Most organisations are now aware of the federal government’s mandatory notifiable data breach (NDB) legislation and the penalties associated with failing to comply. Essentially, the scheme aims to give individuals more control over their personal data, so it requires certain businesses to report breaches of that data to the individual concerned as well as to the Office of the Australian Information Commissioner (OAIC). Failing to report a breach can result in financial and civil penalties.
The OAIC’s first quarterly report on Notifiable Data Breaches revealed that private education providers reported six out of the 63 reported breaches since 22 February 2018. A total of 55 breaches were reported in March alone, which is almost two per day.
Schools and other educational institutions in Australia mainly run on open networks, making it easier for cybercriminals to get access to sensitive data. The ramifications of a data breach at a school can range from inconvenient to potentially life-threatening. If a student has suffered from domestic violence, an information breach can deliver enough information for the offender to access the child at school, even if that child is in hiding.
Less sinisterly, but still significantly, cybercriminals could use a child’s stolen details to apply for benefits or conduct other financial fraud. Often, the victims don’t find out until they reach adulthood and begin applying for benefits or loans.
Even an accidental breach can cause problems. It’s easy to send an email with personal details to the wrong recipient, and this could, in many cases, be considered an eligible breach.
If a breach happens because information is left lying around, or because a student improperly accesses school systems, the effects on individual students can be devastating. Having the details of their grades and special needs shared around the school can lead to bullying and ostracisation for vulnerable students. All of these potential consequences make it absolutely vital for education providers to secure information properly.
The NDB scheme applies to all government agencies and businesses already required to comply with the Privacy Act, which includes businesses and not-for-profit organisations with an annual turnover of more than AU$3 million. It also covers any business that collects and stores personal information such as education records, tax file numbers, or health records.
The Australian scheme is being mirrored around the world. For example, Europe’s General Data Protection Regulation (GDPR) includes similarly stringent requirements for businesses to take all reasonable steps to keep confidential information secure. The GDPR extends to any business interacting with businesses or individuals in Europe, so Australian businesses need to be aware of their responsibilities under this regulation. In New Zealand, data breach notification is expected to become mandatory at some point but no details are confirmed yet.
While this need to be aware of and comply with regulations from around the world can seem overwhelming, there is one sure way to avoid falling foul of the regulations. Education institutions need to put all of their cybersecurity efforts towards preventing breaches from happening in the first place, rather than only looking to mitigate breaches after they’ve happened.
There are five key steps organisations should take now that the NDB scheme is in full effect:
1. Understand and map out what data the business holds
Companies collect and store data across any number of locations, so auditing the data held within the business is an important step towards complying with the scheme. It’s essential to know where the data resides (on-premise or in the cloud), who has access to it, what protections are in place, and whether there are any vulnerabilities that need to be addressed.
2. Implement security controls including educating employees
Securing individuals’ data is at the nub of NDB legislation, so it’s incredibly important to select and implement the strongest possible security controls to prevent unauthorised access to data from both within the organisation and by external parties.
The large proportion of data breaches caused by human error highlights the ongoing need to ensure all team members are well educated about their responsibilities when it comes to securing data. There are many basic steps people can take to protect the organisation’s data, including not clicking on suspicious email links, not plugging unknown devices into the network, and keeping passwords secret. However, team members don’t necessarily know about these fundamentals of security unless they’re told explicitly and reminded regularly.
3. Develop data breach prevention measures
Preventing data breaches is crucial, so proper cybersecurity measures are essential. This involves four key elements:
- Gain complete visibility into all traffic across the network, endpoint and the cloud, classified by application, user and content. Complete visibility provides the context to enforce dynamic security policy.
- Reduce the attack surface, which is expanding rapidly as companies’ use of applications and devices proliferates through SaaS, cloud, and IoT. A positive security model reduces the attack surface by enabling only specific, allowed applications for the right users while denying everything else.
- Prevent known threats such as commodity information-stealing Trojans, malware and application exploits. Look for security offerings that control threat vectors through granular management of all types of applications. This immediately reduces the attack surface of the network, after which all allowed traffic is analysed for exploits, malware, malicious URLs, and dangerous or restricted files or content.
- Prevent unknown threats through collective threat intelligence. Global information sharing makes unknown threats quickly known and, therefore, preventable. Automated responses are ideal because manually responding takes too long and increases the risk of exposure, whereas an automated response can outrun the threat.
4. Test, review, and improve
Because cyberthreats are constantly evolving, it’s essential that any security measures and plans evolve just as rapidly. Businesses must regularly test security systems and processes to ensure they are still relevant and active, and must ensure team members are well aware of their responsibilities regarding information security.
5. Develop a response plan
Despite an organisation’s best efforts, cyberbreaches can still happen, so it’s important to have a plan in place to deal with these incidents as swiftly and effectively as possible. A plan should outline the roles and responsibilities of people in the organisation, the processes for notifying affected individuals and the OAIC, and the steps that need to be taken to mitigate the attack. Being well prepared will make the difference between handling a data breach effectively while minimising the damage, and being caught in a crisis.
Regardless of whether an organisation is officially subject to the NDB scheme, it makes good business sense to demonstrate to customers that the business is committed to keeping their information secure.
Following these steps will help organisations minimise the risk of a successful attack and respond effectively if an attack does occur.