Organisations continue to be at risk from cybersecurity incidents – with each incident potentially costing millions of dollars.
This risk – and cost – is only likely to increase as the social engineering and technical elements of cyber-attacks become more sophisticated. To help organisations respond effectively to these threats, the Australian Cyber Security Centre and the Australian Signals Directorate have developed the "Essential 8" baseline mitigation strategies. According to the ACSC, these strategies can be customised according to each organisation’s risk profile and the cyber threats they are most concerned about.
The "Essential 8" incorporates four mitigation strategies to prevent the delivery and execution of malware. We’ve summarised these here:
The "Essential 8" also features three strategies to limit the extent of cyber security incidents. These are summarised below:
Finally, the "Essential 8" incorporates – as a mitigation strategy to recover data and system availability – backing up important new or changed data, software and configuration settings daily and keeping the backups for three months. This will help an organisation recover from a cyber security incident.
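As an added illustration of the backup strategy described above (this is example code, not from the article or from the ACSC), the following Python script checks a set of daily snapshot names against the two rules the strategy states: a snapshot must exist for every day, and snapshots are retained for three months (assumed here to be 90 days). The snapshot names and dates are constructed for the example; in practice they would be listed from the backup store.

```python
from datetime import date, timedelta

# Assumption: "three months" of retention is treated as 90 days.
RETENTION_DAYS = 90
# Reference date for the constructed example (not a real run).
TODAY = date(2024, 6, 1)


def constructed_snapshots(today=TODAY):
    """Build a constructed list of daily snapshot dates for the example:
    one snapshot per day for the last 120 days, with one day (today-3)
    deliberately missing to show how a missed backup is detected."""
    missing = today - timedelta(days=3)
    names = [
        f"backup-{(today - timedelta(days=n)).isoformat()}"
        for n in range(120, 0, -1)
        if today - timedelta(days=n) != missing
    ]
    return parse_snapshot_dates(names)


def parse_snapshot_dates(names):
    """Parse snapshot names of the form 'backup-YYYY-MM-DD' into dates."""
    return sorted(date.fromisoformat(n[len("backup-"):]) for n in names)


def select_for_pruning(snapshots, today, retention_days=RETENTION_DAYS):
    """Split snapshots into (keep, prune) according to the retention window.
    A snapshot is kept while it is at most `retention_days` old."""
    cutoff = today - timedelta(days=retention_days)
    keep = [d for d in snapshots if d >= cutoff]
    prune = [d for d in snapshots if d < cutoff]
    return keep, prune


def missed_days(snapshots, today, window_days):
    """Return the days in the last `window_days` (up to yesterday) that have
    no snapshot, i.e. days on which the daily backup did not run."""
    have = set(snapshots)
    return [
        today - timedelta(days=n)
        for n in range(window_days, 0, -1)
        if (today - timedelta(days=n)) not in have
    ]


if __name__ == "__main__":
    snaps = constructed_snapshots()
    keep, prune = select_for_pruning(snaps, TODAY)
    print(f"{len(keep)} snapshots within retention, {len(prune)} eligible for pruning")
    for d in missed_days(snaps, TODAY, 7):
        print(f"WARNING: no backup for {d.isoformat()}")
```

The prune list is what a retention job would delete; the missed-day check is the part worth wiring to an alert, because a backup that silently stopped running is only discovered when recovery is attempted.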
Your organisation should strongly consider applying the "Essential 8" as the foundation of a mature, robust cybersecurity strategy. If you would like to learn more, please contact us at firstname.lastname@example.org.
By Roger Carvosso, Product and Innovation Director
Several countries and jurisdictions are increasing the protection afforded to personal information. The European Union’s General Data Protection Regulation (GDPR) is one of the most comprehensive measures worldwide to rebalance the data relationship between individuals and businesses.
The consequences for Australian businesses – of any size – that have an establishment in the European Union, offer goods and services in the European Union or monitor the behaviour of individuals in the European Union are potentially profound.
Under the GDPR data protection requirements – which came into effect on 25 May this year – businesses must meet obligations covering accountability and governance; consent; mandatory data breach notification; expanded rights for individuals; privacy notices; data control and processing; and overseas transfers of personal data.
For example, as a brief from the Office of the Australian Information Commissioner points out, ‘data controllers’ – typically businesses or organisations that decide why and how data should be processed – must advise supervisory authorities within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a high risk to individuals’ rights and freedoms).
If a data breach is likely to result in a high risk to the rights and freedoms of ‘natural persons’, the data controller needs to notify the individual without undue delay – unless exceptions to this notification requirement apply.
Affected businesses also need to be aware the GDPR gives individuals the right to require data controllers to delete their data in some circumstances – including when the information is no longer necessary for the purpose it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.
The penalties for non-compliance are severe – many contraventions can attract fines of up to €20 million or 4% of annual worldwide turnover. For organisations that do business in the European Union and have not fully accounted for GDPR, the message is clear: review data management and control practices against GDPR requirements and, where required, take remedial action as quickly as possible. Talk to Neil or the FirstWave team today on +61 2 9409 7000 to discuss your GDPR requirements.
By Neil Pollock, COO and Head of International