
Best practices to mitigate data breach risk

Delivered at Trend Micro's Executive Briefing events in Sydney and Melbourne, 5-6 June 2017, on Australia's new Mandatory Data Breach Notification legislation. YouTube video available at https://youtu.be/j5nmY916H7k

Published in: Law
  1. EXECUTIVE BREAKFAST
  2. Best practices to mitigate data breach risk
     Rob Livingstone, Principal – Livingstone Advisory; Fellow, University of Technology, Sydney
  3. What I will be covering
     1. Current data breach scenarios in Australia and New Zealand
     2. The legal impacts on organisations and the IT industry
     3. Organisations' responses to the new legislation
     4. Best practice and business strategies to deal with data breach prevention
     5. Key takeaways
  4. 1. Current data breach scenarios in Australia and New Zealand
     Some data breaches hit the headlines, mostly:
     • Public authorities – in the public interest / duty of care
     • Where the media pick up the story
     • Where the breach becomes visible through legal proceedings
  5. 1. Current data breach scenarios in Australia and New Zealand
     The number of reported data breaches is very low! https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification
  6. 1. Current data breach scenarios in Australia and New Zealand
     NZ is yet to implement mandatory data breach legislation. It's just a question of time, though.
  7. 2. The legal impacts on organisations and the IT industry
     Privacy Amendment (Notifiable Data Breaches) Act 2016
     [Decision diagram] Do you hold information subject to the legislation? YES: do enough to ensure compliance. NO: business as usual.
  8. 2. The legal impacts on organisations and the IT industry
     The real question to ask is: does your organisation*:
     1. Hold or transact information subject to privacy and data breach notification legislation? or
     2. Have contractual obligations with other parties (e.g. customers, affiliates, business partners) to protect the information they have entrusted to your organisation?
     … if "Yes" or "not absolutely sure", then …
     * Pay careful attention to what legally defines your 'organisation'.
  9. 2. The legal impacts on organisations and the IT industry
     … then consider the following actions (as a minimum):
     1. Review / renegotiate supplier / outsource / cloud provider contracts as needed. What obligations do they have to meet the requirements of the new legislation? Overseas entities? (e.g. Panama)
     2. Review all your terms of sale / customer contracts for existing customers.
     3. Update your privacy policy, then publish it!
     4. If you have inactive or old customer / privacy data that no longer serves a purpose, delete it (i.e. the risk of the 'long tail').
     5. Review the terms of any business continuity, liability and indemnity insurance policies. (While you're there, also Directors' indemnity.)
  10. 2. The legal impacts on organisations and the IT industry
     The legal implications for the IT industry as a whole will vary widely; however, things to consider are:
     • What comprises YOUR organisation's IT ecosystem? Who are the key players and what is their role in mitigating data breaches?
     • What are the relevant IT 'industry bodies' doing to help their constituents? Ask them.
     … and others.
  11. 3. Organisations' responses to the new legislation
     The effectiveness of any legislation is based on considerations such as the:
     1. Deterrence factor
     2. Actual protections afforded under the law, and
     3. Practicalities of enforcing the law.
     If the organisation that suffered a breach had in fact taken 'reasonable steps' to avoid a data breach, the probability of falling foul of the law would be low, i.e. it had implemented and was operating best-of-breed security technologies and business processes.
  12. 3. Organisations' responses to the new legislation
     However, if the organisation "did not take reasonable steps to protect the personal information from unauthorised access*", it may be in breach of the legislation. In such instances, what constitutes "reasonable steps" may be open to interpretation in technologically complex or rapidly changing environments – or both.
     * Obligations under APP11 - https://goo.gl/LazlYl
  13. 3. Organisations' responses to the new legislation
     The bottom line for all organisations subject to breach legislation is to ensure that a well-defined and effective action plan is triggered as soon as a breach has been detected and verified. Failing to do so will significantly increase the likelihood of falling foul of the legislation.
     Implement a breach response capability that:
     • Has an effective listening and proactive detection mechanism
     • Is quick to respond, to identify and close the breach
     • Triggers a well-defined stakeholder notification and remedial action process (customers, media, regulators, etc.)
  14. 4. Best practice and business strategies to deal with data breach prevention
     a) Data breach: don't forget to look within your business
     b) Recognise that systemic risk contributes to data breaches
     c) Leadership, culture, incentives and accountabilities
     d) Integrate IT security with business processes
     e) Build an adaptive Enterprise Strategy and Architecture capability for constant change*
     f) Consider cyber insurance
     g) Legals
     * Read Chapter 1 of the book Adaptive Enterprise Strategy Journey Management
  15. 4a. Data breach: don't forget to look within your business
     - Security is not all about the technology.
