Hundreds of top-secret Australian Government Cabinet documents were exposed after two locked filing cabinets wound up in a Canberra second-hand furniture shop. No, it is not a script from the political satire Utopia — the leak of the documents to the ABC in February has been tagged one of the biggest security breaches in Australian history. Prime Minister Malcolm Turnbull has branded the incident a “disgraceful act of negligence”.
In the digital era, an old-school “analogue” data breach might seem to come from left field, but it is surprisingly common. In 2017, a 1000-page manual on future security upgrades at Parliament House was lost by external contractor BAE Systems, according to the ABC. In the UK, a lawyer’s papers revealing the personal details of clients facing serious criminal allegations were found in a dumpster. And in Singapore, an employee of ground services company Asia-Pacific Star threw the passenger manifest for a Tiger Airways flight into an airport rubbish bin.
The cost of data breaches to Australian business is substantial. In IBM Security and Ponemon Institute’s 2017 Cost of Data Breach Study: Australia, the average total cost of a breach to a business was $2.5 million. The study found that 48 per cent of breaches were due to a malicious or criminal attack, 28 per cent involved a negligent employee or contractor, and 24 per cent involved system glitches.
Managing data and securing privacy must be top business priorities, and, under the Corporations Act 2001 (Cth), are areas which Australian directors should have particular regard to.
Babette Bensoussan MAICD, founder and director, The MindShifts Group and a world authority on corporate competitive intelligence, says it’s important for directors to reach an understanding with management about what key information must be protected and how employees are kept aware of their roles and responsibilities in safeguarding data.
4 steps for directors: How to keep your data safe
- Identify what information (digital and paper) needs to be protected, and which information would be likely to cause serious harm if it were exposed. This can be done by mapping the processes across all business units to identify operational risks and gauge the risk appetite of the organisation.
- Take measures to ensure data is properly stored, transported and disposed of, and define who is responsible for each step. Use reputable third-party firms.
- Assess your current method of detecting a breach. Do you have the technical expertise to know whether a breach has occurred? Directors need to consider implementing auditing processes, security monitoring systems and firewalls.
- When a breach is detected, how is it reported to the board and then responded to? Ensure your data-breach response plan is relevant and also covers catastrophic events.
“Incidents like these are a reminder for organisations that are sharply attuned to cyber risk not to forget the security of their physical assets,” she says. “Firstly, directors need to work with the executive team to identify what information is confidential and to what extent it needs to remain protected. Secondly, how are documents being disposed of? Shred anything confidential; it’s simple. And when engaging a contractor or third party to handle or transport your data, ensure it is a reputable firm that understands privacy.”
Bensoussan says it’s important not to be naive about corporate espionage and “dumpster diving”, citing two notable cases, Microsoft vs Oracle and Procter & Gamble vs Unilever, in which the companies went after each other’s secrets and IP.
“If you think corporate espionage isn’t happening or your information isn’t out there for the taking, then you’re fooling yourself. Make sure what’s meant to be kept secret, stays secret.”
While misplaced corporate paper files are still a common occurrence, digital data breaches remain a substantial issue. Since 2013, more than 9.2 billion data records have been lost or stolen globally – and that counts only those that were disclosed. Closer to home, the data leaks at the ABS, Red Cross and Equifax, and at several Federal public service departments last November, are only a few of the notable digital data breaches of 2017.
John M Green FAICD, QBE Insurance Group Deputy Chairman, says cyber security, like most security, is exposed to the weakest link. And that can be your own employees. “For example, a study (by Dell and Ponemon Institute) a few years ago (2008) revealed that a huge number of laptops were ‘lost’ in airports: 12,000 in the US alone … not every year, but every week. Scarier still was the data that around 50 per cent of those laptops held confidential information and up to 67 per cent of those either had no security protection at all, or the employees had circumvented or disengaged it,” says Green. “So at the same time these employees were focused on getting themselves a flight upgrade, there’s a chance they were simultaneously degrading their companies’ security and endangering their crown jewels.”
From 22 February 2018, organisations must notify the Office of the Australian Information Commissioner and affected individuals (who may be at risk of serious harm) when they experience an eligible data breach under the Notifiable Data Breaches (NDB) scheme. The new law shifts more of the onus onto directors to oversee data and cyber security.
The NDB scheme applies to all organisations required by the Privacy Act 1988 (Cth) to keep information secure, including businesses with an annual turnover in excess of $3 million, and Australian Government organisations and agencies.
For more information about the NDB Scheme: www.oaic.gov.au.
Are you confident your organisation can protect its data? Take AICD’s half-day Applied Risk Governance course and get a comprehensive overview of risk management at board level. Monday 12 March, Sydney.