can be categorised in this segment. The recent Mandatory Data Breach Notification law now also means that there are hefty consequences for ignoring the protection of customer information.

This legislation requires that all eligible data breaches are reported to the affected individuals and the Australian Privacy Commissioner. Any failure to report an eligible breach can result in heavy fines levied against sole proprietorships ($420,000), partnerships and/or companies ($2.1 million). Therefore it is essential that SMB’s keep abreast with the latest developments and relevant statistics in the cybersecurity sector.

The issue for most businesses is though, that they don’t know where to start. The segment known as ‘cybersecurity’ is rather large and covers many areas. For SMB’s in particular, they often don’t have a designated person to look after this for them, unlike larger organisations, and they are left to wade through the many options available themselves, or turn to their dedicated IT person.

So where does a business start? To best answer that question, it is important to know the motives behind these attacks in order to be able to deter them. According to data published in the 2018 Data Breach Investigations Report (DBIR), approximately 76% of breaches are financially motivated, no real surprise there I hear you say.

The 2018 DBIR indicates that phishing is the most popular initial access method used by criminals, with roughly 92% of malware being delivered via email. Phishing is a form of social engineering where cybercriminals use emails to pose as legitimate persons or institutions to deceive others into revealing personal, confidential and financial information.

These emails in the past used to be a lot easier to pick up, often littered with spelling mistakes, poorly replicated logos, non-matching domains from the email sender and the like. This is now not as often the case and the criminals have upped their game. The emails are now a lot more sophisticated, are not as easy to spot and in many cases, now closely resemble the emails sent by legitimate organisations.

Now here’s the key takeaway from all of this. The Ponemon Institute’s 2017 report indicates that 54% of data breaches were due to negligent employees. Therefore the recommendation is that SMB’s should invest in training their personnel to detect and avoid phishing emails, and also run frequent controlled phishing campaigns to ensure compliance.

Ransomware is the top category of malicious software that is used in approximately 40% of malware-based attacks. This form of malware is popular because it is easily deployed through phishing emails, web-based instant messaging apps, drive-by downloads and malware-laden advertisements. Ransomware is also an effective means to illegally obtain large sums of money with a low risk of prosecution and imprisonment.

According to the Ponemon Institute’s 2017 report, close to 60% of small businesses have reported that cyber attacks are becoming more complex and destructive. Cybercriminals have become savvier by using techniques that circumvent standard security measures. In 2017 a staggering 77% of these attacks utilised fileless techniques. These techniques make use of system vulnerabilities (such as browser add-ons) to launch virtual attacks. These fileless attacks are ten times more likely to succeed, as anti-malware software only detects file-based malware.

Your IT person/department can look after the software and hardware eg. firewalls, antivirus, routers, etc, etc… but as you can see here, the ‘human firewall’ is most often, your last line of defence. So make that part as bulletproof as possible. And finally, the answer to the earlier question is… to train everybody within the organisation. Awareness training, phishing simulations and generally keeping this critical issue front of mind are key.

Cybercrime – The Human Element Beyond IT

ybercrime is on the rise. Not only are rates of cybercrime increasing but its breadth and depth have reached a level of sophistication that is disproportionate to our defences. It has now become a well-organised operation perpetrated by highly skilled professionals with the capability to undermine organisations large and small.

The American based Target Corporation was the object of one particularly damaging case of cybercrime. In December 2013, Target publicised that the credit card details of 40 million customers had been the subject of cyber theft; and an additional 70 million customers had personal information including their names, addresses, email addresses and phone numbers stolen.

Closer to home, organisations are regularly scanned for weaknesses in their defences as the sophistication of cybercrime evolves, with harmful malware having the capacity to sit unnoticed for weeks before an actual theft takes place.

Our very real problem that we are now faced with is that organisations are not necessarily able to compete with this new level of sophistication. Moreover, the risk of cyber attack has always been viewed as a function of IT and responses to cyber threat have been acted upon as such.

But the IT security function alone is not an adequate enough to safeguard against this new sophisticated cyber threat. In order to build a strong defence, organisations must look beyond the IT based nature of conventional cyber crime and understand the contribution that humans often make in cyber breaches.

