It`s important to pay attention to the way the personal information of your company is secured. If you mishandle the confidential information of your customers, it can cause them a financial or reputational loss and lead to a decreasing of trust and considerable harm to your good name.
So what should you do to maximise protection and minimise the consequences if there is a breach?
At the Australian level, the most useful information is issued by the Office of the Australian Information Commissioner on the one hand and the Defence Signals Directorate (“DSD”) on the other hand.
The Information Commissioner has published a “Guide to securing personal information” (hereafter “the Guide”). This Guide gives some examples of reasonable steps and strategies you should take to protect the personal information you get in order to comply with the security obligations under the Privacy Act 1988. See https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information
What qualifies as reasonable steps to ensure the security of personal information depends on the circumstances, but the Guide sets out nine broad topics which may be appropriate to take into account. They are not intended to be prescriptive or exhaustive and it may not be necessary to take all the steps and strategies. The following list enumerates the nine topics in question.
- Governance, culture and training.
- Internal practices, procedures and systems.
- ICT security.
- Access security.
- Third party providers (including cloud computing).
- Data breaches.
- Physical security.
- Destruction and de-identification.
On the other hand, the DSD has set up a list in a publication called Strategies to Mitigate Targeted Cyber Intrusions. The list is informed by DSD`s experience in operational cybersecurity, including responding to serious cyber intrusions and performing vulnerability assessments and penetration testing for Australian government agencies.
The DSD says that while no single strategy can prevent all malicious activity, the effectiveness of implementing the so-called “Top 4 strategies” remains very high. At least 85% of the cyber intrusions that DSD responds to involve adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package.
Implementing the Top 4 mitigation strategies can be achieved gradually, firstly on workstations of users who are most likely to be targeted by cyber intrusions, and then implementing them on all workstations and servers. Once this is achieved, organisations can selectively implement additional mitigation strategies to address security gaps until an acceptable level of residual risk is reached.
Therefore, every company should at least implement the four first mitigation strategies that follow.
- Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including .DLL files, scripts and installers.
- Patch applications e.g. Java, PDF viewer, Flash, web browsers and Microsoft Office. Patch/mitigate systems with "extreme risk" vulnerabilities within two days. Use the latest version of applications.
- Patch operating system vulnerabilities. Patch/mitigate systems with "extreme risk" vulnerabilities within two days. Use the latest suitable operating system version. Avoid Microsoft Windows XP.
- Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
For more information about the Top 4 strategies as well as the entire list, please have a look at http://www.asd.gov.au/infosec/top35mitigationstrategies.htm.
What is the rest of the world doing?
It can also be interesting to consider foreign regulation concerning cybersecurity.
The US Cybersecurity Framework provides guidance to an organization on managing cybersecurity risk. It can be used to identify and prioritize actions for reducing cybersecurity risk. Moreover, it is a tool for aligning policy, business and technological approaches to managing that risk.
The Framework Core provides a set of activities to achieve specific outcomes and comprises five functions: Identify, Protect, Detect, Respond and Recover. Each of these functions are divided into different categories and subcategories (see Framework for Improving Critical Infrastructure Cybersecurity). Although the Framework is necessarily US centric, it is useful for Australian companies who are serious about their cybersecurity to take this framework into account.
Here is a short review of the five given functions:
- The first function is “Identify”, which means developing the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
- The second one, “Protect”, is about the development and implementation of the appropriate safeguards to ensure delivery of critical infrastructure services.
- The third function “Detect” refers to the implementation of the appropriate activities to identify the occurrence of a cybersecurity event.
- Then, the “Respond” function aims to develop the suitable activities to take action regarding a detected cybersecurity event.
- And finally, “Recover” means to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The more strict EU regulation certainly deserves special attention. The EU wants to apply the same norms, principles and fundamental values both offline and online. The Joint Communication on Cybersecurity Strategy of the European Union reminds us how important safety and security are when it comes to freedom online. It sets out that governments have several tasks to protect the cyberspace, but that private actors also have a leading role.
The EU vision presented in the Joint Communication is articulated in five strategic priorities, addressing the main challenges of the EU.
1. Achieving cyber resilience
The European Commission asks companies to take leadership in investing in a high level of cybersecurity and develop best practices and information sharing at sector level and with public authorities. This needs to be done in the view of ensuring a strong and effective protection of assets and individuals, in particular through public-private partnerships.
In addition, industry should promote awareness at all levels, both in business practices and in the interface with customers. In particular, industry might reflect on ways to make CEOs and Boards more accountable for ensuring cybersecurity.
2. Drastically reducing cybercrime
To reduce cybercrime, companies should improve coordination at EU level
3. Develop industrial and technological resources for cybersecurity
The Commission invites companies to stimulate the development and adoption of industry-led security standards and technical norms and to invest in stronger, embedded and user-friendly security software and hardware.
Furthermore, private and public stakeholders should develop, in cooperation with the insurance sector, harmonised metrics for calculating risk premiums, which would enable companies that have made investments in security to benefit from lower risk premiums.
All of these regulations relating to cybersecurity give an interesting overview of the major features you have to focus on when dealing with personal information. Although the Australian rules remain the most important one, international regulations give some valuable extra information.