Give them nothing: Data governance practices to stop hackers in their tracks

By Lisa Cornish, The Mandarin

The high-profile Optus and Medibank Private data breaches made Australia’s vulnerability to hackers plain to the public.

“All parts of the Australian economy are at risk from cyber incidents,” says Professor Matt Warren, director of the RMIT University Centre for Cyber Security Research & Innovation.

“From government, large to small organisations to individual citizens. No one will be immune. This is the new normal.”

The federal government has introduced measures to reduce the likelihood of personal data being exposed, exemplified by the recent Prime Minister Cyber Security Roundtable and the release of the 2023-2030 Australian Cyber Security Strategy discussion paper.

“The government is using Optus and Medibank Private hacks as a rationale to review the existing cybersecurity situation in Australia,” Warren says.

What’s changed since these hacks is the awareness of risk. This has caused a realisation within public and private organisations that they need better practices to reduce their vulnerability.

This includes better data governance standards.

Good data governance and sovereignty practices

Professor Richard Buckland from the University of NSW says it is important organisations review data holdings and governance practices. They should only hold data that is required for business purposes.

“With data lakes and centralised data repositories, there is this idea that all data is required,” says Buckland, who is a professor of cybercrime, cyberwar and cyberterror at the School of Computer Science and Engineering. “But when you start questioning what is needed and what the risk is if that data is exposed, there is a realisation that is not the case.”

To assist organisations in determining data that is needed, Buckland conducts training sessions where he asks participants to draft a media release explaining personal data that has been hacked and why that information was held by them.

“They quickly realise how bad it looks,” Buckland says.

Good data governance practices, he says, mean understanding what is needed, when it is needed and having risk assessments associated with them.

Data should only be held for the time it is needed and destroyed when no longer required. It should only be accessible by people with a need to know, and not open by default in case it is handy in the future. It should also be held in systems where Australian laws and cyber security standards apply.

Australia is moving towards a cybersecurity regulation pathway that organisations will need to comply with based on outcomes of the Australian Cyber Security Strategy discussion paper, which aims to strengthen the system.

“The sovereignty of data is important,” Buckland says. “If you are dealing with a different country, that is different laws and rules.”

This can result in losing control of your own data.
