by James Henderson

Can the channel capitalise on Australia’s new mandatory data breach notification laws?

News
19 Feb 2018
Industry

With the customer impact of impending new legislation unclear in Australia, security-focused partners are assessing ways to capitalise

Within one week, the conversation across the country will have changed, for both customers and partners.

Australia's data breach notification laws -- which will come in effect by 22 February 2018 -- impose mandatory investigation and notification requirements on most businesses with an annual turnover greater than $3 million.

Yet most local IT executives remain unprepared to handle the requirements, creating a need for external guidance and advice.

Step forward the channel, who will be called upon to deliver outcome-driven solutions, solid security insights and unparalleled levels of ongoing service.

"This should have been carried out a long time ago but it's better late than never," F5 Networks manager of northern partners Wade Smith said. "But there's a lot of grey areas around the legislation which means that market education is required.

"Will the government come out with a heavy hand? Will the government seek out a large organisation to make an example of?

"We've seen government laws come out before and they traditionally focused on the top end of town, but this will impact both the mid-market and small business sectors, and they will require the most help because they don't have IT departments or resources. There's huge opportunity for partners to take a leadership position within the market."

Darren Lynn (Outcomex) and Wade Smith (F5 Networks)


Specifically, the new scheme is designed to strengthen the protections afforded to everyone's personal information, while improving transparency in the way that the public and private sectors respond to serious data breaches.

In addition, the move will also give individuals the opportunity to take steps to minimise the damage that can result from the unauthorised use of their personal information.

"Is this simply a case of the government being seen to be doing something?" WebSecure Technologies owner Stewart Sim asked. "The trigger point is that this needs to show significant personal harm and from a legal perspective, what does that mean?

"From a compliance perspective, and cynically speaking, is the government only acting because this is causing a lot of pain for a lot of people?

"Until somebody is impacted and is taken to the cleaners, that is when the market will change."

Currently, the legislation relates to personal information, tax file number information, credit card information, and credit eligibility information deemed to pose "real risk of personal harm".

Despite the government taking an apparent positive step in a bid to fight cyber crime, the legislation has so far received mixed reviews among channel partners.

James Wootton (Intalock) and Robert Pizzari (Trustwave)


"The job of government is to instil confidence," Intalock cyber security leader James Wootton said. "Whether that means they will pay lip service to it, or spout the same line until somebody sticks to it, nobody quite knows at this stage.

"The law is so woolly which creates opportunities for partners because there will be so much case law developed. There are so many ins for the channel to capitalise on this."

Customer impact

With the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 establishing a Notifiable Data Breaches (NDB) scheme in Australia, the initiative requires organisations covered by the Australian Privacy Act 1988 to notify any individuals likely to be at risk of serious harm by a data breach.

This notice must include recommendations about the steps that individuals should take in response to the data breach, alongside notifying the Australian Information Commissioner.

Consequently, organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.

"Most of the customers we work with aren't aware of the legislation," Outcomex security practice lead Darren Lynn added. "Within the past 12 months, they have either forgotten about it or hold the opinion that their security architect is sufficient enough that they can get around the breach requirements.

"The conversation doesn't come up from customers at this stage.

"The government needs to take this step forward but it will take an organisation being hit for any change to occur."

According to the government, the NDB scheme will strengthen the protections afforded to everyone's personal information, while improving transparency in the way that organisations respond to serious data breaches.

This in turn supports consumer and community confidence that personal information is being respected and protected.

Furthermore, it also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

"This could have an impact for a short period of time but it could end up being a blip on the radar," Sophos sales director David Sykes said. "What the government decides to be will determine how impactful this law will be initially.

"I think it will be necessary from a consumer point of view because people need to have confidence. But the conversations we are having with our customers centre on reputation and revenue damage.

"If you're being fined, chances are you have a whole bunch of other problems that are a lot bigger and more expensive to worry about, and that's the conversation that partners should be having."

Louise Bremberg (Meridian IT) and David Sykes (Sophos)


Going forward, recommendations are in place advising organisations to review internal practices, procedures and systems for securing personal information in preparation for the scheme.

But despite a flood of information and awareness, is the end-user prepared?

"One of the scary parts of the industry that we're seeing is the targeting of utility providers, such as water and energy," Trustwave senior vice president Robert Pizzari added. "This represents the fundamentals of how any economy across the world operates and runs.

"If any of those facilities are compromised, then forget about how strong your cyber protection is if you're a bank or ecommerce website, because this will have serious implications.

"The government must be seen to put a platform in place and start a process around education. But it's not just about educating the enterprise, it's also their own departments around having the correct security posture."

Organisations that suspect an eligible data breach may have occurred are required to undertake a "reasonable and expeditious" assessment to determine if the data breach is likely to result in serious harm.