Organisations have become extremely savvy at building robust fire walls that are able to block just about any potential threat; however these defences are redundant if they have not been able to predict what may be planned against them.  It is critical that organisations maintain a channel into the cyber community networks where potential attacks are being plotted, in this way they will be armed with information about where their potential weaknesses are as a business.

In order to stay ahead of the cyber criminals, organisations need to acknowledge that its people that commit crimes, not computers; and that unfortunately it can be people from within organisations that are complicit in these crimes. Cyber criminals are able to infiltrate at any point of weakness, which can often mean exposing the vulnerabilities of staff or someone close to the organisation who is able to access, test and deploy malware into the system.

The Three Lines of Defence model is the ideal way to mitigate risk across an organisation. The first line of protective controls includes building a strong fire wall to secure the network. This line of defence acts as the gatekeeper of the traffic which may or may not pass through. The second line of defence revolves around watching out for external threats such as analysing conversations in chatrooms, and engaging in network vulnerability tests. Lastly, measures must be taken to protect the organisation from internal threats. This may include conducting background checks of staff, ensuring that sensitive information is only available to a select few.

The Three Lines of Defence model is a great start to circumventing any potential cyber threat. However this can only take an organisation so far, as the unpredictable nature of the human condition can ultimately leave an organisation vulnerable to cyber threat, especially in the current environment where threats may emanate from within and outside of the organisation.

Cyber Security – the insider threat

Generally when we think of online hackers, we think of faceless perpetrators whose intention is to scam us out of our hard earned money in one swift malicious attack.

But what if the actual threat of cybercrime is right in front of you, in plain sight?

Organisations of all sizes are at risk of cyber threat from within their own organisation. While companies spend a considerable amount of time and energy on evading external cyber threats, experts have argued that more than 60% of attacks are coming from within the walls of a business.

Many of these attacks have been intentional, however there have been cases where attacks have been committed inadvertently. This can happen staff may become careless with data or accidentally undermine a company’s secure IT systems.

One local case where an internal threat occurred from within was at fashion brand Showpo, whose customers were reporting that they’d been contacted by its competitor. Information began to surface implicating an internal source had obtained personal information and shared this with the competitor.

A UK analysis of insider cyber threat cases found that the motivators behind internal attacks are usually centered around financial gain and revenge.

With the rise in internal cyber threats, the Federal Attorney General’s department has overhauled its ‘Managing the insider threat to your business’ publication which aims to educate managers on how to best navigate their approach to internal cyber security. They suggest implementing sound recruitment procedures which include thorough checks of new staff and tighter security controls on internal access to data.

Experts suggest that it’s important for organisations to be as vigilant towards external cyber threats as internal threats and that there are many ways to do this by monitoring staff behaviour, directing funding and educating employees.

The rise of phishing attacks

A recent study by Tripwire has found that more than half of all security professionals surveyed had noticed a rise in phishing attacks at their organisation in the past 12 months. Alarmingly, the survey also uncovered that these professionals believed that their company was ill-equipped to protect themselves against these scams.

It comes as no surprise that the increase of phishing attacks is one of the most significant cyber security threats to organisations today. Therefore it’s imperative to arm all staff and board members with the knowledge to identify these scams in order to protect our company data.

The following list outlines 6 common phishing attacks:

1. Deceptive Phishing

This is the most popular phishing scam used. It occurs when cyber criminals pretend to be a legitimate company with the aim of stealing an individual’s personal information. These emails often use threats to get what they want. Be wary of generic greetings or requests for information that the sender should already have. Errors in syntax and spelling are often a giveaway that you’ve been targeted in a deceptive phishing attack.

2. Spear Phishing

Spear fishing is a more personalised version of deceptive phishing. For example criminals will customise their scam email with the recipient’s name, position, organisation or even phone number, in the attempt to hoodwink the target into believing that they have an established relationship. In much the same way as deceptive phishing, the aim of this scam is to trick the recipient into clicking onto a malicious link, thus exposing their personal data.

3. CEO Fraud

In this scenario, the criminals will impersonate an executive’s email address and use it to request payments and transfers from others within the organisation.

