A must-read on data security prepared by Daryll Holland, Portfolio Manager – Privacy & Risk, Education Horizons Group.
As you will probably already be aware, a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Whilst there is a huge focus on hardening company networks against cyber threats to avoid data breaches, the largest threat is still human behaviour. The Office of the Australian Information Commissioner (OAIC) has stated that 37% of data breaches reported in Q3 2018 were the direct result of human error. The most common mistake involved sending personal information to the wrong email recipient. The largest proportion of breaches (57%) related to malicious or criminal attacks; however, half of those were a direct result of phishing attempts. The remaining 6% of breaches were a result of system faults. That puts an interesting perspective on things!
Taking into account the above, I thought it would be useful to recommend some basic points that you can follow in order to protect any personal information in your possession.
1. It might sound obvious but…
- Beware of social engineering. If you didn’t expect the email, chances are it could be a phishing attempt. If you didn’t expect the call, validate the person’s identity and call them back on their registered office number. If you didn’t expect the person, don’t let them in until validated.
2. Be secure
- Beware the dangers of working on public WiFi. Put your laptop away and enjoy your latte instead.
- Always make sure your computer is receiving updates to its antivirus; speak to your IT team if you have any doubts.
3. It’s not just digital
- Be careful what you leave lying around in the office; ensure your desk remains clear of confidential or personal information.
- Always collect your printouts. You will be surprised at what you can sometimes find left on a printer!
- Having visitors is lovely, just be careful what they can see and ensure they are accompanied wherever possible.
4. Get in the habit
- Always lock your computer when you walk away from it, even if it’s for a couple of minutes. It can take seconds for someone to access something they shouldn’t have access to – imagine the consequences in a school environment. Have you ever had to investigate a situation where a student changed their own behaviour record on a staff computer that was left unlocked? I have!
5. Transferring data
- Always transmit data containing personal information securely.
- If you have to use email, then password-protect files that contain personal information before transferring them out of your organisation’s control. Deliver the password via another means, such as a phone call to the individual.
- Double check your To: field and always remember to use BCC if contacting large numbers of people.
6. USB/removable media
- Avoid using USB sticks altogether for storage of any data that contains personal information. With modern cloud technologies at your disposal, think about changing your habits in this area.
- If you have to use a USB stick in your role, consider purchasing an encrypted USB stick. Remember, a lost USB stick with lots of personal information on it could easily become a notifiable breach.
7. Embed security into your work pattern
- Consider security at the start of a project, rather than as an afterthought. A Privacy Impact Assessment is a very good way of risk assessing a project at the early stages and ensuring the necessary security controls are in place to protect personal information.
- Consider keeping a departmental risk register. Using a risk register can help you remain transparent about any security concerns you have and quickly decide on ways to mitigate the risk. It’s also very useful evidence that you are considering security in your work.
8. Get to grips with your passwords
- Consider using a password manager where appropriate and make your passwords suitably complex. On that note, the US National Institute of Standards and Technology (NIST) announced new recommendations on password management last year. In short, they recommend 8-64 characters, not forcing a routine password change, and using a combination of random words instead of your traditional complex password. It will take a while for this to be generally accepted, as it’s a significant change to current practice almost everywhere.
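The NIST guidance summarised above (8-64 characters, no forced composition or rotation rules, random words rather than contrived complexity) is easy to turn into a concrete policy check and passphrase generator. The following is an added example written for this article; it is not code from the author or from Education Horizons Group. The word list and the blocklist of known-bad passwords are constructed stand-ins (a real deployment would use a published diceware-style list and a breached-password feed), and the function names are my own.

```python
import math
import secrets
import unicodedata

# Constructed word list for illustration only. A real deployment would load a
# large published list (thousands of words) so that each word adds real entropy.
WORDLIST = [
    "correct", "horse", "battery", "staple", "river", "lantern",
    "copper", "meadow", "violin", "glacier", "pepper", "orbit",
]

# Constructed blocklist standing in for a list of commonly used or previously
# breached passwords, which NIST recommends rejecting outright.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1"}

MIN_LEN, MAX_LEN = 8, 64  # the 8-64 character range from the article


def check_password(candidate: str) -> tuple[bool, list[str]]:
    """Apply NIST-style rules and return (accepted, reasons_for_rejection).

    Deliberately absent: "must contain a digit/symbol" composition rules and
    any expiry logic. Length is measured after Unicode normalisation so that
    visually identical inputs are judged consistently, and spaces are allowed
    because multi-word passphrases are the recommended form.
    """
    normalised = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(normalised) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(normalised) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if normalised.lower() in BLOCKLIST:
        reasons.append("appears on the commonly-used/compromised password list")
    return (not reasons, reasons)


def generate_passphrase(words: int = 4, separator: str = "-") -> str:
    """Build a random-word passphrase using the OS CSPRNG (secrets, not random)."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits of `words` independent picks from a list of `wordlist_size`.

    Each word contributes log2(wordlist_size) bits; the separator adds nothing.
    """
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for sample in ["Password", "short", "correct horse battery staple"]:
        print(repr(sample), check_password(sample))
    phrase = generate_passphrase()
    print("generated:", phrase, check_password(phrase))
    print("bits from this toy list:", round(passphrase_bits(4, len(WORDLIST)), 1))
```

The numbers make the point about word-list size: four words from the twelve-word list above give only about 14 bits, whereas four words from a 7,776-word diceware list give roughly 52 bits. The generator is the part to keep; the list is the part to replace.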
Finally, did you know:
The maximum penalty that can be issued by the OAIC for a breach of the Australian Privacy Act is 2000 ‘penalty units’, which equates to $420,000. However, failure to comply with the notifiable data breach scheme can attract fines of up to $2.1 million. By contrast, a breach of the European GDPR can attract a fine of up to 20m Euros or 4% of global turnover, whichever is greater. I predict that over time Australia will seek greater parity on the world stage when it comes to privacy law. One thing I’ve learned through watching others struggle with GDPR is that if you aren’t compliant with current law, then the gap to any new regulation will be that much greater.