Last year was a difficult year for data privacy and security in Australia. Several high profile, back-to-back data breaches left the majority of Australians
Last year was a difficult year for data privacy and security in Australia. Several high profile, back-to-back data breaches left the majority of Australians having critical identity data exposed, through no fault of their own. The scale of the breaches was so great that it became a political issue. The Australian government’s response was to crack down, hard, and significantly increase the penalties involved in a data breach. The penalties are, now, the greater of these three: $50 million, three times the benefit of a contravention, or (where the benefit can’t be determined) 30 per cent of domestic turnover. This is an effort on the government’s part to pressure organisations into modernising their compliance systems, and make the necessary investments in risk management and data security. However, with the number of reported cybercrimes increasing by 13 per cent to 76,000 in the last year, and Australia tracking to have a deficit of 30,000 cybersecurity professionals over the next four years, it seems unlikely that the breaches will be stopped by the government’s tougher stance. This raises the question; will 2023 see the first $1 billion data privacy fine levelled at an organisation, and, is your business ready for penalties of that kind of scope?
It wouldn’t be the first time such a penalty has been imposed globally. Last year, Luxembourg’s privacy watchdog fined Amazon €746 million (AU$1.17 billion). Now, however, Australia has some of the strictest penalties in the world, and it seems inevitable that at some point a local enterprise will face a similar fine. Not many companies are in the position of Amazon to be able to manage such a fine. For that reason, data privacy, above and beyond security has become a board-level discussion point, and a concern that the entire executive team is expected to shoulder, rather than just the CIO.
For CIOs and badly stretched IT security teams, however, this renewed focus on data privacy is a potential opportunity. Businesses have undertaken transformation to be more cloud-oriented and operate hybrid IT models. Now, the next step is to properly resource the security of such environments, and this will be a two-stage process this year:
1) Firstly, organisations will need to grapple with the skills shortage. This is particularly affecting SMEs, who don’t have the resources to recruit large teams of security specialists at a time where good security professionals command high incomes. Smaller businesses have had a casual approach to security in recent years, but now will look to formalised security strategies too. The result of these trends is that managed security will become a standarised approach for businesses. This is because they will see the value in having a team of security specialists providing 24/7, dedicated security support.
2) Secondly, we’re going to see a split in the rhetoric around data and security. Previously, the terms would be used interchangeably – a data privacy strategy was part of the broad security strategy. However, organisations are increasingly aware that security breaches are less a matter of “if” as “when”, and it’s what happens after the breach that is the big risk as far as those escalating government penalties are concerned. What we’ll see is more dedicated data privacy strategies, relying on zero trust security (to minimise what data a successful cybercriminal is able to access) and with a focus on recovery and data loss prevention solutions. Security will continue to be important as a first line of defence.
However, data privacy will be a separate conversation and matter for the IT team, executive group, and board members to grapple with.
Finally, it is worth noting that, going hand-in-hand with this will be an increased focus on DevSecOps. Many of the successful attacks on enterprises at the moment are coming from criminals targeting the APIs within cloud environments. The proliferation of those APIs, and the generally poor security behind them in many cases, makes them a relatively easy mark. The combination of the zero trust approach and the leveraging of DevSecOps expertise will see security and DevOps brought into closer alignment.
This is something that SMEs might believe they have to worry about less. It is unlikely that they’re leveraging too many APIs, or have a large DevOps team potentially exposing them to the same level of risk as a large enterprise. But here, too, having the support of a managed services provider is critical, because in many cases organisations are unaware of their exact level of exposure. It is usually more than they think. Between insecure APIs (that an SME might be using without even realising it), “dark data” (data within an environment that is not immediately “visible” to the organisation), and the understaffed IT security and DevSecOps teams, many organisations are unaware of just how exposed they really are to be able to form a successful security strategy.
And so one of the most critical functions of managed services providers in 2023 will be in providing a thorough audit of the security environment and risk exposure reporting. This is something that Protectera can help you with, so if you are in any way concerned with the penalties for a data breach, you should start the conversation with us today.