Millions of Australians have been impacted by several high-profile incidents – Optus and Medibank to name just two – which have exposed their customers’ personal data to hackers. What we are seeing today is a challenge that has been with us for far too long. In my observation, a fundamental issue here has been the deflection of cybersecurity as being solely an IT function and responsibility. Historically, this may have been accurate; but as more transactions are conducted online, issues surrounding the protection of data and personally identifiable information (PII) are really a wider business problem.

Business development short-cuts lead to long-term cybersecurity headaches

A common dilemma we have encountered is when businesses hastily sign off on the development of new applications or customer service products, overlooking PII vulnerabilities. This pressure to cut corners might seem unlikely to end up as a breach at the time, but when it does, the consequences are severe. The Optus and Medibank breaches are cases in point, where the number of accounts hit was reportedly equivalent to 56% of the population.

When I see leaks that come from testing or development environments with access to production data that’s not been scrubbed of PII, it usually means a short-cut has been taken due to the delivery timeframe or budget. Admittedly, some people do ask – is it not the responsibility of the Security Operations Centre (SOC) to identify unauthorised access to these environments? It’s a valid query which highlights yet more challenges faced by cybersecurity teams.