Delivered at Trend Micro's Executive briefing events in Sydney and Melbourne, 5-6 June 2017, on Australia's new Mandatory Data Breach Notification legislation. YouTube video available at https://youtu.be/j5nmY916H7k
Best practices to mitigate data breach risk
Rob Livingstone
Principal – Livingstone Advisory
Fellow, University of Technology, Sydney
What I will be covering
1. Current data breach scenarios in Australia and New Zealand
2. The legal impacts on organisations and the IT industry
3. Organisations' responses to new legislation
4. Best practice & business strategies to deal with data breach prevention
5. Key takeaways
1. Current data breach scenarios in Australia and New Zealand
Some data breaches hit the headlines, mostly:
• Public authorities, in the public interest / duty of care
• Where the media pick up the story
• Those visible through legal proceedings
1. Current data breach scenarios in Australia and New Zealand
The number of reported data breaches is very low!
https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification
1. Current data breach scenarios in Australia and New Zealand
NZ has yet to implement mandatory data breach legislation
It's just a question of time, though
2. The legal impacts on organisations and the IT industry
Privacy Amendment (Notifiable Data Breaches) Act 2016
[Decision flowchart: Hold information subject to legislation? Yes: do enough to ensure compliance. No: business as usual.]
2. The legal impacts on organisations and the IT industry
The real question to ask is: does your organisation*:
1. Hold or transact information subject to privacy and data breach notification legislation?
or
2. Have contractual obligations with other parties (eg: customers, affiliates, business partners) to protect the information they have entrusted to your organisation?
…. if "Yes" or "not absolutely sure" then ……
* Pay careful attention to what legally defines your 'organisation'
2. The legal impacts on organisations and the IT industry
… then consider the following actions (as a minimum)…..
1. Review / renegotiate supplier / outsource / cloud provider contracts as needed. What obligations do they have to meet the requirements of the new legislation? Overseas entities? (eg Panama)
2. Review all your terms of sale / customer contracts for existing customers
3. Update your privacy policy, then publish it!
4. If you have inactive or old customer / privacy data that no longer serves a purpose, delete it (i.e. the risk of the 'long tail')
5. Review the terms of any business continuity, liability and indemnity insurance policies. (While you're there, also Directors' indemnity)
2. The legal impacts on organisations and the IT industry
The legal implications for the IT industry as a whole will vary widely; however, things to consider are:
• What comprises YOUR organisation's IT ecosystem? Who are the key players and what is their role in mitigating data breaches?
• What are the relevant IT 'industry bodies' doing to help their constituents? Ask them.
… and others.
3. Organisations' responses to new legislation
The effectiveness of any legislation is based on considerations such as the:
1. Deterrence factor
2. Actual protections afforded under the law, and
3. Practicalities of enforcing the law.
If the organisation that suffered a breach had in fact taken 'reasonable steps' to avoid a data breach, the probability of falling foul of the law would be low.
i.e. it had implemented and was operating best-of-breed security technologies and business processes
3. Organisations' responses to new legislation
However, if the organisation "did not take reasonable steps to protect the personal information from unauthorised access*", it may be in breach of the legislation.
In such instances, what constitutes "reasonable steps" may be open to interpretation in technologically complex or rapidly changing environments, or both.
* Obligations under APP 11 - https://goo.gl/LazlYl
3. Organisations' responses to new legislation
The bottom line for all organisations subject to breach legislation is to ensure that a well-defined and effective action plan is triggered as soon as a breach has been detected and verified.
Failing to do so will significantly increase the likelihood of falling foul of the legislation.
Implement a breach response capability that:
• Has an effective listening and proactive detection mechanism
• Is quick to respond, identify and close the breach
• Triggers a well-defined stakeholder notification and remedial action process (customers, media, regulators, etc.)
4. Best practice & business strategies to deal with data breach prevention
a) Data breach: don't forget to look within your business
b) Recognise that systemic risk contributes to data breaches
c) Leadership, culture, incentives and accountabilities
d) Integrate IT security with business processes
e) Build an adaptive Enterprise Strategy and Architecture capability for constant change*
f) Consider cyber insurance
g) Legals
* Read Chapter 1 of the book Adaptive Enterprise Strategy Journey Management
4a. Data breach: don't forget to look within your business
- Security is not all about the technology.
