Securing and Protecting Data in the Digital Age

Key considerations to prevent unauthorised access OAIC

 

Several large-scale data breaches in Australia recently highlighted the importance for organisations to constantly review, maintain and adapt their data security and protection measures. The Office of the Australian Information Commissioner (OAIC) was alerted to 396 data breaches involving companies with a revenue of over $3 million during the first half of 2022. With our increasing reliance on technology, organisations must take the necessary steps to protect sensitive data from unauthorised access, use or disclosure.

Dave Tormey, Comtrac’s Chief Technology Officer and Chief Information Security Officer shared his insights into how organisations can safeguard sensitive information from potential threats.

Australian Data Protection Laws and Regulations

Before we discuss the steps organisations can take to protect their data, we need to outline the applicable Australian legislation and its implications.

The Privacy Act 1988 establishes the obligations of organisations in Australia to protect the personal information that they collect, use and disclose. This legislation includes implementing appropriate security measures to protect against unauthorised access or misuse. The Australian Securities and Investments Commission (ASIC) has also issued guidelines on protecting personal information for businesses, including requirements for secure storage and disposal of personal information.

There are also industry-specific data security regulations in Australia. These include the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare sector and the Payment Card Industry Data Security Standard (PCI DSS) for organisations that accept credit card payments.

6 Key Considerations for Securing Organisational Data

In the wake of the 2022 Optus and Medibank data breaches, it is crucial for organisations to implement robust data protection policies and to regularly review and update their security measures.

“There are a number of measures that organisations can implement to proactively address these threats. These include training employees on data security best practices and monitoring for potential vulnerabilities,” according to Dave.

1. Implement strong passwords and password policies

One of the most important steps organisations can take to protect their data is implementing strong passwords and password policies. These measures include using complex passwords that are difficult to guess, requiring employees to change their passwords regularly, and using two-factor authentication whenever possible. It is also crucial to educate employees on the importance of password best practices and to enforce strict policies for password management.

2. Use secure networks and encryption

Organisations should ensure their staff are using secure networks that are protected by firewalls and that any sensitive data transmitted over the internet is encrypted. These security measures provide an additional layer of security that helps in preventing unauthorised access to sensitive information.

For example, Comtrac recently launched a new virtual private network (VPN) connectivity, providing our clients with additional security when using our software for their investigations.

“A VPN is a type of network connectivity that allows devices to connect to a private network over the internet. This connection is secured and encrypted, which helps to protect the data that is transmitted over the network,” outlined Dave.

3. Authenticate API endpoints

Following recent data breaches in Australia, the Australian Cyber Security Centre (ACSC) has recognised weaknesses around Application Programming Interface (API) endpoint authentication as a potential mechanism for breaching corporate systems and obtaining access to sensitive data.

The December 2022 edition of the ASCS Information Security Manual (ISM) added a new security control “to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorised for release into the public domain.”

API endpoint authentication is critical to ensuring that the threat of a breach is mitigated. Penetration testing should be adopted as a standard practice for all systems that are exposing endpoints over the internet.

4. Use secure servers and storage solutions

Another important consideration is the use of secure servers and storage solutions. It is best practice for organisations to regularly back up their servers and storage systems to prevent data loss in the event of a system failure. Organisations should use secure servers and storage solutions compliant with industry standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).

5. Implement data protection policies and procedures

In addition to technical measures, organisations should also consider implementing policies and procedures to protect their data. These policies include employee access to sensitive information, training programs to educate employees on data security best practices, and incident response plans to deal with potential data breaches. For example, Comtrac employees must comply with information security policies and procedures, including those associated with our ISO 27001 and ACSC Essential 8 accreditation.

6. Stay informed about emerging threats and vulnerabilities

Recent data breaches, including those of Optus and Medibank, reinforced the importance for organisations to stay informed about the latest threats and vulnerabilities. This includes regularly reviewing and updating their data security measures, as well as staying informed about new threats and vulnerabilities that may emerge.

“Taking a proactive approach to data security is fundamental to not only to keep an organisational data secure but to reduce the significant operational disruptions that occur as a result of data breaches and other security incidents,” according to Dave.

“Individuals also have a role in protecting personal data from unauthorised access or misuse by being cautious about sharing personal information online and using strong passwords for their accounts,” he added.

By implementing strong passwords and password policies, using secure networks and encryption, using secure servers and storage solutions, implementing policies and procedures, and staying up to date with the latest threats and vulnerabilities, organisations can safeguard sensitive data and protect their operations from potential threats.

