The Times Australia
The Times World News

.
Times Media

.

Why do organisations still struggle to protect our data? We asked 50 professionals on the privacy front line

  • Written by Jane Andrew, Professor, Head of the Discipline of Accounting, Governance and Regulation, University of Sydney Business School, University of Sydney

More of our personal data is now collected and stored online than ever before in history. The rise of data breaches should unsettle us all.

At an individual level, data breaches can compromise our privacy, cause harm to our finances and mental health, and even enable identity theft.

For organisations, the repercussions can be equally severe, often resulting in major financial losses and brand damage.

Despite the increasing importance of protecting our personal information, doing so remains fraught with challenges.

As part of a comprehensive study[1] of data breach notification practices, we interviewed 50 senior personnel working in information security and privacy. Here’s what they told us about the multifaceted challenges they face.

Read more: The Australian government has introduced new cyber security laws. Here's what you need to know[2]

What does the law actually say?

Data breaches occur whenever personal information is accessed or disclosed without authorisation, or even lost altogether. Optus[3], Medibank[4] and Canva[5] have all experienced high-profile incidents in recent years.

Under Australia’s privacy laws[6], organisations aren’t allowed to sweep major cyber attacks under the rug.

People walking in front of an Optus store
Optus suffered a major data breach in 2022. Detail from Bianca De Marchi/AAP[7]

They have to notify both the regulator – the Office of the Australian Information Commissioner (OAIC) – and any affected individuals of breaches that are likely to result in “serious harm[8]”.

But according to the organisational leaders we interviewed, this poses a tricky question. How do you define serious harm?

Interpretations of what “serious harm” actually means – and how likely it is to occur – vary significantly. This inconsistency can make it impossible to predict the specific impact of a data breach on an individual.

Victims of domestic violence, for example, may be at increased risk when personal information is exposed, creating harms that are difficult to foresee or mitigate.

Enforcing the rules

Interviewees also had concerns about how well the regulator could provide guidance and enforce data protection measures.

Many expressed a belief the OAIC is underfunded and lacks the authority to impose and enforce fines properly. The consensus was that the challenge of protecting our data has now outgrown the power and resources of the regulator.

As one chief information security officer at a publicly listed company put it:

What’s the point of having speeding signs and cameras if you don’t give anyone a ticket?

A lack of enforcement can undermine the incentive for organisations to invest in robust data protection.

Only the tip of the iceberg

Data breaches are also underreported, particularly in the corporate sector.

One senior cybersecurity consultant from a major multinational company told us there is a strong incentive for companies to minimise or cover up breaches, to avoid embarrassment.

This culture means many breaches that should be reported simply aren’t. One senior public servant estimated only about 10% of reportable breaches end up actually being disclosed.

Without this basic transparency, the regulator and affected individuals can’t take necessary steps to protect themselves.

Closeup person holding credit card using laptop
Affected individuals can’t take steps to protect themselves if breaches aren’t reported. Yuri A/Shutterstock[9]

Third-party breaches

Sometimes, when we give our personal information to one organisation, it can end up in the hands of another one we might not expect. This is because key tasks – especially managing databases – are often outsourced to third parties.

Outsourcing tasks might be a more efficient option for an organisation, but it can make protecting personal data even more complicated.

Interviewees told us breaches were more likely when engaging third-party providers, because it limited the control they had over security measures.

Between July and December 2023 in Australia, there was an increase of more than 300%[10] in third-party data breaches compared to the six months prior.

There have been some highly publicised examples.

In May this year, many Clubs NSW customers had their personal information potentially breached[11] through an attack on third-party software provider Outabox.

Bunnings suffered a similar breach[12] in late 2021, via an attack on scheduling software provider FlexBooker.

Bunnings Warehouse carpark and signage
In 2021, Bunnings had outsourced some customer booking tasks to third-party provider Flexabooker. Dave Hunt/AAP[13]

Getting the basics right

Some organisations are still struggling with the basics. Our research found many data breaches occur because outdated or “legacy” data systems are still in use.

These systems are old or inactive databases, often containing huge amounts of personal information about all the individuals who’ve previously interacted with them.

Organisations tend to hold onto personal data longer than is legally required. This can come down to confusion about data-retention requirements, but also the high cost and complexity of safely decommissioning old systems.

One chief privacy officer of a large financial services institution told us:

In an organisation like ours where we have over 2,000 legacy systems […] the systems don’t speak to each other. They don’t come with big red delete buttons.

Other interviewees flagged that risky data testing practices are widespread.

Software developers and tech teams often use “production data” – real customer data – to test new products. This is often quicker and cheaper than creating test datasets.

