Hacked... Hacked... Hacked... Oh My!
So now Telstra has been breached! The Shangri La Hotel too. I think this is the start of a new song.
That's two (2) major telecommunication companies and a prestigious hotel in less than a week. Telstra is playing down the compromise and indicating it was not directly compromised: a third-party supplier of Telstra was subject to a data breach in 2017, as reported in external sources. That data breach saw approximately 30,000 records leaked into the public domain.
Where is your information/data stored? It doesn't matter. You, as the risk owner in the organisation, are responsible. When you entrust information to third parties, you are still accountable. You are the one who will front your customers, the press and anyone else wanting answers as to what happened to their information. No matter how severe the data breach is (and between Optus and Telstra, it is chalk and cheese), there is no amount of increased legislation and penalties that will change the root cause of the problem.
The security controls are inadequate to protect the organisation's information/data. We cannot put it any simpler than that.
The Mandatory Data Breach Notification rules and the ASIC rules around reporting data breaches carry hefty fines for an organisation, yet data breaches are still occurring. You will be compromised regardless. Introducing new privacy laws is not an effective control to reduce data breaches if you, as the organisation's risk owner, are not taking control of what is yours. A good analogy is buying a gym membership and exercising hard, yet not eating or sleeping properly.
As we keep saying at Cyber Cerberus, cybercriminals don't care about fancy auditing and privacy laws.
"If there is a vulnerability, they will exploit it!"
"They win because their motivation to compromise is higher than our motivation to take charge and take cyber security seriously."
"It is all about mindset. Are we going to keep making excuses about what we can't do instead of taking action and doing?"
Changing privacy laws and imposing more considerable fines is another way of putting money in someone else's pocket. You still have to fix things regardless of paying the penalty. So do the right thing and be proactive in securing your information and data. The mindset around securing our organisations and applying appropriate controls and governance is critical. Cyber Cerberus takes a very different approach to securing and protecting your organisation, no matter its size. Reach out if you want to know more about how we can help you.