Get exclusive insights on investigative best practices, data security and topical content delivered straight to your inbox. Sign up to our newsletter, Comtrac Connect!

John Kilburn

Head of Commercial and Business Strategy

As Head of Commercial and Business Strategy at Comtrac, John is responsible for developing Comtrac’s Partnerships within Public Justice, Government, Regulators and Law Enforcement in Australia and Internationally. He leads a dynamic team that advise heads of investigation, agency leaders, and transformation officers on strategies to revolutionise their digital investigative culture through rationalisation and adoption of new technology.

Following a 27-year career in Law Enforcement specialising in criminal investigations, security intelligence and counter-terrorism, a career change saw a move to commercial relationships, focusing on Digital Intelligence with agencies throughout Australia, New Zealand and the Asia Pacific Region.

With over 30 years of experience in security, public safety and intelligence industry, John is focused on long-term partnerships and guiding agencies that lead to agency growth and increased capability.

Anastasia Lihou

Head of Operations

Anastasia is a seasoned professional with over a decade of experience in operations and customer experience roles across diverse industries. Currently serving as the Head of Operations at Comtrac, Anastasia plays a pivotal role in supporting CEO Craig Doran by spearheading the implementation of strategic programs while overseeing the Professional Services and Customer Experience teams.

Since joining Comtrac in 2022, Anastasia has demonstrated her leadership and strategic planning expertise, contributing significantly to the company’s growth and success. Her extensive background in operations management has equipped her with the skills necessary to drive operational excellence and enhance customer satisfaction. Anastasia’s passion for leadership and talent development is evident through her active involvement in mentorship programs aimed at nurturing emerging professionals. Moreover, her expertise extends beyond the realm of operations, as she is also a trained graphic designer and art director. 

With a keen business acumen and a knack for innovative thinking, Anastasia continues to make strides in her career, leveraging her diverse skill set to achieve organizational objectives and foster a culture of excellence at Comtrac. She remains committed to driving sustainable growth and delivering exceptional value to both internal stakeholders and external clients.

Jason Chase

CTO

Jason joined Comtrac with over two decades of experience designing, building and managing information systems for government and private sector organisations of all shapes and sizes.

He has experience in software design, development, delivery, support, technical leadership, pre-sales support, stakeholder engagement and vendor management. Jason is a technologist at heart, and has a continuing passion for technology to drive business outcomes.

Prior to joining Comtrac, Jason worked with and lead many teams delivering software solutions for Federal, State and Local Government. He has also delivered commercial products in the audio, financial, mining and aerospace industries.

Dave Tormey

CIO/CISO

As the Chief Information Officer (CIO) at Comtrac, Dave leads the technology and data strategy for the organisation. Leveraging Dave’s experience as the former CTO at Comtrac for 9.5 years, he now oversees the organisation’s digital transformation, technology architecture, data management, cybersecurity, and compliance initiatives.

In addition to this and since assuming the role of Chief Information Security Officer (CISO) at Comtrac in January 2021, Dave has overseen the implementation of an ISO 27001-compliant Information Security Management System (ISMS) and successfully led the organisation through an IRAP assessment. This achievement has enabled Comtrac to host Australian government workloads at the PROTECTED level, solidifying its reputation as a trusted partner for both public and private sector entities. Dave’s strategic leadership and dedication to cybersecurity excellence have significantly bolstered Comtrac’s defences in the face of evolving threats.

Dave is passionate about driving digital transformation, fostering a culture of innovation, and building high-performing technology teams. His expertise spans software development, data management, cybersecurity, and strategic leadership, supported by a strong technical background.

Craig Doran

Founder & CEO

Craig Doran has over 22 years of experience in complex investigations from the Qld Police Service within the Fraud & Corporate Crime Unit, State Drug Investigation Group, Property Crime Unit and the Crime and Corruption Commission. During that period Craig received an Assistant Commissioners Certificate for conviction of an international fraud syndicate and later a Commissioners Certificate for the first ever successful dismantling and removal of an outlaw motorcycle gang from Queensland.

From 2008 to 2011, Craig led a team at the Crime and Corruption Commission, designing a digital evidence and brief management system that was quickly accepted by the Director of Public Prosecution Office and resulted in a Corporate Award for the digital transformation of briefs of evidence.

In 2016, Craig became the Founder and CEO of Comtrac. Comtrac is a digital brief of evidence application designed to streamline the criminal justice process by automating the brief of evidence through a digital and brief management methodology known as Elementising Evidence™.