Ready, Set, Comply. Are Australian Companies Ready for the Notifiable Data Breach Scheme?
NDB kicks off next week and more than half of organizations say they’re not ready.
With just days to go until Australia’s Notifiable Data Breaches (NDB) scheme takes effect, new research suggests that nearly half of Australian companies haven’t yet implemented the corporate cybersecurity controls and policies needed to comply with the new legislation.
Just 17 percent of the Australian IT decision-makers responding to the iTnews-Mimecast survey said they were ready for the new NDB scheme and felt confident that they could already comply. Another 38 percent said they were confident they would be ready by the deadline.
The remainder said they weren’t confident of their compliance, admitted that it would “be touch and go”, or said they didn’t know much about the legislation.
That legislation imposes strict disclosure requirements on all businesses with turnover of $3m or more – and can impose fines of $360,000 for individuals and $1.8m for organizations that fail to appropriately disclose and act upon data breaches.
The legislation also applies to smaller businesses that provide health services, are contracted to deliver Commonwealth government services, or trade in personal information, among others. This means that every business, regardless of size, should be ready to follow its guidelines and to implement the right cybersecurity tools for data leak prevention and continuous data protection.
Data leak prevention is an integral part of developing a robust cyber resilience strategy, in which appropriate cybersecurity management and controls are implemented to ensure that businesses are protected from potential online security breaches – and can recover quickly in the event of a data leak.
Given the importance of email to today’s organizations, many are naturally focused on email protection software as a core element of their cyber resilience plans. Some 77 percent of respondents said they were investing in email protection, which defends against ransomware and targeted phishing and also protects organizations that are migrating to Microsoft Office 365.
Missing the bigger picture
A truly effective protection regime also requires protection of other parts of the enterprise – and in this respect, Australian companies are proving to be less diligent.
Best practice suggests that adherence to the Australian Signals Directorate’s (ASD’s) Top 4 and Essential Eight guidelines can dramatically improve cyber resilience and ease compliance with NDB’s obligations. However, just 64 percent of companies said they were using patch management, as is recommended in the guidelines to fix software vulnerabilities that could be exploited.
Even fewer were using other ASD-recommended protective measures such as application whitelisting and access control. This lack of basic protections leaves companies on the back foot as they try to stop ransomware, malicious email attachments, advanced persistent threats, and whaling from breaching their data security – and potentially exposing them to sanctions under the NDB scheme.
Cloud email security solutions offer a rapid means of improving data protection and NDB compliance – but they are just one part of the bigger picture when it comes to protecting sensitive personal data.
Apart from the potential direct financial and reputational damage to a company after a breach, the costs and time involved in recovery can be devastating. This is why the findings of the iTnews-Mimecast survey are a wake-up call for every Australian business – and will compound concerns as we near the May implementation date for the even stricter European Union General Data Protection Regulation (GDPR) controls.