However, this practice exposes real customer information to insecure testing environments, making it more vulnerable. A senior cybersecurity specialist told us:

I’ve seen it so much in every industry […] It’s literally live, real information going into systems that are not live and real and have low security.

What needs to be done?

Drawing insights from professionals at the coalface, our study highlights just how complex data protection has become in Australia, and how quickly the landscape is evolving.

Addressing these issues will require a multi-pronged approach, including clearer legislative guidelines, better enforcement, greater transparency and robust security practices for the use of third-party providers.

As the digital world continues to evolve, so too must our strategies for protecting ourselves and our data.

References

  1. ^ comprehensive study (www.doi.org)
  2. ^ The Australian government has introduced new cyber security laws. Here's what you need to know (theconversation.com)
  3. ^ Optus (www.abc.net.au)
  4. ^ Medibank (www.abc.net.au)
  5. ^ Canva (www.afr.com)
  6. ^ privacy laws (www8.austlii.edu.au)
  7. ^ Detail from Bianca De Marchi/AAP (photos.aap.com.au)
  8. ^ serious harm (www8.austlii.edu.au)
  9. ^ Yuri A/Shutterstock (www.shutterstock.com)
  10. ^ more than 300% (www.oaic.gov.au)
  11. ^ breached (www.rimpa.com.au)
  12. ^ similar breach (australiancybersecuritymagazine.com.au)
  13. ^ Dave Hunt/AAP (photos.aap.com.au)

Read more https://theconversation.com/why-do-organisations-still-struggle-to-protect-our-data-we-asked-50-professionals-on-the-privacy-front-line-236681

The Times Features

Group Adventures Made Easy: How to Coordinate Shuttle Services from DCA to IAD

Traveling as a large group can be both exciting and challenging, especially when navigating busy airports like DCA (Ronald Reagan Washington National Airport) and IAD (Washington...

From Anxiety to Assurance: Proven Strategies to Support Your Child's Emotional Health

Navigating the intricate landscape of childhood emotions can be a daunting task for any parent, especially when faced with common fears and anxieties. However, transforming anxie...

The Rise of Meal Replacement Shakes in Australia: Why The Lady Shake Is Leading the Pack

Source Meal replacement shakes are having a moment in Australia, and it’s not hard to see why. They’re quick, convenient, and packed with nutrition, making them the perfect solu...

HCF’s Healthy Hearts Roadshow Wraps Up 2024 with a Final Regional Sprint

Next week marks the final leg of the HCF Healthy Hearts Roadshow for 2024, bringing free heart health checks to some of NSW’s most vibrant regional communities. As Australia’s ...

The Budget-Friendly Traveler: How Off-Airport Car Hire Can Save You Money

When planning a trip, transportation is one of the most crucial considerations. For many, the go-to option is renting a car at the airport for convenience. But what if we told ...

Air is an overlooked source of nutrients – evidence shows we can inhale some vitamins

You know that feeling you get when you take a breath of fresh air in nature? There may be more to it than a simple lack of pollution. When we think of nutrients, we think of t...

Times Magazine

The Lowdown on Cat Curfews

CAT CURFEWS AND HELPING YOUR CAT TO COPE Australia has one of the highest rates of pet ownership in the world, with over a quarter of Australian households owning a cat. There are approximately 6.5 million cats across Australia, covering some 99%...

FUJIFILM Australia and Igloo Vision Deliver a Fully Immersive Experience at EduTech 2024

FUJIFILM Australia, Optical Devices Division, alongside its partner Igloo Vision, will unveil a fully  immersive 360° booth experience at EduTech 2024, held August 13–14, 2024 in Melbourne at Fujifilm’s  booth 1604. The space was debuted at InfoC...

Racer Holly Espray hits the track with Uniden for V8 SuperUte Series in Bathurst

Leading SuperUte racer Holly Espray is geared up for her next big challenge at Bathurst, and she's relying on support from her new sponsor Uniden, known for its cutting-edge technology, to keep her connected and secure, both on and off the track. ...

Overview of The Prince2 Certification Exam

The Prince2 certification exam is a thorough examination created to evaluate a candidate's knowledge and comprehension of the Prince2 framework, a project management approach. It is widely acknowledged as a globally recognized project management ce...

How to Reduce the Risk of Motorhome Tyre Dry Rot

Motorhomes are large vehicles that may frequently stay out of use for long periods of time while exposed to the weather. As you can expect, the vehicle's weight is always concentrated in one spot on the tyre, and this constant exposure to the wea...

A Guide to the Best Experience at the Monaco Grand Prix

The Monaco Grand Prix is among the jewels that Formula One or F1 owns. The high-speed chase is held in the narrow streets of Monte Carlo. And because little has changed on the race track’s exciting design since the first race was held here, the M...