Key considerations to prevent unauthorised access OAIC
Several large-scale data breaches in Australia recently highlighted the importance for organisations to constantly review, maintain and adapt their data security and protection measures. The Office of the Australian Information Commissioner (OAIC) was alerted to 396 data breaches involving companies with a revenue of over $3 million during the first half of 2022. With our increasing reliance on technology, organisations must take the necessary steps to protect sensitive data from unauthorised access, use or disclosure.
Dave Tormey, Comtrac’s Chief Technology Officer and Chief Information Security Officer shared his insights into how organisations can safeguard sensitive information from potential threats.
Australian Data Protection Laws and Regulations
Before we discuss the steps organisations can take to protect their data, we need to outline the applicable Australian legislation and its implications.
The Privacy Act 1988 establishes the obligations of organisations in Australia to protect the personal information that they collect, use and disclose. This legislation includes implementing appropriate security measures to protect against unauthorised access or misuse. The Australian Securities and Investments Commission (ASIC) has also issued guidelines on protecting personal information for businesses, including requirements for secure storage and disposal of personal information.
There are also industry-specific data security regulations in Australia. These include the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare sector and the Payment Card Industry Data Security Standard (PCI DSS) for organisations that accept credit card payments.
6 Key Considerations for Securing Organisational Data
In the wake of the 2022 Optus and Medibank data breaches, it is crucial for organisations to implement robust data protection policies and to regularly review and update their security measures.
“There are a number of measures that organisations can implement to proactively address these threats. These include training employees on data security best practices and monitoring for potential vulnerabilities,” according to Dave.
1. Implement strong passwords and password policies
One of the most important steps organisations can take to protect their data is implementing strong passwords and password policies. These measures include using complex passwords that are difficult to guess, requiring employees to change their passwords regularly, and using two-factor authentication whenever possible. It is also crucial to educate employees on the importance of password best practices and to enforce strict policies for password management.
2. Use secure networks and encryption
Organisations should ensure their staff are using secure networks that are protected by firewalls and that any sensitive data transmitted over the internet is encrypted. These security measures provide an additional layer of security that helps in preventing unauthorised access to sensitive information.
For example, Comtrac recently launched a new virtual private network (VPN) connectivity, providing our clients with additional security when using our software for their investigations.
“A VPN is a type of network connectivity that allows devices to connect to a private network over the internet. This connection is secured and encrypted, which helps to protect the data that is transmitted over the network,” outlined Dave.
3. Authenticate API endpoints
Following recent data breaches in Australia, the Australian Cyber Security Centre (ACSC) has recognised weaknesses around Application Programming Interface (API) endpoint authentication as a potential mechanism for breaching corporate systems and obtaining access to sensitive data.
The December 2022 edition of the ASCS Information Security Manual (ISM) added a new security control “to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorised for release into the public domain.”
API endpoint authentication is critical to ensuring that the threat of a breach is mitigated. Penetration testing should be adopted as a standard practice for all systems that are exposing endpoints over the internet.
4. Use secure servers and storage solutions
Another important consideration is the use of secure servers and storage solutions. It is best practice for organisations to regularly back up their servers and storage systems to prevent data loss in the event of a system failure. Organisations should use secure servers and storage solutions compliant with industry standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).
5. Implement data protection policies and procedures
In addition to technical measures, organisations should also consider implementing policies and procedures to protect their data. These policies include employee access to sensitive information, training programs to educate employees on data security best practices, and incident response plans to deal with potential data breaches. For example, Comtrac employees must comply with information security policies and procedures, including those associated with our ISO 27001 and ACSC Essential 8 accreditation.
6. Stay informed about emerging threats and vulnerabilities
Recent data breaches, including those of Optus and Medibank, reinforced the importance for organisations to stay informed about the latest threats and vulnerabilities. This includes regularly reviewing and updating their data security measures, as well as staying informed about new threats and vulnerabilities that may emerge.
“Taking a proactive approach to data security is fundamental to not only to keep an organisational data secure but to reduce the significant operational disruptions that occur as a result of data breaches and other security incidents,” according to Dave.
“Individuals also have a role in protecting personal data from unauthorised access or misuse by being cautious about sharing personal information online and using strong passwords for their accounts,” he added.
By implementing strong passwords and password policies, using secure networks and encryption, using secure servers and storage solutions, implementing policies and procedures, and staying up to date with the latest threats and vulnerabilities, organisations can safeguard sensitive data and protect their operations from potential threats.
Get exclusive insights on investigative best practices, data security and topical content delivered straight to your inbox. Sign up to our newsletter, Comtrac Connect!