

Not if, when.

Looking at new laws, evolving infrastructure, and brand-new innovations in technology, it is fair to say that data privacy and cybersecurity are having a renaissance. Around the world, threat actors are deploying increasingly creative methods, running rampant in the digital sphere and converting personal information into revenue. On the good side, cybersecurity specialists work hard to keep up by developing new hardware, software, operational technology, and workflows that limit the effectiveness of threat actors and, when implemented by businesses, allow them to quickly identify, respond to, and recover from data incidents.

Burch&Co. had the opportunity to hear from some of the world leaders in cybersecurity and data protection at the second annual Australian Cyber Security Summit and Awards, hosted in Canberra. Our team, including Data and Privacy Specialist Hana Lee (nominated for Cyber Security Lawyer of the Year), heard presentations from Microsoft, the Australian Federal Police, and experienced cybersecurity professionals.

At the Summit, we identified 4 non-negotiables that we think every Australian business should incorporate to protect their, and their clients', personal information, and to become resilient, responsible businesses in digital Australia.

The 4 Non-Negotiables

1. Enable Multi-factor authentication (MFA)

If you’re not already aware, MFA means proving who you are with more than one kind of evidence: something you know (a password) plus something you have (a phone or security key) or something you are (a fingerprint). Typically, the second factor takes the form of a one-time code from an authenticator app, or sent to your phone or email address, that must be entered at login. In 2024, MFA is required to access the vast majority of reputable online services.

Though it’s undoubtedly an industry standard, MFA is still not enforced for every user of every platform. Australian businesses can no longer hide behind the notion that MFA is annoying and unnecessary: the figure cited at the Summit is that enabling it blocks around 99% of account-compromise attacks, because a stolen or guessed password alone is no longer enough to get in.

More importantly, companies are at risk of being found legally negligent for failing to employ MFA, given how effective it is for such little additional effort.  

The reality is, threat actors have developed countless methods to harvest massive quantities of passwords, from dark web auctions to complicated phishing schemes. By enabling MFA you make cyber threat actors’ lives much more difficult, and your data that much more secure. One caveat: not all MFA is equal. Codes sent by SMS or email can be intercepted, and a phishing page can relay any one-time code to the real service while it is still valid, so prefer an authenticator app and, where the platform supports it, phishing-resistant methods such as passkeys or FIDO2 security keys.
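To show what the authenticator-app code actually is, here is an added example (not code from the original article or from any vendor mentioned in it) of a time-based one-time password (TOTP, RFC 6238) generator and verifier in Python's standard library. The secret, the drift window, the replay check and the sample values are all assumptions for illustration; the secret used in the test is the published RFC test key.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the counter is the Unix time in 30 s steps."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Check a submitted code against the current time.

    Accepts +/- `window` time steps to tolerate clock drift, compares in
    constant time, and refuses any counter at or below `last_used_counter`
    so a code that was already accepted cannot be replayed within the window.
    Returns the matched counter (the caller must persist it), or None.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    base = now // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Assumed shared secret: the RFC 6238 / RFC 4226 test key, for illustration only.
    secret = b"12345678901234567890"
    print(totp(secret, 59))                                   # 287082
    print(verify_totp(secret, "287082", 59))                  # 1 (counter matched)
    print(verify_totp(secret, "287082", 59, last_used_counter=1))  # None (replay rejected)
```

The point a practitioner should take from this: the code is derived from a shared secret and the clock, not from anything the login page can see, so a leaked password alone cannot produce it. But the code is also just six digits valid for roughly a minute, which is why a real-time phishing relay still works against it, and why the stronger methods mentioned above bind the response to the legitimate site instead.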

2. Delete data you don’t strictly need

Time and again we heard from the cybersecurity experts that regardless of business size, value, or sector, data security incidents are bound to happen to everybody at some point. It’s not enough to have a data incident response plan anymore. Businesses must incorporate practices that ensure the least amount of data is at risk at any given time. To be proactive is to be prepared. In the words of the specialists, data is a poisonous hot potato that you should only keep in your business if it absolutely needs to be there.

Looking to the 2022 Optus data breach, we can see the dangers that come with holding excessive and unnecessary data. Prior to the breach, Optus retained the names, bank details, addresses, driver’s licence numbers, passport numbers and Medicare numbers of customers for as long as 6 years after they had left Optus. Optus argued that it had a legal obligation to keep these details so that it could chase debts and assist law enforcement agencies. Ultimately that justification was found not to hold: why, for example, would a Medicare number be needed to send an invoice?

By routinely holding onto so much extra information without a valid purpose, Optus put all of their customers at risk. In short, don’t hold onto what you don’t need.
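"Don’t hold onto what you don’t need" is easiest to enforce when the retention rule is written down per field and applied automatically. The following is an added example (not from the article, and not a description of Optus’s systems) of a field-level retention schedule and a purge check in Python. The schedule, field names, retention periods and the sample record are all assumptions for illustration.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Hypothetical retention schedule: field -> (stated purpose, days to keep after account closure).
# Any field that is not listed has no stated purpose and is purged as soon as the account closes.
RETENTION_SCHEDULE: Dict[str, Tuple[str, int]] = {
    "name":         ("invoicing and debt recovery", 365 * 2),
    "address":      ("invoicing and debt recovery", 365 * 2),
    "bank_details": ("processing refunds",          90),
}

# Keys that identify the record itself rather than holding personal data about the customer.
RECORD_KEYS = {"customer_id", "closed_on"}


def fields_to_purge(record: Dict[str, str], today: date) -> List[str]:
    """Return the fields of a closed account that must be deleted as of `today`.

    A field is purged when it has no entry in the schedule (no purpose) or when
    its retention period, counted from the closure date, has expired.
    """
    closed_on = date.fromisoformat(record["closed_on"])
    purge = []
    for field in record:
        if field in RECORD_KEYS:
            continue
        rule = RETENTION_SCHEDULE.get(field)
        if rule is None:
            purge.append(field)                       # no documented purpose: delete now
            continue
        _, keep_days = rule
        if today > closed_on + timedelta(days=keep_days):
            purge.append(field)                       # purpose expired: delete
    return sorted(purge)


def apply_purge(record: Dict[str, str], today: date) -> Dict[str, str]:
    """Return a copy of the record with the expired fields removed."""
    doomed = set(fields_to_purge(record, today))
    return {k: v for k, v in record.items() if k not in doomed}


# Constructed sample record for a customer who left on 2024-01-15 (not real data).
SAMPLE = {
    "customer_id": "C-0001",
    "closed_on": "2024-01-15",
    "name": "Example Customer",
    "address": "1 Example St",
    "bank_details": "BSB/account (redacted)",
    "drivers_licence": "redacted",
    "passport_number": "redacted",
    "medicare_number": "redacted",
}

if __name__ == "__main__":
    print(fields_to_purge(SAMPLE, date(2024, 1, 16)))   # identity documents go immediately
    print(fields_to_purge(SAMPLE, date(2024, 6, 1)))    # bank details go after 90 days
    print(apply_purge(SAMPLE, date(2026, 6, 1)))        # only record keys remain after 2 years
```

The useful discipline here is the schedule itself: every field a business keeps about a departed customer has to name a purpose and a period, and anything that cannot do so is deleted by default rather than by exception.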

3. Educate your team

When a data incident occurs, think of it as you and your staff entering a chess match against a chess master. On the positive side, you have your incident response team beside you. On the other side is an attacker who is likely well-versed in exactly what they need to do to extract your data, having prepared just like a chess pro. It will benefit you and your team immensely to prepare well in advance to work together in minimising the impact of the incident.

In terms of how best to prepare, experts at the Summit agreed that the first step is to assign roles and establish responsibility. Specifically, these roles should assign responsibility for: reporting obligations; managing the technical response; and communicating with executives throughout the incident. By establishing responsibility before an incident, you forgo having to allocate roles in the middle of a crisis.

The second step is to conduct regular (twice a year is recommended) walkthroughs, known as ‘table-top’ exercises, where you and your team take the time to walk through each stage of a data incident as if it were occurring in real time. During these walkthroughs, team members experience the flow of a data incident response, become familiar with their roles, and gain the knowledge and confidence to act efficiently when an incident occurs. Regular table-top exercises are recommended because the landscape of data incidents keeps changing, and so that your staff are familiar with changes to the response plan as and when they are made. Every minute you spend training for data incident response will save you hours (and $$$) during a real incident.

4. As an executive, buy into cybersecurity!

The lasting impression from our time at the Cybersecurity Summit was that, although cybersecurity is rapidly growing in importance in our increasingly digital world, executives around Australia remain sceptical of its significance. As executives are the people who hold real decision-making power over the direction of Australian businesses, their buy-in remains the largest hurdle in ensuring that data protection and cybersecurity are given the attention they need.

The worst possible outcome to a data incident response meeting, and one that is all too common, is for the CEO or Chairperson to declare that they are completely unaware of any data incident response or business continuity plan. As mentioned above, prior preparation is imperative to a resilient, responsible business, and it all starts at the top with executives taking a proactive approach to data security. Without buy-in from each and every executive in a business, the important and necessary changes to workflows, policy, and training cannot take place.
