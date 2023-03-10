Give them nothing: Data governance practices to stop hackers in their tracks

The high-profile Optus and Medibank Private data breaches laid bare, to the public, Australia's vulnerability to hackers.

“All parts of the Australian economy are at risk from cyber incidents,” says Professor Matt Warren, director of the RMIT University Centre for Cyber Security Research & Innovation.

“From government, large to small organisations to individual citizens. No one will be immune. This is the new normal.”

The federal government has introduced measures to reduce the likelihood of personal data being exposed, exemplified by the recent Prime Minister Cyber Security Roundtable and the release of the 2023-2030 Australian Cyber Security Strategy discussion paper.

“The government is using Optus and Medibank Private hacks as a rationale to review the existing cybersecurity situation in Australia,” Warren says.

What has changed since these hacks is awareness of the risk, and with it a realisation within public and private organisations that they need better practices to reduce their exposure.

This includes better data governance standards.

Good data governance and sovereignty practices

Professor Richard Buckland from the University of NSW says it is important organisations review data holdings and governance practices. They should only hold data that is required for business purposes.

“With data lakes and centralised data repositories, there is this idea that all data is required,” says Buckland, who is a professor of cybercrime, cyberwar and cyberterror at the School of Computer Science and Engineering. “But when you start questioning what is needed and what the risk is if that data is exposed, there is a realisation that is not the case.”

To help organisations work out which data they actually need, Buckland runs training sessions in which participants draft a media release explaining which personal data was hacked and why the organisation held that information in the first place.

“They quickly realise how bad it looks,” Buckland says.

Good data governance practices, he says, mean understanding what data is needed and when, and having a risk assessment for each category of data held.

Data should be held only for as long as it is needed and destroyed when no longer required. It should be accessible only to people with a need to know, not open by default in case it proves handy later. And it should be held in systems to which Australian law and cyber security standards apply.

Based on the outcomes of the Australian Cyber Security Strategy discussion paper, which aims to strengthen the system, Australia is moving towards cybersecurity regulation that organisations will need to comply with.

“The sovereignty of data is important,” Buckland says. “If you are dealing with a different country, that is different laws and rules.”

This can result in losing control of your own data.

What does best practice look like?

While there isn’t one ‘best practice’ that works for all organisations – size, sector and context matter – Professor Lyria Bennett Moses, director of the UNSW Allens Hub for Technology, Law and Innovation, says there are practices that help make an organisation aware of the risks and ready to respond.

First, it is critical to have a board, senior executives and other leaders engaged with cybersecurity at a high level.

“That doesn’t mean knowing the technical details,” Moses says. “But it means incorporating cyber and information security into risk management planning.”

For board-level oversight of cyber strategy, ASIC's list of questions for directors is a recommended set of prompts.

Second is a culture and mindset around security: “Thinking like an attacker rather than just understanding the defences.”

Degrees in cybersecurity are helping to supply people who can do just that: think outside the box and methodically test systems for vulnerabilities from the inside. Equally important are drills and tests that measure how robust systems and incident responses actually are, and preparation of the organisation itself for potential attacks.

“Think about training in light of practice,” Moses says. “There is no point telling people not to click on suspicious links. No one clicks on links when they think they are suspicious.

“Instead, change organisational practices so that there are no hidden links in work emails – if that is done, then employees will treat ALL links as suspicious.”
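One concrete way to implement the "no hidden links" practice is to have the mail gateway rewrite every HTML anchor so that its real target sits visibly next to the clickable text, and to flag anchors whose visible text is itself a URL pointing at a different host (the classic phishing trick) or whose target uses a scheme such as javascript:. The Python below is an added example, not code from the article or from UNSW; the regex-based anchor parsing, the sample email and the list of permitted schemes are assumptions made for illustration, and a production gateway would use a proper HTML parser rather than regular expressions.

```python
import html
import re
from urllib.parse import urlparse

# One HTML anchor: group 1 is the href value, group 2 the visible text.
ANCHOR_RE = re.compile(
    r'<a\b[^>]*?\bhref\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)
TAG_RE = re.compile(r"<[^>]+>")
# Scheme prefix such as 'https:' or 'javascript:'. Dots are deliberately
# excluded so that 'host.example.com:8080' is not mistaken for a scheme.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+-]*:", re.IGNORECASE)
URL_LIKE_RE = re.compile(r"^(?:https?://|www\.)", re.IGNORECASE)
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed policy for this example

# Constructed sample message for the demo, not a real email.
SAMPLE_EMAIL = """<p>Hi team,</p>
<p>Please <a href="https://login.example-portal.net/reset">reset your password</a> today.</p>
<p>Policy: <a href="https://intranet.example.com/policy">https://intranet.example.com/policy</a></p>
<p>Payroll: <a href="http://198.51.100.7/p">https://payroll.example.com</a></p>
"""


def _scheme(url: str) -> str:
    """URL scheme in lower case, or '' for scheme-less text."""
    return url.split(":", 1)[0].lower() if SCHEME_RE.match(url) else ""


def _host(url: str) -> str:
    """Lower-cased hostname, treating bare 'www.example.com' text as http."""
    if not _scheme(url):
        url = "http://" + url
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def unmask_links(body: str):
    """Rewrite each anchor as 'visible text [real target]' and return
    (rewritten_body, findings). A finding is (kind, visible_text, href):
    'mismatch' when the visible text is a URL on a different host than the
    real target, 'unsafe-scheme' when the target scheme is not permitted."""
    findings = []

    def rewrite(match):
        href = html.unescape(match.group(1)).strip()
        text = html.unescape(TAG_RE.sub("", match.group(2))).strip()
        scheme = _scheme(href)
        if scheme and scheme not in SAFE_SCHEMES:
            findings.append(("unsafe-scheme", text, href))
        if URL_LIKE_RE.match(text) and _host(text) != _host(href):
            findings.append(("mismatch", text, href))
        if text == href:
            return href  # target already visible, nothing to unmask
        return f"{text} [{href}]"

    return ANCHOR_RE.sub(rewrite, body), findings


if __name__ == "__main__":
    rewritten, findings = unmask_links(SAMPLE_EMAIL)
    print(rewritten)
    for kind, text, href in findings:
        print(f"FLAG {kind}: '{text}' actually goes to {href}")
```

Run against the sample, the password-reset link becomes "reset your password [https://login.example-portal.net/reset]", the intranet link is left as the bare URL because its text already shows the target, and the payroll link is rewritten with its real 198.51.100.7 target exposed and reported as a host mismatch. Applied at the gateway, this leaves employees with nothing to click blindly, which is the point of the practice described above.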

Finally, she says, best practice in an organisation means being aware of legal obligations that relate to cyber, both direct and indirect.

“Understand the legal context for the organisation, including requirements that might relate to particular sectors. Don’t assume there are requirements to retain data – check exactly what the requirements are.”

Despite improved awareness and practices, it is very easy for organisations to slip back into holding unnecessary data.

“It was concerning the number of organisations who received access to the hacked Medibank Private and Optus data for a range of investigation purposes,” Buckland says. “What that means is the data is now in more places and in more hands, and exposed to more risks.”

Determining whether data is needed must always be at the forefront of cybersecurity thinking. And importantly, Buckland adds, best practice means not letting your guard down.

“There will always be risks,” he says. “But continually monitoring, being aware and being prepared will make an organisation better at responding to the risks posed by hackers.”