Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
Welcome to this special edition of the elevenM News Roundup for Privacy Awareness Week, headlined by the Office of the Australian Information Commissioner’s release of its Insights Report covering the first 12 months of the Notifiable Data Breaches scheme. Privacy has been a hot topic on the other side of the world too – in Silicon Valley, the tech giants spent recent weeks jostling for top spot in the privacy stakes. As you’ll read in this week’s roundup, not all these efforts landed so well.
Summary: Australia’s first mandatory data breach reporting scheme drove a 712 per cent increase in data breach notifications.
Key risk takeaway: In publishing this report, the regulator has signalled it expects organisations to not only be aware of their reporting obligations, but also understand the primary causes of data breaches and what ‘harm’ might mean for their customers, and to proactively implement preventative measures. A key takeaway from the report is the prominent role of human factors in breaches, whether through staff error or malicious attacks that prey on human vulnerabilities. These findings emphasise the importance of staff education and providing users with tools and technologies to protect data.
Tags: #regulation #privacy #education
Summary: Facebook has outlined an overhaul of its social network as it seeks to refashion itself into a more privacy-focused platform. Not everyone was convinced by the announcement, while a co-founder later issued an explosive call for the tech giant to be broken up.
Key risk takeaway: When it comes to impacting perceptions of trust, actions clearly speak louder than words. Scepticism around Facebook’s announcement stems not only from its track record on privacy, but limited detail on how it will actually evolve into a privacy-enhancing social network. He might have stood under a banner proclaiming “the future is private” and announced plans to make messaging apps encrypted, but Facebook CEO Mark Zuckerberg shed little light on how the company would alter its core practice of using personal data to drive advertising. Prominent voices continue to make the argument that stronger regulation is the answer, with Facebook co-founder Chris Hughes calling for a new agency to regulate technology companies whose “first mandate should be to protect privacy”.
Tags: #trust #privacy
Summary: Google has unveiled new privacy controls for its services and published new privacy commitments for its hardware.
Key risk takeaway: Google’s delivery of functional privacy enhancements has been contrasted with the vaporware of Facebook’s pro-privacy pronouncements, another fillip for the argument for actions over words. The search giant announced privacy-focused additions to Chrome and Google Maps, while also issuing a clear and detailed set of “privacy commitments” for smart home products (another area where Google is attracting favourable mentions compared to competitors) such as Google Nest. Offering users more tools and controls to protect their own privacy reflects a growing line of thinking. The OAIC’s 12-month Insights Report released this week recommends organisations provide their staff with tools and technologies (in addition to education) to better protect customer and business data.
Tags: #privacy #reputation #tools
Summary: LandMark White estimates the customer data theft perpetrated against it cost the property valuation firm around $7 million, based on loss of work after being suspended from bank supplier panels.
Key risk takeaway: The potential for financial damage as a result of a data breach is becoming more salient in a climate of mandatory data breach reporting, combined with heightened governance and expectations by businesses of their suppliers. LandMark White was one of the multi-party breaches recorded in the OAIC’s 12-month Insights Report. Taking a proactive approach to assuring clients of the measures in place to protect data will increasingly be a baseline requirement for businesses.
Summary: Financial institutions will soon be subject to CPS 234, the Australian Prudential Regulation Authority’s new cybersecurity regulation that goes into effect July 1.
Key risk takeaway: In introducing these regulations the regulator is evidently acting with urgency to improve the security posture of financial organisations in what it deems a hostile cyber security environment. Key focus areas are greater board-level accountability for cyber security, classification of data according to criticality and sensitivity, and notification of serious security incidents to APRA within 72 hours. A recent think-tank report also highlights the increasing focus on cyber security and data protection from financial regulators across the Asia-Pacific region. The authors note that while each regulator tends to draw from common frameworks and standards, varying country-specific implementations threaten to create inconsistencies and even introduce systemic risks and vulnerabilities.
Tags: #cyberrisk #regulations
Summary: Up to 50,000 companies running SAP software are reportedly at greater risk of compromise after security researchers found ways to exploit vulnerabilities in unpatched systems.
Key risk takeaway: Patching systems is one of a select number of key “security hygiene” activities regarded as fundamental practice for mitigating cyber security risks (see respected guidance such as the Australian Government’s “Essential Eight”). Software providers regularly release fixes for security bugs (as SAP did in this instance), and it’s imperative organisations apply these fixes in a timely manner, particularly for critical systems. This is easier said than done, especially in larger organisations with expansive and complex IT environments. Patching large numbers of servers can be resource intensive and potentially impact service availability. Knowing which systems are most critical and understanding the actual risk represented by a published security vulnerability for your organisation or industry will guide a more prioritised, risk-based approach.
Tags: #securityhygiene #patching #prioritisation
Summary: Israel has used military force to respond to a Hamas cyberattack, an incident seen as the first example of a physical or kinetic attack used as a real-time response to digital aggressions.
Key risk takeaway: Though cyber is now widely considered a domain of warfare (alongside land, sea, air and space), the norms of cyberspace and cyber warfare are relatively nascent and continue to evolve. Some see this incident – in which a cyber-attack resulted in a real-time physical response – as a precedent. Others play down the prospect of a rise in physical retaliation against any and all forms of geopolitical hacking (of which there is a significant amount), noting that Israel’s physical attack came in the context of an existing, ongoing physical conflict.
Tags: #cybernorms #cyberwar
Summary: The head of the Australian Cyber Security Centre Alastair MacGibbon has resigned.
Key risk takeaway: As a prominent and central figure in Australia’s cyber security leadership, MacGibbon’s departure will have an impact on the implementation and direction of the Government’s national cyber security strategy and focus. MacGibbon held both policy and operational roles and was a highly visible figure – he often spearheaded the public response to national-level incidents, such as the disruption of the 2016 census and compromise of parliament. There are calls to simplify governance arrangements in deciding on MacGibbon’s replacement.
Summary: A security researcher has found a smart city database accessible from a web browser without a password.
Key risk takeaway: The growing incidence of “leaky databases” – where organisations fail to sufficiently protect cloud-based data stores – continues to be of concern. Cloud-based platforms offer cost and technology advantages; however, organisations must be vigilant about the types of data being stored and about enforcing configuration settings and policies to protect that data. In this instance, the exposed Elasticsearch database reportedly held gigabytes of data, including facial recognition scans on hundreds of people. For some businesses, automated solutions are proving an effective way to identify and remediate these kinds of security gaps.
Tags: #privacy #cloudsecurity #dataprotection