The Privacy Amendment (Notifable Data Breaches) Bill passed earlier this year, will commence on 22 February 2018 and will require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of a data breach.
Individuals and corporations that fail to comply with the notifications rules risk being fined up to $340,000 and $1.7 million respectively.
The Why, When and Where of Insider Threats report by Forcepoint found that on average, it took 170 days to detect a cyber crime, with the number jumping to 259 days when an insider was involved.
Insider threats are often defined as employees or contractors who have legitimate access to a business’ systems and either use those permissions to maliciously or accidentally expose networks and data.
The report noted that employees were able to side-step security policies or “unwittingly compromise even the most impressive external threat defences”.
Forcepoint CTO of data protection and insider threat, Brandon Swafford, said that because of the large amount of data handled by accountants, practitioners needed to adopt a culture of security to ensure accidental disclosures or malicious fraud from within the firm could be easily identified and stamped out.
“It’s oddly enough the people who don’t think they are doing anything wrong, that people who are just trying to get their job done, like maybe bypassing a control or emailing it through their Gmail account just so it’s easier in their minds. The data is still being disclosed so it’s still a problem,” said Mr Swafford.
“From an accounting perspective there are a lot of issues you can address and talk about that aren’t really malicious in nature but more about just people not really following the rules or not even knowing what the rules are.”
The report noted that one-third of all insider breaches were employees who had access to sensitive data to fulfil their job role.
Mr Swafford, a former US intelligence security advisor to the International Monetary Fund, acknowledged that managing risks were tricky due to human behaviour and intent involved but could be negated with certain strategies.
He suggests that businesses can improve their internal security by diligently understanding their workflow and data residency, creating a culture of security, and ensuring lessons from other case studies have been applied to their practice.
“Understanding human actions at a granular level, what a person did, when they did it is a visibility exercise. Being able to derive intent from those actions is probably the hardest job there is because now you’re trying to proactively understand,” said Mr Swafford.
“A lot of small businesses are organic and just want to grow and get their work done. So part of it is taking a step back and mapping up the workflows, mapping out their data residency, mapping out whether they have any security controls in place, and what makes sense and maybe they can do it themselves or work with consultants to do it for them.”
Jotham Lian is the editor of Accountants Daily, the leading source of breaking news, analysis and insight for Australian accounting professionals.
Before joining the team in 2017, Jotham wrote for a range of national mastheads including the Sydney Morning Herald, and Channel NewsAsia.