weerapat1003 - stock.adobe.com

How Australian firms can plug data protection gaps

Australian organisations can address data protection challenges by creating roles such as a data governance lead, classifying data and improving employee awareness of cyber hygiene

This article can also be found in the Premium Editorial Download: CW Asia-Pacific: CW APAC: Trend Watch – data protection

The number of data breaches continues to grow in Australia, underscoring the need for local companies to shore up their data protection practices amid mounting cyber attacks.

According to the Office of the Australian Information Commissioner (OAIC), 537 data breaches were reported between July and December 2019, a 19% increase over the first half of that year.

Of those breaches, 64% were attributed to malicious or criminal attacks, 32% to human error, and 4% to system faults. Some 12% of malicious or criminal attacks were “inside jobs”, while the number of breaches caused by cyber attacks rose from 192 in the first half of 2019 to 230 in the second half.

Sean Duca, Palo Alto Networks’ vice-president and regional chief security officer in Asia-Pacific and Japan, said it was possible that a significant number of notifiable breaches were not reported.

“We have found that 97% of SMEs [small and medium-sized enterprises] in Australia are unaware of how the privacy laws impact them, whether this is the Australian notifiable data breach laws or the EU’s General Data Protection Regulation and how they hold information or transact with citizens within the EU,” he said.

Joel Camissar, McAfee’s Asia-Pacific regional director for its Mvision cloud access security broker service, said that as the digital landscape broadens, data breaches are moving away from on-premise infrastructure to the cloud.

“With the broad distribution of data across devices and the cloud, visibility becomes increasingly fragmented,” he said.

Dhruv Dhumatkar, NetApp’s director of sales engineering in Australia and New Zealand (ANZ), did not think Australia had done particularly well in data protection, especially as more organisations operate in hybrid cloud environments where cloud servers should be hardened appropriately, and data protected against interception while in transit.

The next OAIC report might be even worse. According to Cisco ANZ’s director of cyber security, Steve Moros, Australia’s and New Zealand’s workforces are now operating remotely and have had to adjust to this “new normal” almost immediately.

Security has been tested at scale in this environment, emphasising the importance of foundational security capabilities,” he said. “A key learning is to relentlessly simplify through an integrated platform, consolidate and drive constant awareness and education around cyber hygiene.”

Rob Dooley, VMware Carbon Black’s ANZ director, said that although chief information security officers have realised the need to minimise the attack surface, the rise in remote working means new devices and apps are being used within organisations, increasing the likelihood of more breaches.

To shore up data protection, organisations need to address both people and technical problems.

Lucas Salter, Dell Technologies’ ANZ general manager for data protection solutions, recommended engaging business leaders on the value of data and incident response simulation exercises, and creating roles such as a data governance lead and a chief data officer.

“These positions give one person, or one team, the oversight and authority needed to ensure the organisation is responsibly managing their data and meeting both local and international regulations,” he said.

Steve Moros, Cisco’s director of cyber security in ANZ, advised organisations to drive constant awareness and education around cyber hygiene, while McAfee’s Camissar warned against treating security as something to be delivered and managed solely by the IT department.

“In a cloud environment, the security model involves everyone across the enterprise,” said Camissar.

Read more about data protection in Australia

  • Australia’s data breach notification rules have largely been complied with, but some quarters are calling for more clarity on the reporting threshold and tougher action against errant firms.
  • Australian businesses are starting to explore their obligations and responsibilities under the country’s new Consumer Data Right (CDR) legislation and assess what changes they may need to make to ensure compliance.
  • NetApp’s leaders in Asia-Pacific discuss the company’s pivot into data services and its traction in the region.
  • Australia and New Zealand have seen a four-fold increase in the amount of data moving from on-premise environments to the top public clouds, survey finds.

Amid the Covid-19 pandemic, NetApp’s Dhumatkar highlighted the importance of ensuring that security compliance and data protection do not take a back seat.

This includes identifying and classifying personally identifiable data, said Howard Fyffe, Veritas’ ANZ managing director, pointing to a recent study which found that more than half of company data in ANZ remained unclassified, despite a rise in security breaches and data protection regulations.

Once classified, products such as data loss prevention software – along with other good data management practices – can then provide universal data protection across endpoints, networks, and the cloud.

Data protection, however, has evolved to be more than what businesses think.

Fyffe said: “ANZ organisations need to understand that data protection is a fundamental business strategy that will guide them to future-proof their core IT infrastructure. When done right, this will save companies millions to billions of dollars.

“Businesses risk losing customers and harming their brand if they cannot protect data – be it their organisation or customers’ data.”

Dell’s Salter advised businesses to contact the Australian Cybersecurity Centre or the Defence Signals Directorate for guidance on best practice around responding to data loss or a breach.

“My suggestion is that all data and IT teams familiarise themselves with the Essential Eight mitigation strategies that the ACSC has set out, and understand how they apply to your organisation, no matter what level of maturity your data protection and resilience strategy is at,” he said.

Read more on Privacy and data protection