There are three critical elements to a strong security strategy: protection, detection, and response. The introduction of eligible breach notification in Australia will tempt many organisations to act impulsively and buy technologies that promise to protect them from malicious activity. But cyber security success stories rarely come from protecting a network alone; they come from detecting a threat and responding to it rapidly.
Overreliance on Technology
If you have protection technologies deployed across your environment (from the network to the endpoint), and those technologies stop threats 95% of the time, you might think you are reasonably secure. Protection technologies will indeed defend your organisation against most commodity attacks. But what about the 5% that protection fails to stop? If you don't see the threat, if you don't even know it is happening, then it is already too late. This is where detection and response earn their keep: detecting a threat as it occurs shortens the time it takes to respond. Not every threat involves malware or a known vulnerability. In many of the cases the SecureWorks Counter Threat Unit™ (CTU) research team has studied, the threat actors gained access to a network using stolen credentials. Protection technologies will not flag someone on your network who holds credentials that entitle them to be there.
This is where monitoring comes into play. If you can monitor for behaviour that is abnormal for your organisation, and quickly determine that a particular behaviour should not be happening, then you have given your organisation a fighting chance of stopping the threat actor before they move further into your network and achieve their objective(s). You then have the ability to go to your board and say: "We monitored for nefarious activity on our network, detected it, worked out what the actors were up to, and removed them from our network quickly."
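As an added illustration of the behavioural monitoring described above (example code written for this page, not SecureWorks' or the CTU's own tooling), the script below builds a per-account baseline from a week of successful logons and then scores new logons against it. A threat actor using stolen credentials passes authentication, so the only signal is that the account behaves differently: a source IP the account has never used, hosts it has never touched, an hour of day it is never active, or a sudden fan-out to several new hosts. The log format, the account names and addresses, and the fan-out threshold of three hosts are all assumptions constructed for the example.

```python
"""
Baseline-and-deviation detection over authentication logs.

Constructed example: a threat actor holding valid credentials looks legitimate
to protection controls, so each logon is compared with what that account
normally does (source address, hosts accessed, hour of day).
"""
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user src_ip host result")

# Constructed sample data (not real logs). Format: ISO timestamp,user,src_ip,host,result
BASELINE_LOGS = """\
2017-03-01T08:55:00,alice,10.1.20.14,WKS-ALICE,success
2017-03-01T09:10:00,alice,10.1.20.14,FILESRV01,success
2017-03-02T08:40:00,alice,10.1.20.14,WKS-ALICE,success
2017-03-02T13:05:00,alice,10.1.20.14,FILESRV01,success
2017-03-03T09:01:00,alice,10.1.20.14,MAIL01,success
2017-03-01T07:30:00,bob,10.1.30.22,WKS-BOB,success
2017-03-02T07:45:00,bob,10.1.30.22,WKS-BOB,success
2017-03-03T18:20:00,bob,10.1.30.22,FILESRV01,success
"""

# Constructed "current week" logons: alice's credentials are used at 02:00 from an
# external address to reach three hosts she has never logged on to before.
RECENT_LOGS = """\
2017-03-06T09:00:00,alice,10.1.20.14,WKS-ALICE,success
2017-03-06T02:13:00,alice,203.0.113.45,FILESRV01,success
2017-03-06T02:15:00,alice,203.0.113.45,DC01,success
2017-03-06T02:16:00,alice,203.0.113.45,HR-DB01,success
2017-03-06T02:18:00,alice,203.0.113.45,FIN-DB01,success
2017-03-06T07:50:00,bob,10.1.30.22,WKS-BOB,success
"""


def parse(text):
    """Parse the assumed CSV-style log format into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src_ip, host, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, src_ip, host, result))
    return events


def build_baseline(events):
    """Per user: the source IPs, hosts and hours of day seen in successful logons."""
    baseline = defaultdict(lambda: {"src_ips": set(), "hosts": set(), "hours": set()})
    for e in events:
        if e.result != "success":
            continue
        b = baseline[e.user]
        b["src_ips"].add(e.src_ip)
        b["hosts"].add(e.host)
        b["hours"].add(e.ts.hour)
    return baseline


def deviations(event, baseline):
    """Return the ways one logon departs from the account's baseline (empty if none)."""
    b = baseline.get(event.user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if event.src_ip not in b["src_ips"]:
        reasons.append("new source IP %s" % event.src_ip)
    if event.host not in b["hosts"]:
        reasons.append("new host %s" % event.host)
    if event.ts.hour not in b["hours"]:
        reasons.append("unusual hour %02d:00" % event.ts.hour)
    return reasons


def detect(baseline_text, recent_text, fan_out_threshold=3):
    """
    Score each recent successful logon against the baseline. Also raise one
    account-level alert (ts/host set to None) when an account reaches at least
    `fan_out_threshold` previously unseen hosts, a crude lateral-movement signal.
    """
    baseline = build_baseline(parse(baseline_text))
    alerts = []
    new_hosts = defaultdict(set)
    for e in parse(recent_text):
        if e.result != "success":
            continue
        reasons = deviations(e, baseline)
        if reasons:
            alerts.append({"user": e.user, "ts": e.ts.isoformat(), "host": e.host, "reasons": reasons})
        known_hosts = baseline[e.user]["hosts"] if e.user in baseline else set()
        if e.host not in known_hosts:
            new_hosts[e.user].add(e.host)
    for user, hosts in sorted(new_hosts.items()):
        if len(hosts) >= fan_out_threshold:
            alerts.append({"user": user, "ts": None, "host": None,
                           "reasons": ["fan-out to %d new hosts: %s" % (len(hosts), ", ".join(sorted(hosts)))]})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_LOGS, RECENT_LOGS):
        print(a["user"], a["ts"], a["host"], "; ".join(a["reasons"]))
```

The point of the example is that nothing here inspects malware or exploits: every flagged logon succeeded with the right password. In production the baseline would be learned over weeks from a SIEM or directory logs rather than a string literal, and the hour-of-day and fan-out thresholds would be tuned per role to keep shift workers and administrators from generating noise.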
A Holistic Approach to Security
Why does this matter for the introduction of eligible breach notification? Under the changes to the Privacy Act 1988, unauthorised access to or disclosure of personal information is an eligible data breach only if a reasonable person would conclude it is likely to result in serious harm to the individuals concerned. In short, if protection fails but you detect and respond to the threat before a reasonable person would conclude that serious harm is likely, the unauthorised access is not an eligible data breach and the incident does not have to be reported. To be clear: protection is needed. It is critical to any security posture, but it is not the whole story. Organisations that are serious about data security should implement all three critical elements: protection, detection, and response.
To wrap up this series: eligible breach notification law is going to shake up Australia's attitude towards cyber security. As mentioned in Part 1 of this blog, several high-profile incidents in the last 18 months have forced the hand of the Australian Parliament. The addition of eligible breach notification to the Privacy Act 1988 means organisations are going to race to introduce technologies to protect themselves. There will be a grace period, and it needs to be used wisely.
Determine your risk profile and your organisation's data lifecycle, and understand the associated risk. Once you have that, develop a culture of security built around a solid communication framework. Develop a robust testing regime for your technical, process, and policy controls. Finally, add monitoring and response capability to your security posture. That is what will let you detect and respond to threats before they become something a reasonable person would deem likely to cause serious harm to an individual.