Senetas Non-Executive Chairman Francis Galbally was one of hundreds of thousands of customers impacted by the Medibank data breach.
As part of its breach response, Medibank sent letters to its customers, advising them of the remedial action they were taking. Having received this missive, Francis was motivated to write something of his own. What follows is a copy of what was subsequently published in the Herald Sun.
Insuring our data from cyber attacks ahead
I received an email from Medibank not long ago. Many readers would also have received one. For those that did not, let me paraphrase its contents.
Medibank promises to strengthen the way it handles data. It understands that its customers want reassurance that what happened will not reoccur. It has a data protection initiative to enhance security measures. These include multifactor authentication when we call them, 24/7 monitoring to look for suspicious behaviour on its network, and enhanced testing to check its network’s weaknesses. And… there is more to come.
If this is all that a publicly listed company entrusted with the most private information of citizens can offer then its board and senior executives should hang their heads in shame!
It is a BS strategy to pretend that it is taking care of its data. It provides a motherhood statement with no detail. And it fails to address the actual issue that resulted in the failure of Medibank to protect its customers’ data.
All companies with sensitive public data should have multifactor authentication. This was an initiative that banks led more than a decade ago. The failure of Medibank to do this goes to poor corporate governance about its cyber risk profile. 24/7 monitoring is simply BS. It would have already had the systems in place to do so but never used them. Ditto for testing the network. If they didn’t do this in the past, it’s negligence.
What was missed in the latest communication? A total lack of understanding the present cyber security risk environment. I do not want to pick on Medibank, but its own communication makes it a “straw man” for a whole-of-country cybersecurity initiative. Medibank’s failure to protect private data is the thin edge of the wedge.
We have already seen the chaos created by the Optus data breach, plus the loss of identity data from Latitude Financial. Now we hear from Meriton that the personal details of staff and guests have likely been stolen. These issues were known, preventable and the data could have been protected. So why wasn’t it?
I suspect a combination of lack of understanding by boards of the risks, accepting management reports that “all is well” when management did not know (or was incompetent) and a reluctance to spend money on preventing something they never understood was a major risk.
Taking the latter point, cyber security risk management is like insurance. Many of us will self-insure, but that is a personal decision. Corporations and governments hold data relating to third parties. Not just their own. They should never have the option to “self-insure”. They must use best practice to protect the data.
Cybersecurity Minister Clare O’Neil has flagged a cybersecurity policy focusing on securing our economy and critical infrastructure. Government must have a sovereign and assured capability to counter cyberthreats and lead the charge to enhance cybersecurity resilience, particularly in our region.
I would add the need to uplift training and education in cyber awareness and require all ASX companies and private companies who hold sensitive personal data to have a documented cyber risk strategy.
Cybersecurity risks are just another version of the physical security risks we face in our daily lives. They need to be mitigated. We cannot stop a physical attack, but we can mitigate the risk. We use locks and cameras at home. We are cautious about where we walk in the dark. We do not confront people behaving badly etc. And we have insurance in case something goes wrong.
Let’s translate that to the cyber world. All data held by major corporations, government and critical infrastructure providers should be mandated to be encrypted, so that if it were stolen it could not be used. Encryption should be applied to data whether at rest, in motion or in use. It’s simple really. Thieves do not rob houses with installed CCTV, alarms, guard dogs and roving security personnel. Hackers will not bother to attack companies that publicly announce that their data is encrypted. For organisations that hold sensitive information, the encryption needs to be defence grade.
This in turn leads to the question: what next? Technology is constantly changing and one cannot simply rest on having ticked a regulatory requirement. Too often we see this with corporations, and the response from Medibank appears to be just that. There needs to be a requirement for organisations that hold critical data to ensure they continuously apply best cybersecurity practices and publicly report how this is achieved.
Finally, they need to be quantum resistant. Quantum computing is just a few years away and we need to be quantum resilient now. Data that is encrypted today (if not quantum resilient) will be useful to nefarious characters tomorrow once quantum computers are available.
The US and European Commission have already taken legislative action to ensure companies protect against these risks. For example, the US Quantum Computing Cybersecurity Preparedness Act passed in December 2022. Minister O’Neil must ensure that we follow suit.