Not a question of if, but a matter of when: the vulnerability of data in business cyberspace
October was Optus’ month.
The telco’s data breach was the dominant (and infamous) topic in the media – and for good reason. Right now, the sensitive data of almost 10 million Australians strays adrift in cyberspace – and on the hard drives of malicious cyber criminals.
The company languishes, customers attempt to consolidate their data, and investigations continue; as much as $5.5 million is being allocated to “investigate and respond to the Optus data breach” in this year’s federal budget.
Medibank – the private health insurance provider which covers 3.7 million people – joined the club just two weeks ago.
Names. Addresses. Phone numbers. Medicare card numbers. Hospital records. Diagnosis and procedure codes. All these credentials, stolen by cyber criminals.
Unlike the Optus situation, details of the events leading up to Medibank’s breach have come to light with greater transparency.
Disturbingly, an entity gained the login details of a member with high-level access to the organisation. They then masqueraded as the member, extracting the data meticulously.
The first lesson?
When it comes to Cybersecurity, humans are the weakest link.
Lesson number two?
Businesses need to accept the inevitability of cyberattacks and reconsider the amount and types of data they collect and whether, for how long and where they store it.
Gone are the days where a username and password cut it; most websites we come across today recommend enabling two-factor authentication, at minimum. This considered, we should question if it is necessary for businesses to store their client’s most sensitive and intimate information within their databases. To echo the words of the attorney Attorney-General, Mark Dreyfus:
“Companies throughout Australia should stop regarding all of this personal data as an asset for them, they should actually think of it as a liability,” he said.
The concept of digital archives and record keeping was an attractive one until now. Perhaps, a return to filing cabinets and ‘classified’ safes should be on the cards for major corporations. Once a customer has been ID verified, what is the need to keep copies of their passport, medical records or address online? Where there is a genuine need to retain this personal information, shouldn’t the storage of a physical photocopy be better and safer?
Layers of encryption, complex passwords and secure portals are insignificant when we refer back to lesson one – humans are the weakest link, as we know from the Medibank case – and it takes just one moment of complacency, a daydream, or a (well-put-together) phishing email for a staff member to give hackers access to both your staff and your clients’ most sensitive data.
What can you do to mitigate the risks and repercussions of a cybersecurity breach?
With the volatility of corporate cyberspace in mind, it is imperative that you protect your staff and organisation against potential harms.
GRC Solutions offer a suite of courses catering to the needs of organisations both across Australia and internationally. We are the experts in online compliance training, and offer:
- Off-the-shelf courses built with foundations of expansive industry knowledge;
- Custom-built training to suit the specific needs of your organisation;
- The award-winning Salt Compliance LMS, with the new and intuitive Salt Adaptive application and;
- Consultancy services to better understand your business specific requirements.
Click here to view our suite of Privacy and Data Protection courses, including Cybersecurity – non-jurisdictional.