Yet despite directives at government level, many businesses still do not believe such legislation applies to them.

"The mentality that we still see is that organisations don't believe they are at risk," InfoTrust director of enterprise cyber security services Nick Lowe said. "It will take another organisation in a similar vertical or of a similar size to take a hit before they take notice.

Robert Pizzari (Trustwave); Stewart Sim (WebSecure Technologies); Nick Lowe (InfoTrust) and James Henderson (ARN)


"We see businesses of all sizes in the same boat in that respect but the ASX 100 Cyber Health Check report is forcing organisations to think. They can't afford to be exposed in the media, therefore they are now looking for guidance around where to start.

"There's a role for the partner to start from the ground up with the customer to help these businesses prepare, which can be through consultancy services."

Published in April 2017, the ASX 100 report addressed six key areas: understanding the threat, leadership, risk management, awareness of help, cyber incidents, investment and customer data.

Of the top 100 companies invited to participate on a voluntary basis, 76 companies took part, with findings reporting a high level of risk awareness among directors, but gaps in organisational preparedness and resilience.

"Who in the organisation accepts responsibility?" SecureSoft Distribution national business manager Steve Cronan asked.

"What is risk and what level of risk should we accept? And what are we going to do about it when that happens?

"It's very easy to talk about legislation but these are the questions that require answers. It's about continuing the work of the ASX 100 survey, which suggests that there's still a great deal of opportunity for the channel to pursue."


How partners can step up in security

With security risk now an everyday reality for organisations across Australia, customers are facing a daily barrage of malicious cyber activity.

In general, the majority are unsophisticated and unsuccessful, but as countless media headlines demonstrate, the potential for breaches to cause significant reputational and financial damage remains.

Therefore, and as outlined through the ASX 100 report, management teams are spending more time and resources on developing a deeper understanding around how to effectively address cyber risks.

But there is more to be done, with only 11 per cent of boards holding a clear understanding of where the company's key information or data assets are shared with third parties.

Furthermore, and according to ASX 100 findings, just 11 per cent of companies are taking proactive approaches to reassuring investors and customers about the organisation's cyber security.

"We've been working towards this legislation for three years, and engaging with lots of legal firms around this space," Sententia cyber security practice manager Tony Vizza said. "In response, I'm currently completing my law degree because this particular piece of law will be a fascinating way to add value.

Tony Vizza (Sententia) and Ken Pang (Content Security)


"And if you have an IT background also, this will help immensely. There's lots of opportunities for integrators who are skilled in the security space, but I feel for vendors, there is genuine concern in the market.

"Every second day another new vendor enters the market and we're getting flooded in partner land with new opportunities. Vendors must evaluate their value proposition in the market and why they are compelling to both partners and customers."

While 66 per cent of companies in Australia report appropriate levels of security investment, they also acknowledge the need to dive deeper as threats become more frequent and sophisticated.

"Security forms a key part of our business strategy," Meridian IT sales manager Louise Bremberg added. "Our value is around providing the most relevant expertise for our customers.

"We must be able to provide advice and guidance that is valuable to their business in the long run to ensure we remain relevant."

In looking ahead, partner value can be found in the channel chasing opportunities outside of the enterprise market, with mid-market and small businesses struggling to keep pace with legislation and regulations.

"It's a challenge to educate the small to medium sized market and because of that, I see a huge opportunity for the channel to adopt an advisory role," GRC Institute managing director Naomi Burley advised.

Ken Pang (Content Security); Naomi Burley (GRC Institute) and Steve Cronan (SecureSoft)


"There's demand for partners to package up consultancy services because customers of that size are looking for solutions.

"Anyone who is the business owner, chances are they won't have IT departments or risk officers, therefore partners can assume that responsibility.

"Regarding the legislation, this is step one in an approach that is going to take data somewhere else."

But as partners adapt in response to changing market demands, vendors must also step up within the context of security.

"One of our biggest challenges is the notion that when all you have is a hammer, everything looks like a nail," Content Security manager of consulting and pre-sales Ken Pang added.

"There are some vendors out there who are very pushy and are focused only on their own product, and because of this they don't realise that they are part of a larger ecosystem.

"Vendors must become more educated on what cyber security means, and not just what it means for their company."

This roundtable was sponsored by F5 Networks; SecureSoft; Sophos and Trustwave. Photos by Leila Berney.

James Henderson
Editorial Director, Asia-Pacific and Middle East

James Henderson is Editorial Director, Asia-Pacific and Middle East, with a responsibility for developing the content, audience, and partnership strategy for IDG’s channel and enterprise brands across ASEAN, Australia, India, the Middle East, and New Zealand. In his writing work, James specialises in converting global technology trends into local insights, with a specific focus on ASEAN markets.
