The recent disclosure by the Australian Signals Directorate that a defence contractor had lost 30 gigabytes of sensitive, but not classified, data to hacking caused a flap in the mainstream media.
The loss of the data came down to sloppy procedures, according to the ASD, which has declined to name the group or government behind the attack.
But PwC’s Asia Pacific Cyber Leader Steve Ingram says the ASD disclosure was a positive thing, and built upon last year’s announcement of a breach at the Bureau of Meteorology.
“The [government] has been open with other matters, and this year they spoke of the contractor breach,” Mr Ingram said.
“What they are doing is sending a signal that no-one is immune or special, and as we become more mature we will understand that it happens. We can’t solve these issues alone, we have to work together.”
The disclosure signals that the government is willing to abide by its own rules, including the Mandatory Data Breach Notification Laws, which come into effect in February 2018. Under these laws, any organisation subject to the Privacy Act (generally those with a turnover in excess of $3 million) must report a data breach to the Office of the Information Commissioner, and also make the disclosure public.
“There are two aspects associated with the Breach Laws,” noted Mr Ingram. “The first is that no-one wants more laws. That’s a fact.”
“But the second is that the government has to keep the community safe and provide safe standards. If we don’t report breaches ourselves, then we need laws. If we had been proactive and shared our breaches, then we would not have the laws.”
However, there is still some confusion about the introduction of the new laws, and clarification is needed.
According to Mr Ingram, questions remain about what constitutes a notification, and what happens when a company notifies the Office of the Information Commissioner and the public about a breach they have experienced.
“What it comes down to, is that there are three types of organisations,” he said.
“Those that have been breached and know about it, those that have been breached and don’t know, and those that disclose it.”
Mr Ingram said collaboration between industry, academia and government is the only way that cyber security can be properly addressed, given that virtually all organisations will experience a breach at some point.
“The Joint Cyber Security Centres that have opened and will open in the New Year are a big step in the right direction,” he said.
“Now we need to collaborate more on what sort of sharing of threat information would be effective.”
He said that having a group of large companies that gathered together and shared threat data and breach information on a standard, anonymised platform would be a huge step in the right direction.
“The information could be sent to all businesses in Australia, from the smallest medical centre on the corner to the largest bank, and it would make the environment more secure and make Australia a better place to do business.”
Creating triage points where businesses could access threat data and remediation would also be another step in the right direction, he noted.
“Technology is important, but so are people. We need to share information, in a form that anyone can understand. Information to check if patches are up to date and so on. You should do that with your home computer, and so should businesses, but the information needs to be communicated in a form that people can relate to,” he said.
Mr Ingram also said that there are two sleeper issues for Australian business coming along – the EU’s GDPR requirements, and the SWIFT requirements. Under the SWIFT requirements, organisations will have to self-attest against 16 mandatory data controls on an annual basis.
“Boards need to be aware of these requirements, and I think we are getting there, but there is still work to be done,” he said. “Business is alert that something needs to happen.”
Overall, he said, we are in the middle of what equates to a new industrial revolution, with interconnectivity between just about every organisation and individual, regardless of size.
“We need to help people understand that there are great benefits that come with cyber, but we also need to be careful with our data,” he said. “We’d never get into a car without seat-belts and airbags, and yet in some ways that’s what we are doing with our data.”
PwC is a valued supporter of InnovationAus.com, and a strategic partner of the ‘Cyber Security: The Leadership Imperative’ forum being held in Melbourne on October 26.