Data protection laws are enforcing businesses to transform


With the introduction of General Data Protection Rules (GDPR) and the Notifiable Data Breach Scheme (NDB), businesses are waking up to the new reality where they are being held accountable for any attack or breach on their enterprise data. Yet, many businesses still are in the dark about what their response should be and where to even start. However as difficult as it is, they are left with no option but to set up some kind of structural framework to ensure regulatory compliance, even if there is no straightforward guidance available on the Dos and Don'ts.

Coming to terms with the change

As businesses are coming to terms with the new paradigm shift, the Financial Services industry and Healthcare sector are among those being most stringently regulated. Primarily, because of high customer influx, and consequentially high profitability of those sectors. Organizations in general, are mainly concerned about the overall rise in costs due to compliance requirements, such as replacement of IT system infrastructure. Not to mention, there is bound to be more intense regulatory scrutiny. However, the cost of non-compliance could be as high as 3 times of that to comply, and therefore, it is prudent to invest around $5.5M today, instead of incurring approximately $14.8M in fines, penalties and settlements.

Governance framework for ideal transformation

Modern businesses have long been aware of the power of data in today’s digital market landscape. However, what businesses are just beginning to realise is that success of transformation programs are directly tied to operational efficiencies, cost savings and improved customer experiences. Therefore, security, compliance, regulation and legal requirements are all key contributors to the overall stakeholder suite. 

This is precisely why a sturdy governance framework is crucial to execute the transformation program. This entails the adoption of a ‘secure by design’ approach to the program. This approach entails confirming executive sponsorship and accountability, along with an active stakeholder's participation. Starting from there, the program will proceed to develop healthy communication between the teams, while simultaneously implementing a strict control over the changes being made. Early identification and mitigation of risks, before they go on to become an issue, is also essential for successful transformation.

Impact of digital identity on the transformation program   

Whether intentional or not, there is always a fundamental risk associated, wherever there is human involvement. So obviously, it is the first order of business to know the person you are dealing with. Hence, Know Your Customer (KYC) is paramount.

The majority of high-profile attacks on corporate data centres and institutional networks have originated outside of the victimized organizations, in several cases, from halfway across the world. But the network openings that allow outside cyber attackers to burrow in, infect databases and potentially take down an organization’s file servers, are overwhelmingly a result of missteps of trusted insiders.

Thus, it is important to note that even though there are ill-intentioned attacks that might occur due to insider access to sensitive information, there are ample human errors as well.

The Office of the Australian Information Commissioner (OAIC) reported that within one quarter, from 1st July to 30th September 2018, out of 245 cyber-attack email notifications, a good 92 of them were the result of human error. And because 90% of cyber-attacks worldwide start with an email, this example shows that approximately 1/3 of all cyber-attacks succeed because of human error, that is most often not even malicious. The top 5 breaches in the US, reportedly didn’t include malicious attacks, which further underlines this fact.  

Effectiveness of the Insider Threat Program

From an outlook of a transformation program, it certainly makes sense to incorporate an Insider Threat Program as part of the security strategy. Certain regulations in the US, such as Nispom change 2, already mandates the implementation of an Insider Threat program for some organizations. Through this program, businesses can manage malicious, negligent or accidental breaches, by employing appropriate prevention, detection and response mechanisms.

The following four groups of employees are considered the most vulnerable when it comes to cyber threats:

  • Privileged users such as admin and DBA are at the most risk of breaching data.

  • Remote subcontractors are often not able to properly secure their systems, hence risking a data breach.

  • Disgruntled former employees may intentionally breach enterprise data.

  • Inadvertent insiders may end up accidentally sending emails to the wrong people, leading to a data breach. 

According to a Ponemon Institute study, the global average cost of the data breach was up by 6.4% between 2017 and 2018 at $3.8m. It may not seem a lot on the surface, but the average cost of each stolen record with sensitive or confidential information was up by 4.8% in the same period to $148 per transaction. This indicates that the magnitude of the losses depends entirely upon the size of the organisation. Hence, organizations must do everything in their power to avert data breaches, as the consequences could be insurmountable.

At Braintree, we offer online cyber-security and data privacy training programs, as well as self directed risk assessments which recommended mitigation tasks. Our courses are short and easy to follow. They include elements aligned to your organisation and the employee or individual taking the course, so there is something in it for everyone. Find out more.

By: Cindy Nicholson GAICD ACC -

Pioneer of Consumer Centric Digital ID | Digital Transformation | Coach | Training | Mentor | Speaker | Board Member