With so much happening in cyber security around the world lately, we're highlighting some of the interesting stories each week from across Europe, Middle East, Africa and Asia Pacific. This week, we're in Australia to see what's happening with changes to privacy laws...
On March 12th, the Australian Privacy Principles (APP) came into effect, giving privacy laws in the country a lot more teeth. The Australian Information Commission now has the power to prosecute corporations for serious or repeated breaches, with financial penalties of up to $1.7 million. Unfortunately, many Australian businesses are underprepared and struggling to comply with the new requirements. A recent survey of IT managers responsible for security and compliance found that 35% of respondents didn't know that the data privacy laws were being amended.
So what has changed? At a high level, there are now 13 Australian Privacy Principles, compared to the 10 National Privacy Principles previously. The new principles range from providing individuals the option of using a pseudonym, to restrictions around use of personal information for direct marketing purposes. For IT security professionals, changes to requirements for securing personal information may have significant impact. While organisations have always been required to protect personal information from misuse or loss, now they are also required to take “reasonable steps” to protect it from “interference”, i.e. cyber-attacks.
What counts as “reasonable steps” is not explicitly defined in the law; it can vary depending on the size of the organisation and the sensitivity of the data. For example, an organisation that collects personal health or financial information would need to take far more steps than one that only collects names and email addresses. At the very least, all organisations should have basic security technologies and processes in place, such as anti-virus, firewalls, patching, password policies, and user awareness training. Every business is different, from the IT environment setup to the type of information collected, so there is no one-size-fits-all approach to data security. However, here are some general principles that organisations should consider following:
- Identify systems in your environment that contain or have access to personal information; how valuable and/or sensitive is this data?
- Implement a layered defense to secure these systems, including physical, technical and procedural controls.
- Assess the security risk of these systems regularly; are there gaps in your defense that could be exploited by attackers?
- Monitor systems and network traffic continuously to look for indicators of a breach, and have processes in place for investigation.
In today's IT environment, there are many ways that data loss can occur. In addition to risk assessment and monitoring for your on-premise network, you may also need to consider mobile devices, USB drives, off-premise laptops, and cloud services. Find out more about how Rapid7 solutions can help you secure your assets and users across virtual, mobile, private and public cloud networks here.