The Australian Notifiable Data Breaches Scheme: Are You Prepared to Comply?

Feb 14, 2018
Author:
Scott Lang
Sr. Director, Product Marketing at BeyondTrust
Australian Notifiable Data Breaches Scheme

This month, the Essential 8 turns one year old, and it’s not an accident that its first anniversary will coincide with the launch of the mandatory data breach notification law in Australia, the Notifiable Data Breaches scheme (NDB scheme). These two acts underscore Australia’s efforts to lift its cyber-security game – but is your organization ready to comply?

What is the Australian Notifiable Data Breaches Scheme, and who does it apply to?

The NDB scheme, established under the Privacy Act 1988, obliges organizations to notify individuals whose personal information has been involved in a data breach that could result in serious harm. Such incidents are called “eligible data breaches” under the Act. All Australian organizations covered by the Act – government, commercial, not-for-profit and others with an annual turnover of $3 million or more – must be prepared to assess a suspected breach and determine whether it is likely to result in serious harm.

Proactive Controls Mitigate Risks

The best way to protect your organisation from the repercussions of a public breach notification is to prevent the breach from happening, or stop the intruders before they cause real damage. Easier said than done, for certain.

Consider a typical attack chain and where its weakest links are. The most common pathway taken by outside attackers, for example, starts with exploiting the perimeter in some way: taking advantage of asset vulnerabilities, phishing, or other social-engineering attacks. Next, the attacker hijacks and exploits privileges or passwords in order to reach the final step – lateral movement toward their ultimate goal, your customers’ private data.

Shrinking the Attack Surface

Overcoming the weak links in the attack chain involves a multi-layered approach to data protection and security, including:

  • Closing perimeter vulnerabilities and gaps through constant scanning, correlation of risks and prioritization
  • Eliminating credential sharing – those highly-privileged accounts in use by administrators and power users
  • Restricting user administrator privileges and monitoring behaviour
  • Monitoring and auditing privileged user sessions and protected files

Adopting the “Essential 8” Mitigation Strategies Recommended by the ASD is a Good Start

The Australian Signals Directorate has identified eight of the most important controls organizations can put in place to mitigate cyber security risks, such as data breaches. This common-sense framework enforces the basics and addresses the weak points in the attack chain noted above, including:

  • Application allow listing
  • Patching applications
  • Restricting administrator privileges
  • Patching operating systems
  • Disabling untrusted Microsoft Office macros
  • Hardening user applications
  • Implementing multi-factor authentication
  • Backing up important data daily

Accomplishing this feat doesn’t have to be gruelling, expensive, or require several vendors. In fact, BeyondTrust’s privileged access management and vulnerability management solutions – unified by a central console – address seven of the eight ASD strategies, including all of the “Top 4.”

Are you ready for the enforcement of the NDB scheme? Start by comparing your cyber security practices against the ASD Essential Eight.