     - A rising proportion of adverse cyber security events are coming from within the organisation – some say in excess of 60%.
     - Common causes include:
       • Human error, 'tick the box' security training, a revolving door of part-timers, contractors and short-term employees
       • Poor vendor choices (e.g. consumer-grade cloud)
       • Inappropriate IT and security architectures
       • 'Shadow IT'
  16. 4b. Systemic risk contributes to data breaches
     Move executives' focus from technical risk to systemic risk.
     [Cartoon] Technical risk: "All systems are running perfectly, Captain!" Systemic risk: "What iceberg, Captain?"
  17. 4b. Systemic risk contributes to data breaches
     - The combination of a number of events may adversely impact the whole organisation (or your organisation's ecosystem).
       • This is a systemic view of the enterprise, of which technology is only one element.
     - The conventional approach to managing the 'cyber risk register' – which underpins security certification such as ISO 27001 – often fails to detect systemic risk effectively.
     - A systemic view of cyber risk results in an improved perspective of what the actual business risk is, rather than what you think the risk might be.
     - This requires a multidisciplinary and collaborative approach.
  18. 4c. Leadership, culture, incentives and accountabilities
     Assess and develop strategic leadership competencies for the digital era.
     Are traditional business leadership practices failing today's organisations facing rapid change and technology innovation?
     Industry research* drawn from 3,300 businesses across 106 countries identified a 36% gap between leadership's importance and readiness rating.
     * Bersin, J. (2015), "Global Human Capital Trends 2015", Deloitte University Press. https://goo.gl/HpUYxr
  19. 4c. Leadership, culture, incentives and accountabilities
     Recognise the importance of culture on cyber security capabilities. Can you recognise the signs?
     • Poor staff engagement and satisfaction
     • Adversarial cultures
     • Conflicted and inconsistent decision-making
     • Chronic inefficiency
     • Poor or ineffective cross-functional collaboration
     • A continual state of crisis
  20. 4c. Leadership, culture, incentives and accountabilities
     Review the structure and intent of managerial and staff incentive schemes. Primarily focusing on driving localised, short-term targets can hamper or even undermine the effectiveness of cyber security – enterprise-wide.
     • If cyber security is important for your business and it's seen by business stakeholders as someone else's job, this will be your CEO's starting point in defining executive incentives and business scorecards.
     • Incentives drive temporary compliance. What does that say for developing, operating and maintaining ongoing security capabilities?
  21. 4c. Leadership, culture, incentives and accountabilities
     Define accountabilities for all aspects of information security across the organisation, and at all levels.
     [Chart] N > 400: BDO and AusCERT 2016 Cyber Security Survey, Australia and New Zealand. https://goo.gl/671596
  22. 4d. Integrate IT security with business processes
     Shift from "IT-Business Alignment" to "IT-Business Integration". Likewise with security.
     • By integrating IT security within and across business processes, the context and behaviours of system users and the IT ecosystem as a whole will be better understood.
     • This will improve the sensitivity and speed of detection of unusual events by the business, with the help of IT.
     • This will be a significant mitigating factor against falling foul of mandatory data breach notification laws.
  23. 4e. Adaptive Enterprise Strategy and Architecture for change
     • Enterprises that develop a whole-of-business adaptive business strategy and architecture capability (which in turn drives IT security capabilities) are well equipped to deal with constantly changing:
       • Business value drivers
       • Customer and market requirements
       • External cyber threats
       • Digital and IT ecosystems
     • A proactive, agile and adaptive IT security capability is a critical success factor for organisations dealing with sustained change.
  24. 4f. Consider cyber insurance
     Why not transfer your (residual) risk? Consider these points, however:
     1. Get your house in order first.
     2. Understand your business and its technology ecosystem well.
     3. Meticulously read, understand and test any hypotheses.
     4. Set executives' expectations that cyber insurance is not precise.
     5. Continually reassess the effectiveness of your cyber incident response team and process to minimise contributory negligence.
     6. Peer into your supply chain.
  25. 4g. Legals
  26. 5. Key takeaways
     1. Turn security into a business value driver, not a cost to be minimised.
     2. Effective data breach protection requires a whole-of-organisation approach. It's not just the job of the CIO or CSO.
     3. To assess your readiness, separately ask each of your directors this question: Who will be standing in the courtroom defending our business in the event of a data breach – be that due to legislation or customer contract violation? Then compare your answers.