Experts in the Media

Thomas Jreige – The West Australian

Cyber Security Expert | CEO/Senior Executive at Shimazaki Management Group

Thomas Jreige: If I give out my data, will it be safe from breaches?

With two major data breaches at Optus and Medibank recently, people have every right to ask, if I give out my data, will it be safe?

The answer is multi-layered and depends on who you’re giving the information to, but I believe as individuals we need to be more careful with our data and as organisations all data should be managed by third-party information experts, not internally.

A data breach occurs when your organisation’s security controls (people, processes, and technology) are insufficient for protecting the information it stores and processes. Regardless of the size of the organisation, the owner or director is responsible for its data.

In the wake of the latest cyber security scandals, many small businesses are probably thinking, “we’re not that big, it won’t happen to us.” Unfortunately, that’s not true. Data breaches can happen to anyone. It has nothing to do with the size of your organisation and everything to do with how easy you are to hack.

As a result of the Optus breach, the Australian Federal Government is considering a change in privacy legislation. Will this be sufficient? Absolutely not.

As part of a proposed change to the Privacy Act, the Government may change the number of records that can be stored about an individual. But why should this be an issue if the organisation implements controls to protect the data in the first place? The number of records stored should not determine the robustness of the security regime. Legislation changes are not going to solve the core problem and raising fines will only increase insurance costs at the end of the day.

Legislation changes won’t solve the core problem.

No matter what processes, legislation, security certifications, auditing and soft controls an organisation has, cybercriminals will continue to compromise them because organisations are often not prepared to do what it takes to battle cybercriminals. Cyber security is implemented within the confines of a budget, which means organisations are already operating with one hand tied behind their back.

Cyber security is currently the responsibility of IT departments. This is because executive teams and business owners are relying on IT to implement controls that will safeguard their information through security tools and processes. In addition, organisations are spending millions of dollars creating security programs to comply with what’s considered best practice standards. But what about small businesses who don’t have the same budgets?

I believe Australia’s cyber security standards are flawed.

Cybercriminals do not care about fancy auditing. Many businesses and consulting firms sell compliance with information security standards as a way to solve security problems. Take Optus as an example. They have countless certifications related to cyber security, yet they were still compromised.

The problem is that humans design standards and humans implement them. Cybercriminals, however, do not adhere to these standards; they make up their own rules and evolve at a faster rate than organisations can keep up with.

Cybercriminals do not care if you possess a certification or are cyber resilient. If they see something they want, they will obtain it by breaking the rules.

Organisations have to think beyond these standards and be creative about cyber threats to stand a chance of being able to beat them.

The stereotype of the hacker outside of your organisation and the malicious insider threat continues to be used. Cybercrime is not limited to this and it’s necessary to understand that cybercriminals think way beyond this. They have an incentive to gain access to your information, so they will resort to any length to accomplish their goal.

Cybercriminals play the long game and work at a rate we are not able to comprehend. To beat them at their own game, we must first shift our mindset.

Cyber security is not always given the attention and urgency it deserves by an organisation, as it’s often viewed as just an IT or risk function rather than a protective function for the entire organisation.

Compliance is achieved through prescriptive audit controls. However, compliance will never win if you are fighting against cybercriminals who operate with a non-conformist and non-compliant mindset.