All these articles about the need for proper data security and poor privacy regulation have been said and said again…by me… for years. The coverage is belatedly welcome but does not bode well for serious reform
March 29, 2023
In Greek mythology Cassandra was a Trojan priestess who was fated by Apollo to utter true prophecies which were never believed. When writing on privacy and data security matters on this page over the past 15 years I feel like Cassandra. Raising concerns about poor privacy legislation, ineffective regulation, a lack of proper data security, no training and no risk management has raised not even a shrug. But last year, all of a sudden, journalists and politicians talked and wrote about privacy and data security as if it had appeared with the Christmas Amazon delivery. That has produced some truly trite pieces, such as the Australian’s “Hack attack on all business ‘inevitable’, says Michael Sentonas”. The article could have been written almost a decade ago with almost no changes. But journalists weren’t interested and companies would prefer to deal with the cyber attacks quietly, the Privacy Commissioner was out to lunch and governments had no interest in improving regulation. It is just that now, with 3 massive data breaches, the issue cannot be avoided and this revelatory piece finds its way into a national paper.
It provides:
Australian businesses are being urged to immediately improve their cyber security defences as a cyber expert warned that it was “inevitable” every business would be attacked by wannabe hackers.
The Australian Cyber Security Centre revealed cyber criminals were pouncing “within minutes” of vulnerabilities being discovered, and company boards needed to understand their “crucial role” in ensuring companies invested appropriately to make their networks resilient to attacks.
With some Australians now having had sensitive data stolen three times – as customers of Medibank, Optus and Latitude – the ACSC urged companies to ensure cyber security was a core part of each business’s strategic planning and risk management.
“Companies need to lift their focus and ensure they protect not only their business but the trust of customers,” a spokesperson said.
The comments come after another big Australian company, the Harry Triguboff-founded Meriton, revealed it had been hacked.
Michael Sentonas, president of the global cyber security company CrowdStrike, said every company would be targeted by cyber criminals, and each must take steps to ensure those attacks were not successful.
Asked whether attacks on companies were inevitable, Mr Sentonas said “absolutely”, and businesses needed to prepare accordingly. He said the apparently faster tempo of cyber attacks in Australia in recent months was “business as usual” but there were several dynamics at play.
“You’ve got a strong economy, you’ve got seemingly easy targets so there are a lot of people who are targeting Australian companies for financial benefit,” he said.
“And geo-politically, we have neighbours to our north who don’t necessarily agree with our government’s policies and the positions (it’s) taking.
There are no major instances reported where people have been the subject of fraud as a result of having identification documents stolen, and in some cases posted online. Few, if any, personal medical records stolen from Medibank made their way into mainstream social media.
Mr Sentonas said that did not mean the danger was over, and such hacks “had a long tail.”
“Definitely could happen …. it will get used down the track,” he said. “It doesn’t happen necessarily immediately but here’s the thing: no one is going to go to that much effort and not use the data.
“They’re not going to dump the data and someone else isn’t going to be opportunistic in using it.
“The reality is also that sometimes it’s better for the adversary not to use it straight away because people are on heightened alert.
“So you wait … before you deal with that data or leverage that data maliciously.”
Mr Sentonas would not discuss any individual company’s cyber situation. According to an online case study, CrowdStrike works with Latitude, but the company declined to comment on who its clients were.
Meanwhile, the Tasmanian government confirmed it was investigating claims it had been hacked by Russian cyber gang Cl0P. “The government is aware of these reports and they are being investigated,” a spokesman said.
Crown Resorts continues to investigate what data was accessed by Cl0P, although it has ruled out customer records, while the University of Melbourne has determined the group accessed nothing more than cost codes.
Home Affairs Minister Clare O’Neil said the threat of cyber crime was “relentless” but most cyber attacks could be prevented.
“We share the frustration of millions of Australians who have been involved in recent cyber incidents,” she said.
“Businesses and organisations across the country must work with government agencies to harden their defences.”
There is nothing wrong with what is in the article, but it has all been said for years. The problem is whether governments are willing to give the law proper teeth, have a strong and forceful regulator and be prepared to take action. So far none of that has happened. This year will tell whether the government will properly amend the Privacy Act.
A second piece ponders, in the most basic and general way, whether data laws are ineffective. The SBS piece “The Latitude hack exposed personal details of millions. Are our data laws too lax?” doesn’t even come close to analysing the law and where the problems lie.
The SBS article provides:
Skeeve is a convicted hacker. Here’s what he thinks Australia lacks in cyber security
How has the government responded?
How safe is our data?
A cybercrime is reported every seven minutes in Australia. How can we protect ourselves?