The recent US Court decision that Yahoo must face a class action in court over the loss of three billion users’ personal information signals a shift in how the world is responding to data breaches.
There has been a spate of high profile data breach announcements this year – of which the Yahoo incidents were by far the largest – with this month’s revelations tripling the number of users exposed in the 2013 attacks. This month also saw US-based credit reporting agency Equifax scale up the number of people affected by its recent data breach to 145.5 million.
Just last week, an official from the Australian Signals Directorate (ASD) revealed a Defence contractor was targeted by hackers who stole 30 GB of data, including sensitive information about Defence projects. The small aerospace company has 50 staff, with only one person dedicated to managing IT, and according to reports it failed to apply basic security protocols, which calls into question the process used by Defence in assessing its suppliers.
Defence Industry Minister Christopher Pyne said the breach was a "salutary reminder to everyone in the industry and the government" of the importance of taking cyber security seriously.
While previously people were perhaps more accepting that data breaches were a fact of life in the digital world, attitudes have changed as awareness grows about security measures available to these organisations and the disturbing prevalence of ineffective or inadequate security practices.
The price of Yahoo’s sale to Verizon was slashed as a result of its disclosures while heads rolled at Equifax with the CEO, CIO and CSO all “retiring” since the breach was announced. More broadly, senior executives are being taken to task and governments are increasingly taking action because the costs of identity theft and data breaches are just too high.
NSW Chief Information Security Officer (CISO), Maria Milosavljevic, has called for the CISO role to be redefined to ensure a consistent standard across government and private sector organisations and to expand the coverage of responsibilities. Ms Milosavljevic was appointed deputy chair of the ACS Cyber Security Committee and to the ACS Technical Advisory Board last week.
“At the end of the day, it’s people who are impacted when data is stolen or mishandled and the CISO role needs to shift to more closely consider the human toll of poor security practices,” she said.
“Issues around privacy are just a starting point, because other impacts can also be financial, health-related and even life and death in some contexts. The definitions around cyber security are changing and so is the liability,” Ms Milosavljevic said.
The Australian Government has implemented a multi-pronged response to data theft that includes initiatives to:
· Enforce mandatory data breach notifications,
· Shore up its own cyber security capabilities, and
· Encourage the development of a larger cyber security skills base in Australia.
I attended the launch of the International Cyber Engagement Strategy by Foreign Affairs Minister Julie Bishop less than two weeks ago, where the Minister highlighted the lead role Australia is playing in developing rules governing how nations operate in cyberspace, calling the management of cyber issues “a matter of international strategic importance”.
Earlier this year, the Government passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, establishing the Notifiable Data Breaches scheme. This comes into effect in February 2018, requiring organisations to notify individuals when the loss of their information is likely to result in serious harm.
The recent Australian Cyber Security Centre 2017 Threat Report highlights the growing and pervasive threat of cybercrime through data hacks, ransomware, malware and social engineering manipulations, offering a range of strategies to guide government agencies and businesses in managing their risk and exposure.
A few weeks ago, Dan Tehan, the Minister Assisting the Prime Minister on Cyber Security, unveiled the new ACS Certified Professional (Cyber Security) and Certified Technologist (Cyber Security) certifications, which would allow ICT professionals to validate their expertise in this discipline and provide a clear benchmark for industry and government.
We have also made our work available internationally to the International Federation for Information Processing’s International Professional Practice Partnership (IFIP/IP3), which has confirmed that it will provide the specialism to its ICT member societies around the world, further enhancing international mobility and mutual recognition of cyber security professionals.
While the risks inherent in operating online are recognised, recent developments have made it clear that users and governments alike will no longer accept compromises from organisations that fail to adequately secure the data and information of their customers.
As the deadline on the Australian Notifiable Data Breaches scheme looms, the pending class actions against Equifax and Yahoo serve as wake-up calls to organisations that take a laissez-faire approach to cyber security and data breaches.