Q2 2023 Client Update

Hi Everyone,

It’s been a while since our last update and so much has happened – so let’s dive straight in!


Latest Data Breaches

In February, Fortra's GoAnywhere managed file transfer service was exploited by the Cl0p ransomware gang, resulting in numerous data breaches around the world, including several here in Australia (among them Crown Resorts, Rio Tinto and the Tasmanian Government).

Also in February, The Good Guys warned that up to 2 million of their customers were potentially impacted by a data breach at My Rewards, a former third-party loyalty program provider.

And then in March, the cyber-attack on Latitude Financial (formerly GE Money) turned out to be at least 42 times bigger than initially reported, eclipsing both Medibank and Optus and affecting some 14 million customers, making it one of the largest reported data breaches in Australian history.

Understanding & Preventing Data Breaches

Sadly, just like all data breaches, these latest ones were completely preventable. The cause – human error as always! It still astounds me that so many businesses have an overreliance on assurances from internal or external IT that their existing systems and software are fine, without any attestation (that is, evidence) to back those assurances up.

Whilst there is no silver bullet for protecting a business from an incident or breach, there are numerous simple, strategic processes that businesses can follow to mitigate their risk – with evidence. Sometimes the simplest way I can help others better understand cyber security risk is to think of it like your car. You don't just put fuel in your car and trust that everything else will be fine – do you?

Modern cars have so many safety features and so much technology that assist in keeping us and our loved ones safe. You may have chosen additional safety features such as auto emergency braking, stability control, blind spot warning, lane assist, forward collision mitigation and all-round passenger airbags. You probably take it to a garage or mechanic for regular servicing. You may also take other safety precautions such as ensuring that everyone wears their seatbelt, checking tyre pressure regularly, changing tyres when they're worn, changing the windscreen wipers to ensure they're effective and keeping the reservoir topped up to clean the windscreen.

Finally, you insure the car, not because you're a bad driver, but in case someone else hits you or something unexpected happens. You do all of this to mitigate the risks to you, anyone else in the vehicle and other road users.

Robust cyber security requires a similar, layered approach, commonly referred to as "defence in depth". Assurances that your firewalls, anti-virus, systems and crown jewels are all protected, without attestation, are simply not enough, and in the event of a breach can expose directors and officers to personal liability under Section 180 of the Corporations Act (the duty of care and diligence).

As always, the great news is that businesses can take various proactive measures to assess and mitigate their risk exposure through the development of a clear and measurable cyber maturity strategy. This strategic approach enables businesses to better protect themselves and their stakeholders and, more importantly, mitigate directors' and officers' personal liabilities in the event of a breach.

If you have any concerns or questions relating to your company’s potential exposure, the team and I are here to answer your questions and assist.

Cyber Governance & Good Practices

For those who are only just starting their cyber maturity journey, it can often be daunting, challenging, or perhaps difficult to even know where to start.

The great news is that you don't need to understand technology to protect your organisation. You probably already have a good understanding of risk and how to mitigate it – it's the same approach with cyber risk. Identify the risk across the entire business, from a people, process, information and technology perspective, then ascertain your risk appetite and budget, and strategically and methodically mitigate the identified risks.

ASIC has significantly strengthened its language and stance around boards and businesses needing to take cyber security more seriously or face the consequences. It has listed some strongly recommended "Cyber Resilience Best Practices", which are simple to understand, and I'd encourage you and your board to read more here.

AICD recently released some excellent guidance for boards and senior executives, outlining key Cyber Security Governance Principles. Again, I'd strongly encourage you and your board to familiarise yourselves with this valuable and informative material here.


Privacy Act Review

Australia's Privacy Act was introduced in 1988, and with changes in technology, and in the way businesses collect, store, process, manage and share highly sensitive information, a review has been long overdue.

The highly anticipated Privacy Act Review was recently released by the Federal Attorney-General. It sets out significant proposals to amend the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs). When implemented, these changes will have far-reaching implications for all organisations.

This landmark report proposes many significant changes, including the introduction of more prescriptive privacy rules, a specific focus on online services, and the empowerment of regulators to play a more active enforcement role. The changes largely reflect the European Union's General Data Protection Regulation (GDPR), widely regarded as the high watermark for data protection laws around the world and vigorously enforced in Europe since 2018, with fines imposed on businesses topping €1.526bn (AUD$2.5bn).

Our colleagues at the law firm Minter Ellison have produced a summary of the key proposed reforms, which you can read here.


Training & Awareness

CAT is now running dedicated Board & Executive training, awareness and guidance sessions that assist directors and officers by raising cyber security awareness and literacy, in line with the above guidance from AICD & ASIC. We've also recently introduced tabletop exercises that test an organisation's data breach incident response capabilities against current and common breach scenarios.

Should this be of interest to you and your board, please get in touch with us today.


Privacy Awareness Week 2023

For the 5th year in a row, CAT is a proud supporter of the Office of the Australian Information Commissioner (OAIC) Privacy Awareness Week (PAW). PAW is an annual event to raise awareness of privacy issues and the importance of protecting personal information.

PAW 2023 will be held from Monday 1st May to Sunday 7th May, and this year's theme is all about "back to basics". This is a great reminder for us all to ensure that we get the very basics right, not just within our businesses but also as individuals.

CAT will be providing our customers with some tips on ensuring the basics are in place, and we encourage you to learn more here.


New Partnerships

In our continuous pursuit to provide customers with the broadest, most comprehensive and cost-effective set of cyber services, CAT is proud to announce not one, but two new partnerships this quarter.

The first is with Tenable, the leader in Exposure Management. This partnership strengthens our vulnerability management offerings, enabling our team to continue providing customers with best-in-class cyber security solutions.

This partnership enables CAT to deliver superior vulnerability coverage across a client's entire IT infrastructure, eliminating blind spots and allowing them to prioritise risks and optimise resources while reducing exposure.

Furthermore, CAT can offer the technical and business context needed for faster risk mitigation, improved patch velocity and an overall focus on continuous security improvement.

The second is with Avertro, the world's first Cyber Management Decision System (MDS). As the cyber threat landscape is constantly evolving, many clients, particularly those in the mid-market, struggle to develop an effective cyber security strategy aligned to their risk profile, resulting in limited budgets being spent without achieving key outcomes. Incorporating Avertro's CyberHQ platform into our vCISO offering will give clients greater visibility of their cyber maturity in one platform, whilst maintaining regulatory compliance and optimising their return on security investment.


Conclusion

I appreciate that this was a longer quarterly update and trust you found some of the information and guidance of use.

We always want to ensure we are providing relevant updates, and should there be anything specific you would like us to address in the next update, please feel free to contact the team or me and we'd be happy to engage with you and discuss.

Stay Cyber Safe!

Damian Seaton

Managing Director

Cyber Audit Team 