Privacy Awareness Week 2024: Tips for organisations to 'Power Up' their Privacy
Avocado is proud to support Privacy Awareness Week (6 to 12 May 2024), an annual campaign led in Australia by the Office of the Australian Information Commissioner (OAIC) that highlights the importance of protecting personal information.
This year’s theme focuses on privacy and technology and the key principles of transparency, accountability and security – but what do these principles mean in practice?
In this blog, Tony Rabottini, GM Cyber Security at Avocado, looks at key points from the OAIC, the most recent data breach statistics, and the proactive privacy measures Avocado recommends you implement within your organisation.
Key privacy points from OAIC
With privacy reform on the way, businesses and other organisations need to make sure they are well positioned to meet the privacy standards customers will expect. The Office of the Australian Information Commissioner promotes ‘powering up’ privacy through three core areas: transparency, accountability and security, as outlined below:
- Transparency: The best privacy practice starts with transparency. If your business is collecting personal information from people, you must be open and transparent about how you will handle it.
- Accountability: Privacy is a human right and it’s one Australians value highly. Maintaining strong privacy practices should be a foundation of your business.
- Security: Power up the security of personal information in your organisation by using the right tools and guarding against known and emerging threats.
Explore the OAIC fact sheet on what you can do to enhance your privacy protections.
Why Privacy Awareness is important - the data breach statistics telling the story
The most recent statistics from the Australian Signals Directorate paint the privacy picture and show the need for transparency, accountability and security. This is especially true for organisations that must uphold Australians' right to privacy and take steps to protect their reputation and revenue.
74 per cent believe data breaches are one of the biggest privacy risks they face today
Around three-quarters of Australians believe that data breaches are one of the biggest privacy risks they face today, with close to half (47 per cent) saying they would close their account or stop using a product or service provided by an organisation that experienced a data breach.
1 in 5 critical vulnerabilities are exploited within 48 hours
Significant breaches result in millions of Australians having their information stolen and leaked on the dark web, such as the recent Latitude breach, which impacted 14 million customers. Attackers move quickly: 1 in 5 critical vulnerabilities are exploited within 48 hours.
34 per cent of data breaches involved exploitation of internet-facing applications
Known vulnerabilities (CVEs) were often exploited, as were human misconfigurations such as unsecured application programming interfaces (APIs), and bugs and flaws in software such as insecure direct object references.
41 per cent of data breaches involve valid accounts and credentials
41 per cent of data breaches involve malicious cyber actors using valid accounts and credentials to access cloud services, local systems or entire networks.
483 data breaches in the last 6 months
The OAIC's data breach report stated that third parties are a growing risk. There were 483 notifications in the past six months relating to direct data breaches, and 121 relating to secondary data breaches, that is, where one company suffers a data breach and another company is affected because it relies on them.
Gartner predicts that by 2025, 30% of critical infrastructure organisations will experience a security breach
Critical Infrastructure is increasingly being targeted for data theft for information-gathering campaigns and disruption, especially through Operational Technology connected to the internet.
Avocado’s privacy measures for your organisation
Given the statistics highlighted above, organisations need to recognise that a data breach may precede the destruction or encryption of data, putting both the business and its customers at risk. An organisational approach should therefore look at overall operational resilience, which includes minimising the potential for a breach. This is especially true for those operating within Critical Infrastructure.
Some proactive privacy measures to enhance organisational accountability and security include:
- Creating secure software: Software supply chains, which include the components, libraries, tools and processes used to develop, build and publish a software artifact, are increasingly at risk without robust security and privacy-by-design considerations, as highlighted by the Okta, SolarWinds and Apache Log4j incidents. Organisations should be assessing the risks in their supply chain, such as malicious code insertion, compromised signing keys, dependency chain attacks, unpatched vulnerabilities, insider threats and lack of transparency. Read more about DevSecOps.
- Mitigating ICT supply chain threats: Most entities have some component of their ICT outsourced to a third party, such as hardware supply, web and data hosting, and software-as-a-service or other enterprise resource planning tools. Third Party Risk Management (TPRM) assesses and manages the privacy risks associated with third-party vendors and service providers. Read more about TPRM.
- Conducting Threat and Risk Assessments: A Threat and Risk Assessment (TRA) is a process used to identify, assess and prioritise potential threats and vulnerabilities to an organisation’s information assets, and to develop financially justified strategies to mitigate those risks. Organisations need to regularly conduct security assessments and testing to identify and mitigate vulnerabilities before they can be exploited by malicious actors. Read our latest case study on remediating security and privacy risks in a complex environment.
- Proactive Breach Response: If you are breached, timely and decisive action is crucial in minimising the impact on individuals and on your organisation's reputation. Organisations should develop a comprehensive incident response plan to address data breaches swiftly and effectively. Real-time monitoring tools support proactive breach response by protecting your dynamic multi-cloud and hybrid environments, including hardware and software, from attacks. These tools have threat detection, incident response, investigation, testing, automation and orchestration capabilities. Read about Observability here.
- Privileged Access and Identity Management: The Australian Signals Directorate Cyber Threat Report 2022-23 highlights how malicious actors use varied and complex techniques, such as escalating privileges and moving laterally across a compromised organisation, to gain access to data. Solutions that protect against unauthorised access and safeguard personal information are critical to incorporate into your cyber strategy. Securing user identities and privileged access to your data is key to strengthening your organisation's defences against cyber threats and data breaches. Read more about Identity Security Solutions here.
- Embed a strong privacy culture: Foster a culture of privacy awareness and responsibility among employees. Provide regular training and resources to empower staff in safeguarding personal data and responding effectively to privacy incidents.
As organisations strive to navigate the evolving privacy landscape, collaboration and partnership with trusted advisors like Avocado Consulting can provide invaluable support and expertise. Avocado Consulting offers comprehensive solutions in these areas, empowering organisations to proactively detect and respond to cyber-attacks while ensuring compliance with privacy regulations.
Together, we can uphold the principles of transparency, accountability, and security, ensuring that privacy remains a top priority in the digital age. Visit the Privacy Awareness Week website to learn more about how your organisation can champion privacy and become a PAW supporter.