There was a time when governments and their agencies were at the forefront of cyber-security initiatives. However, the number of high-profile data breaches throughout 2015 and 2016 indicates they have picked up some bad cost-cutting or corner-cutting habits.
Similarly, the commercial sector has drawn criticism for “risky” behaviour and a minimalist approach to data security. This is set to change, as across the EU, US and Asia, cyber security regulations are being introduced, sounding the warning: Act or pay the price!
The number of serious data breaches hitting the news shows no sign of slowing down. What is more surprising is that, despite all the best-practice advice, the stolen or lost data is almost always unencrypted! Media and security experts have been calling for more robust network data encryption for years. It doesn’t matter if the breach is the result of an unsecured internet connection, vulnerable systems or networks. The only way to secure the data in the event of a successful breach is with encryption.
Network Device Vulnerabilities
In 2016, data breach analysts reported that the largest increases in data security breaches had been driven by the Internet of Things (IoT) – the network connection of devices such as office equipment, webcams, healthcare equipment and routers, which are vulnerable to cyber-attacks. Whether the IoT-driven breach has resulted in theft of network data or systems data at rest, the impact of such attacks continues to grow.
Increasing Cyber Security Regulations
It seems that national security leaders in the USA, EU, UK and Asia are determined to push hard against poor data security practices and policies. In many cases the security question has shifted from: “What sensitive data should we encrypt when transmitted?” to “Explain why all transmitted data is not encrypted”.
Similarly, reports indicate significant weaknesses in government agencies’ interpretation of data security policy and subsequent poor actions. In the USA, government agencies spent millions of dollars on vulnerable network devices. In Australia, federal agencies fail to encrypt sensitive data transmitted on ‘public’ networks, and the Australian government still lags behind the rest of the world by failing to produce mandatory breach notification legislation.
On the bright side, there are a number of emerging cyber security regulations that are more relevant in today’s connected world. Across the globe, stricter policies and procedures are being introduced that will force organisations of all types to take data security more seriously – or pay the price:
- The UK Information Commissioner fined TalkTalk US$500,000 for a ‘serious consequence’ data breach that reflected a failure to patch its database systems.
- The newly ratified GDPR seeks to establish a clear set of common standards for data protection across all member states and has the power to levy huge financial penalties for companies found to be in breach of the new regulations.
- The UK commenced operation of its new National Cyber-Security Centre in October 2016. Under its charter, the NCSC is expected to act as a single point of contact to coordinate network and information security issues and manage the cross-border relationship with the EU. The objectives include ‘leadership on national cyber-security issues’.
- The UK National Audit Office reported 8,995 data breaches in one year among the 17 largest agencies. It has recommended significant changes to data security responsibilities.
- In the USA, New York state announced cyber-security regulations focused on businesses. These include requirements that businesses “identify data security risks; protect data; detect security events and restore operations”.
- In Australia, Victoria’s Auditor General reported serious risks to railway transport because the control systems are “not secure”, thus posing risks to life and infrastructure.
- Conversely, in Japan, the government is planning to set up an ‘Industrial Cyber-Security Promotion Agency’ specifically to protect Japan’s critical infrastructure.
- In Hong Kong, the Securities and Futures Commission is focused on the cyber-security preparedness and compliance of brokers’ Internet and mobile trading systems.
- The US Commodity Futures Trading Commission has announced expansion of its cyber-security regulations aimed at protecting the markets from cyber-security ‘melt-downs’.
- Singapore announced its new Cyber-Security Strategy which includes collaboration among ASEAN members and other Asia Pacific nations to help ensure effective data security policies.