Australian CISOs urged to take a closer look at data breach risks


Clayton Utz's cyber partner, Brenton Steenkamp, has suffered his fair share of cyber attacks. Returning to Australia in October after a seven-year stint in Amsterdam, he brought home stories of dealing with multiple large ransomware attacks in Europe, as well as the data governance lessons they provided.

Steenkamp said he has observed that many Australian organizations have not yet embraced the “paradigm shift” view of risk around data sets that future data governance requires, and that local CISOs could soon find themselves caught up in the regulators' sights as a new global wave of regulatory action breaks on local shores.

Brenton Steenkamp, Cyber Partner, Clayton Utz. Image: Clayton Utz

He recommends that organizations manage their data sets through measures such as classifying data records better, asking whether data needs to be retained at all, and minimizing data by deleting what is not needed. By involving all stakeholders, CISOs should also be able to present a snapshot of data risk at any time.

Australian organizations fail to address risks to their data holdings

Steenkamp said it was not long ago, as the era of big data took off, that organizations wanted to collect as much information as possible so they would have it available for whatever they needed, such as marketing and sales personalization.

However, there is now a growing realization, encouraged by the rise in data breaches, that this has brought “a new level of risk.” He said organizations get caught out time and again, often unaware of the data they hold, and that their compliance and processes “haven't taken on the risk.”


While he said there is awareness in Australia of the country's Privacy Principles, a lower volume of regulatory action means organizations have not yet “felt the pain” in the form of fines or sanctions, such as CISOs or board members being held personally accountable, so data risks are not yet fully taken into account.

The OAIC case against Australian Clinical Laboratories

One wake-up call is the case brought by the Office of the Australian Information Commissioner (OAIC) against Australian Clinical Laboratories. In that case, the OAIC alleged that the organization, given its size, failed to take reasonable steps to protect personal information from unauthorized access or to adopt a reasonable security posture.

Steenkamp said the case raises two issues. The first is how companies protect the data they possess, the typical domain of the CISO. The second is the effective assessment and management of risk associated with data from a cybersecurity perspective.

Organizations urged to understand the full scope of data risk

According to Steenkamp, Australian organizations need to do a deeper and more holistic assessment of the risks associated with their data sets. If organizations do not understand the risks associated with their data and link them to security, they will have a “disparate point of view that could be risky,” he said.

“It's going to require a whole new approach around risk identification,” he said. “You can't raise the stakes around your security posture if you don't at the same time address the real risk, the risk inherent in the data you have embedded in your organizations and through third parties.”

This will require organizations to take a step back and examine their policies and processes around what risk is, what it means for the data they hold, and how they can take reasonable steps to mitigate that risk. This is also something that will need to be evaluated and implemented on an ongoing basis.

The organizational risks that exist in a world of “assume noncompliance”

In February 2024, hackers successfully breached UnitedHealth, a major US health insurer that processes around 50% of US medical claims. Despite the company paying a ransom, health and personal data of a “substantial portion of people in the United States” was stolen, according to a company statement.

Steenkamp said that while the investigation into the breach is still ongoing, it appears that despite having sufficient security controls in place, the organization was still breached. In situations like this, he said, the question from a risk perspective is: What did they do behind the scenes in terms of data?

If organizations do not address the broader risk aspects of their data holdings and implement data security and governance controls to minimize and mitigate risk, Steenkamp said, the UnitedHealth hack shows that the “viability of the organization is potentially harmed.”

A wave of regulatory and legal action could soon hit Australian shores

A wave of regulatory action could hit Australian shores after currently proposed changes to the Privacy Act become law.

Steenkamp said CISOs could be pursued for negligence in cases where they misrepresent the organization's security preparedness, fail to implement appropriate controls or fail to bring issues to the board's attention.

In some cases, security professionals in foreign markets are reported to be avoiding promotion to CISO roles altogether, for fear that the new responsibilities will expose them to security and organizational data failures that can sometimes seem outside their direct remit or control.

Global cases show movement to crack down on lackluster data governance

Steenkamp said a number of examples from global markets could soon be replicated in Australia.

  • The U.S. Securities and Exchange Commission is prosecuting Uber's former chief financial officer for, among other things, misleading and giving a misleading impression about the company's data risk and security posture, putting large amounts of driver and customer data at risk.
  • The SEC also launched proceedings against SolarWinds CISO Timothy Brown, alleging that he lied to investors when he exaggerated SolarWinds' cybersecurity practices and understated or failed to disclose known risks, which came to light after a major hacking event in 2021.
  • Recently, French regulators fined Google €250 million ($271.73 million) for misrepresentations the company was found to have made about data it was capturing without the consent of French publishers. Google was using the data to train AI models.

“I think this is a serious wake-up call,” Steenkamp said. “There is a tendency around the world, in the United States, but also among regulators in Europe, particularly in continental Europe and Ireland, to take an aggressive stance on the whole data issue.”

Organizations must pass the “reasonable test”

The Australian Securities and Investments Commission has made it clear that, in the event of data breaches, it will seek to lead by example by taking legal action against any board member or executive whose companies are not as prepared as they should be for cyber attacks.

Steenkamp said that ultimately “reasonable evidence” will be the bar Australian organizations must meet. This will require organizations to have understood the specific nature of the data risk landscape they face, to have implemented appropriate measures to safeguard data, or to be taking steps to address any security gaps that have been identified.

Practical steps that can help organizations gain greater control over data risk

There are practical steps IT and security leaders can take to better manage data risk. Steenkamp said “less is now more” when it comes to data, and priorities include a continuous process of knowing what data you have, classifying it and retaining only what you need for as long as you need it.

This point is made clear by the current class action lawsuits against Medibank and Optus following major data breaches at those organizations. The cases concern, firstly, whether adequate security controls were in place to protect the data and, secondly, whether the organizations needed the data at all.

Steenkamp recommended that organizations prioritize steps such as the following:

Improve data classification and retention periods

Organizations should audit and classify the data records across their estate and implement practical guidelines on data retention and deletion. Steenkamp said that, time and again, large data breaches involve data that organizations realize they “would never have kept if they had known.”

Engage in data minimization instead of maximization

Minimizing data risk means minimizing data. Steenkamp recommended leveraging diagnostics and technologies to help identify where data is stored and then minimize it, particularly when it comes to sensitive data, such as health data or personally identifiable information.

Understand the risk well enough to provide a snapshot of it

CISOs and business risk managers should be able to demonstrate or paint a picture of the organization's risk posture related to data at any time. This would show that the organization has addressed the necessary risks and that appropriate measures are being taken to mitigate any potential gaps.

Inform the board of data risks and mitigations

Boards must be informed about the data risk landscape. While it may be tempting to sidestep this by asking whether it is really a legal or board issue, Steenkamp said that if the data is exposed, the first question the board will ask is why it was not informed or given the necessary information about the data risks that existed.
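As an added illustration of the classify, retain-or-delete and snapshot steps above (this is example code, not from Clayton Utz or the article), the Python sketch below classifies constructed sample records by sensitivity, applies assumed retention periods per class, and produces the kind of at-a-glance data risk snapshot a CISO could take to the board. The field names, retention periods and sample records are all assumptions.

```python
import re
from datetime import date, timedelta

# Assumed retention policy in days per classification (not the firm's advice).
RETENTION_DAYS = {"health": 365 * 7, "pii": 365 * 2, "internal": 365}

# Constructed field-name heuristics; a real inventory would use a richer classifier.
SENSITIVE_FIELDS = {
    "health": {"diagnosis", "medicare_no", "pathology_result"},
    "pii": {"email", "dob", "passport_no", "tfn"},
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)


def classify(record: dict) -> str:
    """Return the most sensitive class present: health > pii > internal."""
    keys = {k.lower() for k in record}
    if keys & SENSITIVE_FIELDS["health"]:
        return "health"
    # Also catch PII hiding in generically named fields (e.g. an email in "contact").
    if keys & SENSITIVE_FIELDS["pii"] or any(
        isinstance(v, str) and EMAIL_RE.match(v) for v in record.values()
    ):
        return "pii"
    return "internal"


def snapshot(records, today: date) -> dict:
    """Per-class record counts plus the ids that are past retention and due for deletion."""
    report = {cls: {"count": 0, "overdue": []} for cls in RETENTION_DAYS}
    for rec in records:
        cls = classify(rec)
        report[cls]["count"] += 1
        if today - rec["created"] > timedelta(days=RETENTION_DAYS[cls]):
            report[cls]["overdue"].append(rec["id"])
    return report


# Constructed sample records; no real people or data.
SAMPLE = [
    {"id": 1, "created": date(2015, 3, 1), "name": "A. Citizen", "diagnosis": "redacted"},
    {"id": 2, "created": date(2021, 6, 1), "contact": "a.citizen@example.com"},
    {"id": 3, "created": date(2023, 9, 1), "email": "b@example.com", "dob": "1990-01-01"},
    {"id": 4, "created": date(2022, 1, 1), "ticket": "printer jam"},
]


def example_snapshot() -> dict:
    """Snapshot of the constructed sample as of a fixed date, for repeatable results."""
    return snapshot(SAMPLE, date(2024, 4, 1))


if __name__ == "__main__":
    for cls, info in example_snapshot().items():
        print(f"{cls}: {info['count']} records, overdue for deletion: {info['overdue']}")
```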