4. Pharming

This new type of phishing scam involves exploiting the internet’s naming system server (DNS) which converts website names to IP addresses. In this type of attack the criminal targets a DNS server and alters the IP address in order to redirect victims to a malicious website, even if the victims entered in the correct website name originally.

5. Dropbox Phishing

Some phishers customise their scam emails to mimic a company or service such as Dropbox. In this scenario a victim is sent a realistic looking email claiming it has come from Dropbox requesting the user to click onto a link which then installs malware onto their computer.

6. Google Docs Phishing

Just like Dropbox phishing, the criminals use the Google brand to lull victims into a false sense of security in order to harvest their personal details. A message is sent to a user to view a document on Google docs, and whilst the landing page is on Google drive, when the victim’s personal credentials are entered they go straight to the criminal.

Smaller companies now more vulnerable to cyber attack

When we hear about cyber hacking crimes, the target of the attack is usually a large corporation or household name; however hackers are increasingly targeting smaller corporations, particularly those of less than $1 billion in revenue.

A recent survey by companies Nationwide and Advisen uncovered that since 2012 the average target company size had decreased by 28%, and alarmingly figures uncovered by the same survey indicate that malicious data breaches had risen by 40% between 2015-2016.

According to a subsequent survey by Beazley Breach Response (BBR) Services, financial organisations of less than $35 million in revenue were targeted more aggressively by hackers when compared to larger institutions. BBR cites the reason smaller companies are targeted is because they are simply more vulnerable. BBR says, “hackers are increasingly targeting smaller financial institutions with less robust data security systems and personnel than larger banks.”

Such is the breadth of cyber hacking proportions globally, its even garnered the attention of the G20. In a statement obtained by Reuters, the world’s largest economies vowed to collaborate in their fight against cyber attacks on the banking industry saying, “we will promote the resilience of financial services and institutions in G20 jurisdictions against malicious use of information and communication technologies, including from countries outside the G20.”

The light shone on cyber attacks by the G20 highlights the changing nature of businesses vulnerable to cyber attack and consequently, that the industry is ill-prepared to deal with such attacks. In order to protect themselves financial institutions should be aware that cyber threats are often indiscriminate and inherent in various sources including unencrypted data, new and unsecured technologies, and unsecured mobile banking.

To ascertain your vulnerability, take our survey or give us a call for a confidential discussion.

Cyber Security – It’s Easier Than You Think

Nowadays, a common problem that most businesses will face is understanding how they can protect themselves from cyber attack and whose responsibility this is.

“Don’t make the mistake of thinking of [cybersecurity] as a technology thing. It’s not,” says Adam Moseley, MD of Schwab Business Consulting and Education at Charles Schwab. Moseley follows by warning, “it is no longer a matter of if, but when, you’re going to be compromised.”

Much of the best advice points out that organisations should adopt the same defence practices as consumers in order to protect themselves against attack.

Mosely explains that these practices should spring from smarter cyber behaviour and better education, “I don’t think there’s a single greater threat to your organizations outside of email…we don’t hesitate to click a link, to open an attachment,” he said; especially when we consider that most malicious links and ransomware are generated via scam emails.

Moseley says that the most prudent organisations will engage a provider to test staff behaviour and provide education around safer cyber practices. He goes on to say that it’s beneficial to rethink behaviour around the simple things like passwords and emails and that cyber security must start with the individual.

Common cyber-security openings, weaknesses and behavioural issues can be resolved with better education. There are many easy and accessible habits that we can all engage in to help protect ourselves.

For example:

  • Call email senders to test legitimacy of suspicious comms
  • Keep sensitive data out of emails
  • Pick longer passwords (hackers will find these harder to penetrate)
  • Implement two-factor authentication where available

Addressing cyber security in the workplace doesn’t need to be a daunting exercise. There are many more simple and easily adopted behaviours that will help to protect us all from harmful cyber attack.  Call us to find out how we can help you and your business with educational resources or, to set up a meeting for further discussion.

Before you go, get a demo of our next-gen security awareness platform and see how we can help reduce your client's human risk.
Thanks, Not Interested
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.
Thanks, Not Interested
Get a demo of our next-gen security awareness platform today. Please fill in the form below and a member of our team will be in touch shortly.