“Basic cyber hygiene isn’t sexy, it’s necessary”, businesses warned as data breach scheme starts


With less than a day until mandatory data breach reporting laws take effect, a cybersecurity vendor has warned that while basic cyber hygiene isn’t “sexy”, businesses that fail to practice it risk incurring “headline-grabbing data breaches” that will instantly lose them customers.

[Related: A last-minute guide to preparing your business for Australia’s new data breach regulations and Small businesses face stiff penalties under new data breaches scheme, Ombudsman warns]

From 22 February, organisations with personal information security obligations under the Privacy Act 1988 will be covered by the Notifiable Data Breaches (NDB) scheme, which is administered by the Office of the Australian Information Commissioner (OAIC).

Where an individual is likely to suffer ‘serious harm’ due to an ‘unauthorised entity’ accessing their personal information from an organisation’s computer system, that organisation must notify the OAIC as well as the individual of the data breach.

Bede Hackney, ANZ Country Manager of cybersecurity firm Tenable told Dynamic Business that a very few organisations in Australia are prepared for the potential commercial and reputation risks the NDB scheme brings.

Moreover, he said a “vast majority” are complacent when it comes to taking the “basic, foundational steps” such as the Australian Signals Directorate (ASD) Top 4 Strategies to Mitigate Targeted Cyber Intrusions.

“The NDB scheme kicks in this week but for the last twenty years organisations have been expected to take take reasonable steps to protect personal information in accordance with the Privacy Act 1988,” he said.

“If reasonable steps like patching applications or operating systems, which are espoused by the ASD, have been known to organisations for two decades, the question is… why are so many still complacent?

“Part of the reason is that cybersecurity vendors have been a little guilty of concentrating on the latest, most sophisticated technologies – things like advanced threat protection, threat intelligence, next generation this, next generation that – because basic cyber hygiene is, by comparison, less flashy, less sexy.

“The thing is, if you look at all the headline-grabbing data breaches over the last couple of years – for example, Equifax, Uber – the culprits weren’t undertaking the sort of sophisticated zero day attack the industry warns of, they were leveraging vulnerabilities that had been known publicly for weeks, if not months.”

Hackney said another reason for complacency amongst organisations is that remediating vulnerabilities can seem like a “daunting” prospect, especially as a business grows.

“For example, if you’ve got 200 employees using 500 connected devices, it’s reasonable to expect there might be a couple of hundred thousand security vulnerabilities in your business,” he said.

“When there are hundreds or thousands of vulnerabilities to remediate, it can seem like an insurmountable task and the risk is that it will just be ignored.”

Asked if it was too late for businesses to seek to comply with the NDB scheme, Hackney said “No”.

He explained, “The government has provided businesses with a blueprint for taking reasonable steps to protect personal information. That blueprint is the ASD Top Four,  i.e. patch applications, patch the operating system, application whitelisting and password management.

“If followed, these recommendations will significantly reduce an organisation’s cyber exposure risk. The ASD Top Four along with the ASD Essential Eight are a great starting point when it comes to basic cyber hygiene.”

Hackney warned that business will be at a competitive disadvantage if they don’t comply with the NDB scheme.

“They will lose customers the moment they get breached and have to notify the Office of the Australian Information Commissioner – it won’t be gradual,” he said. “When a organisation all of sudden finds itself in the headlines for losing personal data, customers will flock to a competitor.”