Cybersecurity, data security and privacy are all intertwined. As businesses move towards digital business models, exponentially more data is generated and shared, both within the business and with partners and customers through interconnected systems/technology. This digital information has become the lifeblood of this interconnected business ecosystem and is increasingly valuable to businesses – and to threat actors (cyber criminals, competitors, foreign states).
PwC’s 2023 Global Digital Trust Insights survey highlights that two-thirds of organisations consider cyberattacks their most significant threat in the coming year. Cybercriminals are increasingly using off-the-shelf tools to perpetrate and orchestrate a variety of attacks. And yet, many of the breaches we’re seeing are still preventable with sound cyber practices and strong controls.
A business’s key stakeholders – customers, employees, business partners – are increasingly equating any security breach to a breach of trust.
Governments and regulators are becoming increasingly concerned about the theft of personal information from organisations. Looking overseas, the Australian government has introduced a bill that would increase the maximum penalty for serious or repeated privacy breaches to AUD$50 million or 30% of turnover for all businesses that operate in Australia, including foreign companies.
These penalties have increased substantially from the initial proposal of AUD$10 million or 10% of turnover. This is due to several recent major breaches of customer data in Australia, including names, dates of birth, email addresses, driver's licence numbers, passport numbers and medical claims data for millions of people.
Australian Attorney General Mark Dreyfus said that “We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.” This is essential “to ensure Australia’s privacy framework is able to respond to new challenges in the digital era.”
In the UK, the construction group Interserve has recently been fined £4.4m after a cyber attack that enabled hackers to steal the personal and financial information of up to 113,000 employees.
Current NZ privacy legislation only came into force in December 2020 and introduced mandatory disclosure for serious data breaches. However, it has a maximum penalty of only $10,000. Given where international legislation is heading, this level of penalty is significantly lighter than in other jurisdictions and will likely come under pressure if further serious data breaches occur in New Zealand.
The recently released Draft National Security Long-term Insights Briefing (DNSLIB) shows that New Zealanders feel particularly at risk of a cyber-attack, with 81% of respondents to the National Security Public Survey saying that there is a real threat of hacking into information systems happening in the next 12 months (compared to a global average of 75%). The Computer Emergency Response Team (CERT NZ) reports that in 2021, incidents rose by 13% for individuals and businesses, with an estimated direct cost of $16.8 million.
Looking ahead, the DNSLIB expects to see:
- A growth in more complex and frequent cyber crime, challenging our collective ability to respond.
- More cyber attacks targeting technology critical for businesses, including supply chains.
Waikato organisations are not immune, as shown by the 2021 DHB cyber attack and, more recently, the Pinnacle Health cyber attack in September 2022.
In a world that is increasingly technology focussed and complex, how do you improve your cyber security and data trust?
Technology in itself is not the answer to simplified security. Security needs to be a concern for the entire business. Ask yourself these four questions:
- How involved/engaged is your CEO in cyber?
- How complex are your organisation’s operations?
- How do you know if you’re securing your organisation against the most important risks to your business?
- How well do you know your third-party and supply chain risks?
Results of our Digital Trust Insights survey show that those organisations that had the best cybersecurity outcomes are:
- 14x more likely to have CEOs that provide significant and broad support to cybersecurity.
- 5x more likely to have streamlined operations enterprise-wide.
- 18x more likely to say data and threat intelligence are integral to their operating model, especially in relation to cybersecurity and data governance.
- 11x more likely to understand their third-party cyber and privacy risks. (At best, only 40% of respondents say they thoroughly understand these risks.)
Sound cyber practices and strong controls
For all organisations, there are some key foundational cybersecurity practices that provide a solid baseline. These are the Essential Eight recommended by the Australian Government Cyber Security Centre (https://www.cyber.gov.au/acsc/view-all-content/essential-eight):
- Application control
- Patching applications
- Microsoft Office macro settings
- User application hardening
- Restricting administrative privileges
- Patching operating systems
- Multi-factor authentication
- Regular backups
About
PwC’s community of solvers works with businesses to understand digital risk within their business context, providing insightful advice and innovative solutions, to build confidence and trust in their technology, data and security.