Breach notifications: You can’t disclose what you haven’t discovered

You’d be forgiven for thinking that Australian businesses aren’t in the crosshairs of cyber attackers. The lack of a mandatory reporting regime has meant there has been no legal compulsion for Australian organisations to publicise data breaches.

But all this will change on February 22.

When the Australian Government’s Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into force, all businesses will be required to notify not only the Office of the Australian Information Commissioner (OAIC), but also any impacted clients, about significant data breaches.

While there are some exemptions (for example, the new rules will apply only to organisations with more than $3 million in revenue), the end result is that many more breaches will become public. As a consequence, the false sense of security that Australian organisations are safer than their international counterparts will receive a sobering reality check.

The OAIC has published a list of resources for organisations who fall under the purview of the new law, and much of the public commentary has focused on what organisations must do after they learn they’ve been breached. 

Across the industry, there is much concern about the new laws due to a lack of preparedness. In fact, research suggests 44 per cent of Australian businesses aren’t ready to meet their obligations. While this has serious implications, there has been much less discussion on how to discover a breach in the first place – after all, it’s impossible to disclose what you haven’t discovered.  

Recent research shows that almost half (47 per cent) of the breaches discovered in 2016 were uncovered by third parties. While these figures are for the US, given the maturity of the antipodean market and the existence of breach disclosure legislation for some time, I’d hazard a guess that the Australian figures are much worse.

The reason businesses struggle to identify breaches themselves is that they rely on outdated methods such as log-based intrusion detection systems. SIEMs, for example, are reminiscent of Homer Simpson’s ‘everything’s OK alarm’ – this traditional log-based approach to cyber security is failing because the avalanche of false positives and the resulting alert fatigue give attackers too much static within which to hide.

This is where services like LMNTRIX can be of enormous value. We use a validated and integrated threat detection and response architecture to hunt down advanced and unknown threats that routinely bypass perimeter controls. We do this with the use of a proprietary platform called Active Defense – a 24/7 analyst-driven service. Unlike the industry norm, we don’t rely on the customers’ existing infrastructure and we don’t rely on logs. 

ATR’s technology stack includes multiple network and endpoint sensors, deceptions everywhere, and threat intelligence feeds – even from the deep and dark web. ATR enables an offensive military approach, based on the concept of hunting and adversary pursuit. This is critical to neutralising the adversary’s ability to gain entry and remain undetected.

This means the only thing a client receives is a validated breach. We don’t deliver endless alerts, a fancy portal that nobody logs into, or reports filled with meaningless statistics. 

Ultimately, businesses shouldn’t need legislation to compel them to notify affected parties when their data has been breached. Now, with fines of up to $1.8 million for failing to do so ‘as soon as practicable’, there won’t be a choice. 

But first they’ll need to discover what it is they need to disclose.   
