Let’s be pragmatic in responding to Notifiable Data Breach laws. Hint: doing nothing is not an option!
You would have to have been living under a rock to have missed all of the talk about the new laws that came into effect in February 2018. Jared Staniland and Leon Slattery provide a list of proactive options you should consider.
In early 2017, the noise around mandatory data breach notifications started to increase, with it hitting a crescendo in February 2018 as the laws came into effect. A lot of that noise came from us, as we published several background pieces and calls-to-action on the topic, which was followed by several dozen conversations with customers who (rightly) understood the need to be proactive to ensure their compliance.
Both private and public sectors are under pressure
While the new laws focus predominantly on the private sector, the public sector has also recognised its own shortcomings. The March 2018 NSW Auditor-General’s Report, Detecting & Responding to Cyber Security Incidents, highlighted this as an acute issue for state government agencies, finding that their ability to detect and respond to cyber security incidents “needs to improve significantly and quickly,” with response approaches ranging “from good to poor.” Many would argue that this is a fair assessment across all levels of government.
This example shows the growing acceptance of the problem, and a renewed focus on it in IT departments around the country, across public and private sectors alike. And rightly so: given that directors and other business leaders are now liable for breaches, and government agencies are under increased scrutiny, the discussion has moved well beyond simply securing networks and the data centre.
Regardless of where responsibility lies, it is good to see Australia joining many other jurisdictions in protecting our personal data. 160 million customer records are leaked every year, through gaps in security. Yes, you read that right, 160 million. That’s payment records, medical data, addresses, dates of birth. It really is an identity thief’s playground out there, and this presents a massive headache to any organisation that gathers, processes and stores information.
The data protection gap your organisation may be missing
Typically, over recent years, the focus has been very much on protecting the core systems that store data. To some degree that makes sense, but as the workforce has become more mobile, a gap has arisen. The more organised businesses probably have documented processes to manage mobile devices, while in other cases, some necessary protections can be overlooked. Both, though, are at risk.
Of the leaked customer records, many are taken directly from lost or stolen laptops, mobiles and tablets. Some incidents, such as the theft of government laptops containing the data of 3.7 million Hong Kong voters, are likely intentional. Others may be the result of opportunistic thieves spotting shiny new iPads and smartphones left unattended. Either way, devices often hold more data than the IT department might like.
Unsecured Mobile Devices and Data Theft
Physical theft is only one contributor to a larger problem. Devices may not be updated, users may download unapproved apps, or visit unsafe websites, and no matter how many times the IT department trains users, someone will always click on a seemingly legitimate email. If it was hard convincing users not to click on Anna Kournikova links, this is worse. Today’s cyber-criminals are better resourced and more professional, and mistakes happen.
One unsecured device can be the equivalent of rolling out the welcome mat to your IT environment. Keeping devices updated and patched is a serious undertaking in itself. What was a dull but simple task when everyone used office-based desktops has become a lot more complex. It isn’t as simple as just choosing the latest patches: a decision must be made on which combination of updates and patches will work best in the organisation’s carefully balanced IT ecosystem. And in a mobile workforce, performing updates may depend on the co-operation of users, something few IT workers have time to monitor.
Modern Workplace-as-a-Service + Managed Security
That is certainly not a criticism of the IT department: it is hard to argue that hunting down a sales rep to check their iPhone should take precedence over rolling out a new service for customers. Still, if customers are to trust the organisation, their data must be secured. The answer for a growing number of organisations is to stop spending their time on device management, and instead enrol in a Device-as-a-Service (DaaS) or a Modern Workplace-as-a-Service (MWaaS) solution.
Each involves outsourcing device management. Our MWaaS solution takes over everything from licensing and user support to refresh cycles and ongoing management, providing easy reporting on every element. We even onboard staff and provide the right devices, with an automated approvals process to save the IT department from another labour-intensive task. Increasingly, organisations are turning to this type of outsourcing to allow them to concentrate on business growth, or to make better use of their skilled IT resources. The IT team’s time may be simply better spent elsewhere. Coupled with an advanced Managed Security solution from an ISO27001 certified partner, providing access to industry-leading security experts, you’re a long way towards securing your fleet of assets and meeting your compliance requirements.
Devices without Capex
There’s another reason too. Acquiring devices, and managing them through to end-of-life, involves significant capital expense. It is one of the financial anchors that can weigh down an otherwise agile organisation. MWaaS does have some Capex options available to suit certain clients, but the majority are keen to shift yet another element of IT into the operational expenses column. With easier budgeting and more flexibility to meet demand cycles, the question is: why wouldn’t you consider it?
Although efficiency, rather than data protection, has traditionally been the initial motivation, those handing device management to a dedicated specialist have enjoyed improved data security as part of the package. The emergence of Australia’s NDB laws endorses their decision. Our ISO27001 certification helps assure those opting for MWaaS that they can demonstrate the highest level of care is taken with customer data at the device level. As consumers, it is the least we should all expect.
How can CSA help?
To find out more about our Managed Security, Modern Workplace solution or any other Security measures you may need to take to address the new mandatory data breach laws, complete the form and we’ll be in touch to book a time to discuss further.
About the Authors
Jared Staniland is Portfolio Manager for Managed Services at CSA. Jared has over 23 years’ experience in the IT industry, having built and managed multiple businesses in this time. His objective is to help customers with the challenge of balancing the time and cost of running technology against their strategic IT objectives. Jared’s governance, risk and compliance expertise positions him as a trusted advisor who can advise customers on what can and can’t be delivered as-a-service by a technology partner.
Leon Slattery is Portfolio Manager, Network and Security at CSA. Leon’s security domain knowledge has been acquired over 12 years of experience in the IT services industry, focusing on the development and delivery of innovative network and security solutions for customers. Leon has applied his skills for clients within the Utilities, Finance, Health and Higher Education industries, giving him insight into the unique challenges faced in securing information in these environments.