Australia has reached an important milestone by enacting the Privacy Amendment (Notifiable Data Breaches) Act, or, as it is better known, mandatory breach notification.
As of 22 February 2018, most businesses that are breached need to notify the Office of the Australian Information Commissioner (OAIC) within 30 days, providing peace of mind and ensuring that breaches don’t go undiscovered for years, possibly never being made known to those affected. We’ve since learned that the OAIC received 63 breaches within the first six weeks, and there will be plenty more where that came from.
While it is an important milestone, it won’t solve our cyber security woes, far from it. Knowing about breaches after the fact helps us take stock and decide whether we want to continue to be associated with the organisation which has suffered the breach. It ensures that organisations have to take ownership and action to rectify damage, rather than, potentially, taking action to ensure the breach stays out of the public realm.
But what does the Act do to help us learn from our mistakes?
Speak to any head of IT, cyber security executive or even CEO candidly and there’s a good chance they have some ‘war stories’ in their closet about a mistake they’ve made, an embarrassing weak point in the IT environment they manage that led to a low-level hacker getting access, or insights on how a very sophisticated hacker broke through despite a very solid defence being in place.
We tend to safeguard these stories because usually, there’s a finger to point. A report last year from Kaspersky Lab highlighted that employees in 40 per cent of businesses worldwide hide IT security incidents. Whether it’s a member of the IT team or anyone in the organisation trying their hand at a bit of shadow IT, someone is bound to end up red-faced if the truth comes out.
Opening up a dialogue
I believe we need a more open dialogue between IT and business leaders about what goes wrong and how it can be fixed, thus helping to prevent history from repeating itself. This can be anonymised so those contributing to it don’t need to be exposed or embarrassed by the situation.
There are already examples of this kind of forum being used abroad. In the UK, the UK Data Center Interest Group last year launched the Data Center Incident Reporting Network (DCIRN). The network provides a resource for operators to share information about data centre failures confidentially so that the whole industry can learn from them.
While we can learn something from organisations like this, what better than to have one here in Australia to educate us about what threats are prevalent in our own backyard?
It’s a more preventative system than a reactive one. Think about the automobile industry, how for decades the focus was on how to design cars so that when they crash, damage is minimised. Now, we see more and more features that focus on preventing the crash and protecting occupants and pedestrians, to the point where we’re on the verge of handing the responsibility to keep us safe over to autonomous vehicles rather than ourselves.
Just as vehicle security has transitioned from minimising damage to crash prevention, we need to start addressing cyber security from a more preventative standpoint. Call me crazy, but I believe that simply talking about it is a great way to start.
Too often we read media coverage of a cyberattack, data centre outage, or other event that takes down businesses and everyday services, only to be told ‘the reason behind the breach was not disclosed’.
Imagine a scenario where, in detail, we could learn the nature of a breach, where the hacker started, what weakness or weaknesses they exposed, how the business reacted during those crucial few hours post-breach, and what specific measures were taken to prevent similar future incidents.
This is far more detail than a mandatory breach submission will provide, and anonymity means the focus isn’t on the organisation that suffered, just on the issue itself. We can look at that data and say, ‘ah, I could see how that could actually affect us’, and make a pre-emptive move to stop it.
Cyber crime is becoming more sophisticated. We can’t rely on merely raising our hand to say, “I’ve been breached,” to learn hard lessons from it. Moreover, data centres are moving out to the edge in our imminent smart cities and newly connected world. We’re about to have a whole lot more hackable things out there.
While the iron is hot from mandatory breach notification, we need to find a forum to dig into the detail, share our war stories and create an open dialogue that helps us avoid making the same mistake over and over again.
Tony Gaunt is senior director colocation, cloud and BFSI Asia for Vertiv (formerly Emerson Network Power), a critical infrastructure specialist.