Privacy Bill: Act now to minimise data breach risk
With the upcoming amendments to NZ’s Privacy Bill and introduction of Europe’s GDPR legislation, Kiwi businesses must be more proactive to cyber security and data protection.
With the upcoming amendments to the Privacy Bill in New Zealand, and the recent introduction of the General Data Protection Regulation (GDPR) legislation in Europe, New Zealand businesses need to take a more proactive approach to cyber security and data protection, says Barry Brailey.
Recent data breaches have taught us that cybercriminals are increasingly looking for new ways to gain access to data. Credit card details, financial records and personal details of customers are all highly sought after by cyber criminals. If you look behind the ‘curtain’ of the Dark Web, you’ll see data is a very hot commodity – one that sells for top dollar. This is why it is so valuable to cybercriminals and why they are so relentless in their quest to get their hands on it. It’s also why businesses need to be extra vigilant when it comes to protecting the data they hold – both their own, and that of their customers.
With almost every business operating and trading in a digital environment, virtually every New Zealand business is at risk of attack.
In the past, small to medium-sized businesses may have been able to get away with doing the bare minimum. The shift to the cloud – which has a layer of security ‘built in’ – the widespread adoption of firewalls, and the introduction of two-factor authentication have all helped to add a layer of security; however, these protective measures alone aren’t enough anymore.
With the upcoming changes to the Privacy Bill expected to come into effect over the coming year, those businesses that have previously taken a relaxed approach to data protection will be forced to dedicate more thought, time and resource to it.
It’s no longer enough to lock away data and throw away the key. Data needs to be closely monitored and its security should be assessed on an ongoing basis. This is part and parcel for larger businesses, however for smaller businesses that don’t have dedicated resource or budget, it can be challenging.
At Aura Information Security, one question my team and I are often asked is ‘How can I better protect the data held within my business?’ The answer to this may be as simple as reducing the amount of data your business holds.
Less data, less risk
One of the more effective and simple strategies to reduce the risk of data loss is to decrease the amount of data a business is holding in the first place.
It may sound simple but it’s a strategy that is often overlooked – particularly as the declining cost of digital storage makes it very tempting for businesses to retain everything. By keeping only what is necessary, businesses can significantly lower the chance of a breach because, put simply, there is less data to be taken.
An example of this is the personally identifiable data many businesses require to establish the identity of a new customer, for example a scan of a passport or driver’s licence.
Once the customer’s identity has been confirmed, that sensitive data is no longer required and should be deleted from storage. Destroying the data means it can’t be stolen by cyber criminals and the risk to the customer and the business is significantly reduced.
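As an added illustration of the delete-after-verification approach described above (example code written for this article, not Aura’s own tooling), the small store below keeps an identity-document scan only until the customer is confirmed, and a retention sweep purges scans for customers who were never verified within an assumed seven-day window. The class names, fields and the seven-day limit are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class CustomerRecord:
    customer_id: str
    name: str
    received_at: datetime
    id_scan: Optional[bytes] = None   # passport / driver's licence image
    verified: bool = False


class IdentityStore:
    """Holds customer records; the ID scan lives only until verification.

    Assumed design: once identity is confirmed the scan is deleted, so a
    later breach of this store cannot expose it. Scans that are never
    verified are purged after max_unverified_age (assumed 7 days)."""

    def __init__(self, max_unverified_age: timedelta = timedelta(days=7)):
        self.records: Dict[str, CustomerRecord] = {}
        self.max_unverified_age = max_unverified_age

    def onboard(self, customer_id: str, name: str, id_scan: bytes, now: datetime) -> None:
        self.records[customer_id] = CustomerRecord(customer_id, name, now, id_scan)

    def confirm_identity(self, customer_id: str) -> CustomerRecord:
        rec = self.records[customer_id]
        rec.verified = True
        rec.id_scan = None            # sensitive document no longer required
        return rec

    def purge_stale(self, now: datetime) -> List[str]:
        """Delete scans for customers not verified within the window."""
        purged = []
        for rec in self.records.values():
            if rec.id_scan is not None and now - rec.received_at > self.max_unverified_age:
                rec.id_scan = None
                purged.append(rec.customer_id)
        return purged

    def scans_held(self) -> int:
        """Number of ID scans still in storage (the breach exposure)."""
        return sum(1 for r in self.records.values() if r.id_scan is not None)
```

The customer record itself (name, verified flag) is kept; only the high-value document is removed, which is the point of the strategy.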
Plan to be breached
All businesses make appealing targets for cybercriminals and this in turn means all businesses are at risk. Data loss may be the result of a targeted attack, or it could be as simple as an employee leaving an unencrypted laptop in the back of a taxi.
What’s important is the way in which a data breach is managed. How a business responds to a breach will have a lasting impact on a business and its reputation. For this reason it’s important to be prepared and have some sort of incident response plan in place.
Below are some tips on how businesses can ensure they are prepared for a cyber-attack:
1. Create an incident response plan: To be prepared, you first need a plan. CERT offers some basic guidelines on what should be covered and recommended steps to ensure it is as effective as possible. It should be noted, however, that this is not a one-size-fits-all exercise, and time should be invested to ensure the plan matches the specific needs and requirements of the business.
2. Appoint a response team: Developing the plan should identify the people likely to be involved in a response; the next step is to engage those staff and share the plan. This team should include people from a range of different areas including IT, customer relations, communications, legal and senior management. Ensuring each person is aware of their responsibilities means they will be able to respond quickly and effectively in the event of an incident.
3. Test, test, test!: Planning is not a set-and-forget exercise. At the very least, the plan should be tested on an annual basis to determine whether it still meets the requirements of the business. An effective way to do this is to stage a fake breach so the team has a chance to practise. This can be carried out internally or by a third party; for example, Aura Information Security regularly runs simulation exercises for a wide range of businesses to test their response capability and advise on areas for improvement.
What do I do if I’ve been breached?
While your first reaction may be to put your head in the sand, one of the most important things your business should do in the event of a breach is be transparent with its stakeholders.
Through clear and timely communication with customers, businesses can work towards rebuilding trust. If customers can see that an organisation has responded quickly and effectively to an incident, they are much more likely to maintain their relationship. If, on the other hand, they find themselves left in the dark, chances are they will move to a competitor.
If you are breached, it’s also important to stop and assess how it occurred – for example, was it due to a lapse in the security measures that are in place? Is there a need for more staff training? Should data be stored in a different way or in a different location? This information can then be used to ensure any holes in your business’s cyber security defences are plugged.
When to seek help
If your business has fallen victim to a breach, sometimes it’s best to call in the experts. Cyber security professionals live and breathe this sort of thing. We are across the latest techniques being used by cybercriminals and are trained both to help businesses protect their data and to guide them should they be breached.
Barry Brailey is Principal Virtual Security Officer at Aura Information Security.