A data security expert says the federal government’s cybersecurity strategy has the wrong end of the stick
The Australian government’s ambition to “become the most cyber secure nation by 2030” is destined to fail unless customers demand “security certifications” from businesses, according to a leading data security expert.
Lisa Byrne, from data strategy firm Notitia, said customers will be the catalyst for businesses to “wake up” to their responsibility to provide effective data security.
“It is the responsibility of every business, small or large, to ensure that their customer data is protected, but not enough businesses have woken up to this fact,” she said.
Byrne’s call comes on the same day ASX-listed consumer finance firm Latitude Financial revealed a major cyber attack affecting more than 300,000 customers, in which the driver’s licence details of around 103,000 people were stolen. The latest hack follows last year’s Optus and Medibank data theft incidents involving millions of customers, amid a 26% increase in the second half of 2022 compared with the first six months.
While the federal government’s 2023–2030 Australian Cyber Security Strategy is currently under development, Byrne argues its focus on business and industry should be flipped.
“Policy-enforcer deterrents will only take us so far; customers also need to be empowered to hold businesses accountable,” she said.
“If Australian consumers expect businesses and institutions to prove their security, before data is handed over, the power of consumer spending will dictate the importance that all businesses place on adequate data security.
“This can only happen if we, as consumers, are prompted to look for that ‘tick of approval’ in the same way we would only buy a child’s car seat from a manufacturer who meets safety standards.”
Byrne, a 30-year veteran of business intelligence, data governance and cybersecurity, believes the government needs to roll out a consumer education campaign so people know where to spend their money and whom to trust with their private data.
“As customers, we all need to be brought into the conversation, educated and informed of what we should expect from any business and institution that we engage with,” she said.
“The first step is educating the public on what the business requirements are for their data to be protected and to be aware of the risks involved in handing their data over to a business that does not have an adequate data security plan.
“Secondly, there needs to be a way for businesses to easily market their compliance and for customers to feel confident in checking – this could look like a public data security compliance register, along with certified compliance logos on website footers or forms.”
Byrne believes businesses want to implement adequate data security measures, but it requires awareness and context.
“When the Optus and Medibank data breaches hit last year, Notitia saw an uplift in interest around data security and governance from a large number of our clients, who took the events as a wake-up call and wanted to do the right thing,” she said.
“It’s one thing for the government to be the policy messenger and gatekeeper, but if executives understand the actions expected of them, through the lens of their own risk of a crisis and subsequent interaction with their stakeholders – that’s when action to create a secure data environment happens.”