As organisations across Australia scramble to prepare for the Notifiable Data Breaches scheme, efforts are going into protecting sensitive data from external threats, but what about the threats posed by internal staff?
The insider threat
A recent study from the Ponemon Institute [1] found that 28% of data breaches are caused by a negligent employee, which could include clicking on a malicious link in an email, losing an unencrypted device or even sending an email to the wrong person. One careless mistake by an employee could result in costly fines, reputational damage or lost sensitive corporate information. Most importantly, how would your customers feel if they found out that you hadn’t properly protected their data?
Research conducted by OnePoll on behalf of Egress, the UK-based provider of secure data sharing solutions, found that a third of staff admitted to sending an email to the wrong person and one in four admitted they had intentionally leaked sensitive business information. Neil Larkins, COO at Egress, explains that “While it may cause red faces, accidental or intentional sharing of sensitive information can amount to a data breach and could be taken advantage of by the email recipient.”
Protecting against the insider threat
While investments in anti-virus software, malware scanning, firewalls and endpoint security are important to protect data from malicious outsiders, they do nothing to stop a legitimate user who mistypes an email address, adds the wrong person to a group email, accidentally sends an email to multiple recipients using To/Cc instead of Bcc (so every recipient sees every other recipient’s address) or intentionally sends sensitive information outside of the organisation.
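The failure modes above can be checked for at the point of sending. The following is an added example written for this article, not code from Egress, Toll or any product named here: it inspects an outbound message for an external recipient the sender has never mailed before (a likely mistyped or wrong address), for many visible recipients spanning several external organisations (To/Cc used where Bcc was meant) and for a classified message leaving the organisation. The internal domain `example.com`, the known-contacts list, the recipient limit and the `X-Classification` header are all assumptions chosen for the example, and both sample messages are constructed.

```python
"""Outbound-email checks for the insider failure modes described above.

Added example only. The internal domain, the known-contacts list, the
visible-recipient limit and the X-Classification header are assumptions
made for this example, not settings from any real product.
"""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}           # assumption: the organisation's own domain(s)
KNOWN_CONTACTS = {"alice@partner.example"}   # assumption: external addresses the sender has mailed before
VISIBLE_RECIPIENT_LIMIT = 5                  # assumption: more than this in To/Cc should have been Bcc
CLASSIFIED_LABELS = {"confidential", "restricted"}


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def visible_recipients(msg):
    """Addresses in To and Cc. Every one of them can see all the others."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_outbound(raw_message):
    """Return a list of (finding, detail) tuples for one outbound message."""
    msg = message_from_string(raw_message)
    visible = visible_recipients(msg)
    external = [a for a in visible if domain_of(a) not in INTERNAL_DOMAINS]
    findings = []

    # Mistyped or wrong address: an external recipient the sender has never mailed.
    for addr in external:
        if addr not in KNOWN_CONTACTS:
            findings.append(("unknown_external_recipient", addr))

    # To/Cc used instead of Bcc: many visible recipients from more than one external organisation.
    external_domains = {domain_of(a) for a in external}
    if len(visible) > VISIBLE_RECIPIENT_LIMIT and len(external_domains) > 1:
        findings.append(("external_recipients_visible_to_each_other", len(visible)))

    # Classified content leaving the organisation (assumed classification header).
    label = (msg.get("X-Classification") or "").strip().lower()
    if label in CLASSIFIED_LABELS and external:
        findings.append(("classified_content_to_external", label))

    return findings


# Constructed sample: one known partner, one mistyped domain, a confidential label.
SAMPLE_MISADDRESSED = """\
From: bob@example.com
To: alice@partner.example, carol@exmaple.com
Cc: dave@example.com
Subject: Q3 figures
X-Classification: Confidential

Attached are the unaudited numbers.
"""

# Constructed sample: six visible recipients across three external organisations.
SAMPLE_BULK = """\
From: bob@example.com
To: a@one.example, b@two.example, c@three.example
Cc: d@example.com, e@example.com, f@one.example
Subject: Newsletter

Please see the attached update.
"""

if __name__ == "__main__":
    for name, raw in (("misaddressed", SAMPLE_MISADDRESSED), ("bulk", SAMPLE_BULK)):
        print(name, check_outbound(raw))
```

Each check is deliberately a plain policy rule rather than a model: the point is that the conditions the article lists (a never-seen recipient, a visible recipient list that should have been Bcc, a classified message going outside) are all observable in the headers of the message itself before it leaves the organisation.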
“Data breaches are becoming much more prevalent and organisations are struggling to mitigate the risks caused by unpredictable user behaviour,” says Larkins. “With intelligently applied machine learning and big data analysis, misaddressed emails and the insider threat can become a thing of the past.”
When it comes to insider threats, data breaches and regulatory compliance, a key challenge for organisations is to understand what sensitive data they hold, who has access to it and what security measures can contribute to preventing a breach. By adopting a comprehensive set of solutions such as Email and Document Classifier, Threat Protection, Secure Email and File Transfer, Secure Workspace and Secure Vault, organisations can reduce the chance of unauthorised disclosure of sensitive data – intentional or accidental.
Regulations create new urgency
Australia’s new Notifiable Data Breaches (NDB) scheme comes into effect on 22 February 2018 and will require organisations to notify the OAIC and affected individuals of eligible data breaches that are likely to result in serious harm. The NDB scheme will apply to companies with an annual turnover of more than $3 million and to other entities that already have obligations under the Privacy Act 1988. Any entity that fails to report data breaches could face penalties of up to $360,000 for individuals and $1.8 million for businesses, not to mention significant reputational damage and possible revenue loss.
From 25 May 2018, Australian organisations will face further data protection requirements under the European Union’s General Data Protection Regulation (GDPR). The GDPR may see firms here needing to comply if they have a presence in the EU, offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU, regardless of their size or turnover. While there are some similarities to the NDB scheme, the penalties are even tougher – up to 4% of annual worldwide turnover or €20 million, whichever is greater.
“With the introduction of the NDB scheme in Australia, and EU GDPR this Spring, it has never been more important to get a grip on risk points within our businesses” says Larkins. Talk to Toll today about how SDX can support your compliance efforts.
The Office of the Australian Information Commissioner (OAIC) will oversee the NDB scheme and has published a guide to securing personal information which recommends data encryption as a mitigating factor for breaches. Further information about the NDB scheme can be found on the OAIC's website, which also includes GDPR guidelines for Australian organisations.
[1] 2017 Cost of Data Breach Study: Australia, Ponemon Institute, June 2017