Posted: 2017-02-24 06:33:31

Australians now have some comfort that they will at least be notified if their online personal data is compromised, and many companies are expected to ramp up cyber security, after federal parliament passed mandatory breach reporting laws.

The legislation requires government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that's likely to result in serious harm.

It follows high-profile delays in people being informed of hacks, including Catch of the Day in 2011 and Ashley Madison in 2015.

The chief executive of Ottawa-based TITUS, Tim Upton, has been in Australia for several weeks. His company last week announced an agreement to provide data protection services to NATO.

Mr Upton said mandatory disclosure had been a "hot topic" during his visit.

"It's going to be a rude awakening for companies because these breaches happen every single day," he said.

"The burden that it's going to put on an enterprise to start tracking, reporting and investigating all of these incidents is going to be enormous, well above the burden of the potential fines that could come out of it.

"Similar legislation is coming into effect next year in Europe. Companies that work in the EU will have to comply with that, and those will also be very costly for enterprises to comply with.

"Document classification is a very visible way of enabling a shift in accountability to the point of creation and also dramatically improves the effectiveness of data leak prevention tools."

Catch of the Day disclosed its leak nearly three years after it occurred, but avoided prosecution because the Office of the Australian Information Commissioner had no power to act.

Mr Upton said up to 97 per cent of data leaks stemmed from human error.

He said the company's tools worked like a spell checker, prompting users to assign a classification, with built-in checks to recognise sensitive topics and keywords.

Clients include the federal police, major banks, Human Services, ATO and Defence.

Mr Upton said giving documents an identity also helped with release of data and disposal.

In Canberra, he said most departments had already implemented email classification.

"That's mature, now there's a realisation that email is the transport mechanism and needs to be protected, but sometimes there are a lot of things that go along with that.

"You wouldn't want to attach a sensitive document to a public email; that would be a data breach. We can prevent that happening before it occurs."

Mr Upton said human oversight was important and that, with increasing demand for open data, classification could assist.

"A lot of organisations try to shut everything down because they don't know what they have," he said.

"If only seven per cent of their data is truly of national security interest, then tag it as that. With the other 93 per cent, let it flow.

"It's about enabling the sharing of information."

Mr Upton said governments could also get smarter about deleting documents that were no longer required.

A 2010 strategy estimated agencies spent about $850 million a year on data centres, using 30,000 square metres of space.

"Many organisations don't know what they have. If they did, then they could make decisions, like what to keep, what to discard, what to share, with whom, and what to protect," Mr Upton said.

"Just like eating an elephant, it's one byte at a time. If they do nothing, and keep the status quo, the problem gets bigger every day with more unknown data being created every day.

"If they start by giving that unstructured data an identity today, then the problem stops growing immediately.

"With time, the legacy data becomes less relevant and a smaller problem, and can be tackled in due course.

"I think over time we will see more organisations doing this in the context of life-cycle management, not just the security context."

Mr Upton wouldn't be drawn on high-profile government IT blow-outs, including Child Support and the tax office, but said removing old or unwanted data could have benefits.

"I believe document storage could be done better if all the documents were labelled," he said.

"I'm not sure of the problems they've had. Most organisations keep everything forever and end up scaling the systems to be really big when maybe they don't need to be quite so big and complicated.

"Data has value. It's the new oil, but it's also a liability, trying to store it, trying to keep it.

"Because storage is theoretically cheap, it seems easier just to keep it, but there comes a point in time if your good data is mixed in with your bad data, it becomes harder to find your good data. 

"If you're supposed to keep something for three years and get rid of it, then get rid of it.

"We've had a few examples of where they [organisations] struggle. They're trying to build these massive systems and they break and governments are not always good at building systems to scale.

"The problem is not really getting rid of data ... it's knowing what to get rid of."
