What can we learn from the first NDB Scheme reporting period?

30/07/18 09:00



In February 2018, the Notifiable Data Breaches (NDB) Scheme was introduced and, in the time since, we’ve had a chance to look at the statistics and see what kinds of changes we should be making in response to data breaches.

The first reporting period showed that over 50% of the breaches reported were attributed to human error and insiders. Data breaches aren’t slowing down and, although barriers against external threats remain important, it’s clear that more needs to be done to reduce human error and to protect against the insider threat, whether malicious or accidental.


So, what can we learn from the breaches so far?

  • Organisations need to start from a ‘zero trust’ perspective - it’s not that all your employees will be untrustworthy, it’s simply recognising that human error does occur and, according to the first quarterly report, it happens far more often than we might think.

  • We all need to understand the value of the information in our possession and the consequences of that information getting into the wrong hands.

  • All organisations need clear Information Security Policies to reduce the risk of breaches and to limit financial, reputational and competitive-advantage losses.

  • Secure Information Management tools need to be rolled out along with employee educational programs that ensure all employees know their role in Secure Information Management as well as regulatory laws, updated internal policies and all Secure Information Policies.

Know the emergency responses


Everyone may be on alert when it comes to data breaches but, even so, they’re occurring at alarming rates. There are, of course, approaches to protecting against breaches, but cyber resilience is all about being flexible and responsive when incidents do occur. Does everyone in your organisation know what to do when an incident occurs? This helpful guide from the Office of the Australian Information Commissioner can assist in outlining the specific actions your organisation will need to take if an incident does occur, particularly in relation to the NDB Scheme. Ensure that everyone knows their role should a data breach take place, so that the threat can be contained and resolved as quickly as possible.


Be strategic with insider access


It’s easy to baulk at the high statistics of insider breach occurrence - after all, if you can’t trust the people within your organisation, who can you trust? While malicious insider breaches do occur, it’s accidental breaches that occur far more often and they can impact any business, of any size. Unfortunately, we are all human and all of us make mistakes, so the best way to reduce the risk is to make it easy for your team not to inadvertently cause a breach. A solution is to ensure your organisation has the correct tools and protocols in place.


Part of that is knowing exactly who has access to what and never giving anyone access to sensitive information they don’t need. Berkeley’s Enterprise Security Services Platform (ESSP) allows for this kind of control when it comes to SharePoint. By adding data classification and enforcement to your SharePoint content, ESSP helps protect your organisation from insider (and outsider) breaches. This way, if important documents end up in the wrong hands, there is an extra layer of protection against sensitive information being released.


Cyber resilience is key


Data breaches - big and small - are still happening all over the world, to organisations of every size. Protecting yourself is a matter of being flexible in your approach to responding to incidents but it is also vitally important to be putting strategies and techniques into place to reduce the risks of any cyber security incidents occurring in the first place.


No matter the size of your organisation, all strategies and techniques should adhere to ASD’s Essential Eight in order to increase Information Security and reduce the risk of threats taking hold of any valuable information.


According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average total cost of data breaches for organisations sits at $2.51 million, or $139 per compromised record. So, although implementing strategies that align with the Essential Eight may seem daunting, the approach is far more time and cost effective when compared to responding to a large scale threat.


At Berkeley, we develop and deliver secure data protection and privacy solutions to government and commercial organisations to ensure compliance with relevant data and privacy laws. Get in touch with us today to find out how we can provide the right data protection solution for you.




Written by Berkeley

Founded in the late 1990s, Berkeley serves clients all over the world including Australia, Asia, North America and the Middle East. Berkeley operates three core divisions: Enterprise Application Development (design, development and enhancement of our offerings), Enterprise Security and Systems Support Services (ongoing commitment to client service) and Internet and Cloud Services (making Berkeley applications available using alternative hardware solutions). Berkeley continuously strives to meet the needs of each of its valued clients. Its success has been heavily dependent on repeat/referred service based on its willingness to help information security specialists do their jobs better. Berkeley prides itself on delivering solutions on time, within budget and in accordance with specification.