Australia’s new Notifiable Data Breach (NDB) laws came into effect in February this year, raising the prospect of big fines for companies – and individuals – failing to notify the Privacy Commissioner when they are aware private information has leaked into the public domain.
The new laws are timely, given the high tempo of new security threats directed at Australian and international businesses particularly in the last year, with nefarious activity expected to grow exponentially this year and next.
In May this year the General Data Protection Regulation (GDPR) laws come into effect in the EU, requiring similar levels of oversight and accountability for EU companies, as well as for organisations that transact with the economic bloc.
More stringent laws around data protection and IT systems compliance are important as they help contribute to greater peace of mind and certainty for businesses.
But there is a growing tension between this intent and the mounting pressures on today’s CIOs and IT managers to let users essentially do what they want.
Mobile devices, apps and social media platforms have set a course for business communications that could last decades. At the same time technology managers – and the tools of their trade – are factoring more in core business decisions.
Smart applications of mobile and other digital technologies like the cloud have big business implications: Having more connected, engaged and productive workers creates a virtuous cycle of greater productivity, happiness, motivation and creativity.
Therefore, having current and robust policies for things like Bring Your Own Device (BYOD) or Work from Home (WFH) is no longer optional – it is a fundamental business requirement.
So much so that even if a CIO decided they wanted to take back control, it simply wouldn’t work in today’s modern workspace. At best staff would simply go rogue and find their own workarounds, or at worst, leave to work somewhere else that lets them be more ‘themselves’ at work.
BYOD and WFH are the new norms
Now that ideas like BYOD and WFH have evolved from debatable notions to being a fact of life for most businesses, let’s discuss some of the things you, an IT manager, can do to find the right balance between gaining and ceding control at the same time.
It’s important to have the right cultural and behavioural settings within your organisation. Staff should understand their responsibilities, especially when it comes to taking responsibility outside of the office. Losing phones, tablets or laptops on trains or buses simply shouldn’t happen. But when it does, you as the IT manager should retain the capability to wipe that device remotely while it’s in the field.
You also need to develop a rapport and have the trust of your frontline staff so that they’ll likely ask your permission before asking your forgiveness.
All that said, the core elements of a robust security and data breach compliance framework are first-and-foremost technical.
Building for security and for freedom
Californian cyber security firm Fortinet lists six core pillars needed to build a state-of-the-art security architecture:
1. Next generation firewalls
2. Endpoint security
3. Email gateway security
4. Web application security
5. Comprehensive management and reporting
6. Secure access layer
Almost all of these are related, and each addresses a different level of freedom and access. For example, endpoint security is a fundamental consideration for staff working remotely and/or out in the field.
Can devices be properly locked down and controlled? Can security and other applications be managed and updated remotely? Are they able to be wiped of all data if they are lost or fall into the wrong hands?
Web application security is important as staff become more reliant on cloud-based applications, while comprehensive management and reporting is especially important in the dynamic world of mobile.
Fortinet also provides a 5-point checklist to help CIOs better meet their obligations under the new NDB laws:
1. Routinely take inventory of company devices, both authorised and unauthorised.
2. Inventory all the authorised and unauthorised software that is in use across the network.
3. Ensure that all hardware and software configurations are secure.
4. Continuously assess vulnerabilities across the network and remediate any problems found.
5. Carefully control the use, assignment, and configuration of administrative privileges on all devices and software on the network.
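Checklist items 1, 2 and 5 all come down to the same control: reconcile what is actually observed on the network against an approved inventory and report the differences. The script below is an added illustration of that reconciliation, not code from Fortinet, Brennan IT or the article; the approved inventories, the DHCP-style lease lines, the software listing and the admin-group listing are all constructed sample data, and the "endpoint-agent" package name stands in for whatever endpoint security client an organisation mandates.

```python
"""Reconcile observed devices, installed software and admin accounts against
approved inventories. Constructed example; no real data is used."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Approved inventories (constructed). A real deployment would pull these from
# the CMDB, the MDM platform and the identity system rather than hard-coding.
APPROVED_DEVICES: Dict[str, str] = {  # MAC address -> approved hostname
    "aa:bb:cc:00:00:01": "laptop-finance-01",
    "aa:bb:cc:00:00:02": "phone-sales-07",
    "aa:bb:cc:00:00:03": "laptop-hr-03",
}
APPROVED_SOFTWARE: Set[str] = {"office-suite", "vpn-client", "endpoint-agent"}
APPROVED_ADMINS: Set[str] = {"it-admin", "backup-svc"}
REQUIRED_AGENT = "endpoint-agent"  # hypothetical mandated endpoint client

# Constructed observations in a simple "field1,field2" export format.
SAMPLE_DHCP_LEASES = """\
aa:bb:cc:00:00:01,laptop-finance-01
aa:bb:cc:00:00:02,phone-sales-07
de:ad:be:ef:00:09,unknown-android
"""
SAMPLE_SOFTWARE = """\
laptop-finance-01,office-suite
laptop-finance-01,vpn-client
laptop-finance-01,endpoint-agent
laptop-finance-01,torrent-client
phone-sales-07,vpn-client
"""
SAMPLE_ADMINS = """\
laptop-finance-01,it-admin
laptop-finance-01,jsmith
phone-sales-07,it-admin
"""


@dataclass
class Findings:
    unknown_devices: List[Tuple[str, str]]      # (mac, hostname) not in inventory
    unapproved_software: List[Tuple[str, str]]  # (hostname, package)
    unapproved_admins: List[Tuple[str, str]]    # (hostname, account)
    missing_agent: List[str]                    # approved hosts without the agent


def parse_pairs(text: str) -> List[Tuple[str, str]]:
    """Parse 'a,b' lines; skip blanks and '#' comments, reject malformed rows."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip().lower() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"malformed record: {raw!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def reconcile(leases: str, software: str, admins: str) -> Findings:
    """Compare observed devices, software and admins with the approved lists."""
    seen = parse_pairs(leases)
    unknown = [(mac, host) for mac, host in seen if mac not in APPROVED_DEVICES]

    installed: Dict[str, Set[str]] = {}
    bad_sw = []
    for host, pkg in parse_pairs(software):
        installed.setdefault(host, set()).add(pkg)
        if pkg not in APPROVED_SOFTWARE:
            bad_sw.append((host, pkg))

    # Approved devices that are on the network but lack the mandated agent.
    seen_hosts = {host for mac, host in seen if mac in APPROVED_DEVICES}
    missing = sorted(h for h in seen_hosts
                     if REQUIRED_AGENT not in installed.get(h, set()))

    bad_admins = [(host, acct) for host, acct in parse_pairs(admins)
                  if acct not in APPROVED_ADMINS]
    return Findings(unknown, bad_sw, bad_admins, missing)


def run_sample() -> Findings:
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(SAMPLE_DHCP_LEASES, SAMPLE_SOFTWARE, SAMPLE_ADMINS)


if __name__ == "__main__":
    f = run_sample()
    print("Unknown devices:   ", f.unknown_devices)
    print("Unapproved software:", f.unapproved_software)
    print("Unapproved admins: ", f.unapproved_admins)
    print("Missing agent on:  ", f.missing_agent)
```

Each finding maps back to a checklist item: an unknown MAC address is an unauthorised device (item 1), an unlisted package is unauthorised software (item 2), and a local administrator account outside the approved set is an uncontrolled privilege assignment (item 5). An approved device seen without the mandated endpoint client is the case the article's endpoint security pillar is concerned with, and is worth reporting separately because it is the device most likely to end up in a lost-laptop breach notification.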
More information on what Australian companies need to do following the passing of the NDB laws – as well as how to ensure compliance with the EU’s new GDPR laws – is available online at the Office of the Australian Information Commissioner (OAIC) website.
Contact Brennan IT today and book a consultation to discuss your organisation’s requirements for greater mobility and how best to align them with your current legal obligations.