- A rising proportion of adverse cyber security events are coming from within the organisation; some say in excess of 60%
- Common causes include:
• human error, 'tick the box' security training, a revolving door of part-timers, contractors and short-term employees
• Poor vendor choices (e.g. consumer-grade cloud)
• Inappropriate IT and security architectures
• 'Shadow IT'
4b. Systemic risk contributes to data breaches
[Cartoon: Technical risk: "All systems are running perfectly, Captain!" Systemic risk: "What iceberg, Captain?"]
Move executives' focus from technical risk to systemic risk
4b. Systemic risk contributes to data breaches
- The combination of a number of events may adversely impact the whole organisation (or your organisation's ecosystem).
• This is a systemic view of the enterprise, of which technology is only one element
- The conventional approach to managing the 'cyber risk register', which underpins security certification such as ISO 27001, often fails to detect systemic risk effectively.
- A systemic view of cyber risk results in an improved perspective of what the actual business risk is, rather than what you think the risk might be.
- This requires a multidisciplinary and collaborative approach.
4c. Leadership, culture, incentives and accountabilities
Assess and develop strategic leadership competencies for the digital era
Are traditional business leadership practices failing today's organisations facing rapid change and technology innovation?
Industry research* drawn from 3,300 businesses across 106 countries identified a 36% gap between leadership's importance and readiness ratings.
* Bersin, J. (2015), "Global Human Capital Trends 2015", Deloitte University Press. https://goo.gl/HpUYxr
4c. Leadership, culture, incentives and accountabilities
Recognise the importance of culture on cyber security capabilities
Can you recognise the signs?
• poor staff engagement and satisfaction,
• adversarial cultures,
• conflicted and inconsistent decision-making,
• chronic inefficiency,
• poor or ineffective cross functional collaboration,
• continual state of crisis
4c. Leadership, culture, incentives and accountabilities
Review the structure and intent of managerial and staff incentive schemes
Focusing primarily on driving localised, short-term targets can hamper or even undermine the effectiveness of cyber security enterprise-wide.
• If cyber security is important for your business and it's seen by business stakeholders as someone else's job, this will be your CEO's starting point in defining executive incentives and business scorecards
• Incentives drive temporary compliance. What does that say for developing, operating and maintaining ongoing security capabilities?
4c. Leadership, culture, incentives and accountabilities
Define accountabilities for all aspects of information security across the organisation, and at all levels
N > 400: BDO and AusCERT 2016 Cyber Security Survey, Australia and New Zealand. https://goo.gl/671596
4d. Integrate IT security with business processes
Shift from "IT-Business Alignment" to "IT-Business Integration". Likewise with security.
• By integrating IT security within and across business processes, the context and behaviours of system users and the IT ecosystem as a whole will be better understood.
• This will improve the sensitivity and speed of detection of unusual events by the business, with the help of IT.
• This will be a significant mitigating factor against falling foul of mandatory data breach notification laws
4e. Adaptive Enterprise Strategy and Architecture for change
• Enterprises that develop a whole-of-business adaptive business strategy and architecture capability (which in turn drives IT security capabilities) are well equipped to deal with constantly changing:
• Business value drivers
• Customer and market requirements
• External cyber threats
• Digital and IT ecosystems
• A proactive, agile and adaptive IT security capability is a critical success factor for organisations dealing with sustained change
4f. Consider cyber-insurance
Why not transfer your (residual) risk?
Consider these points, however:
1. Get your house in order first
2. Understand your business and its technology ecosystem well.
3. Meticulously read, understand and test any hypotheses
4. Set executives' expectations that cyber insurance is not precise
5. Continually reassess the effectiveness of your cyber incident response team and process to minimise contributory negligence
6. Peer into your supply chain
5. Key takeaways
1. Turn security into a business value driver, not a cost to be minimised.
2. Effective data breach protection requires a whole-of-organisation approach. It's not just the job of the CIO or CSO.
3. To assess your readiness, separately ask each of your directors this question:
Who will be standing in the courtroom defending our business in the event of a data breach, be that due to legislation or customer contract violation?
- Then compare your answers.