Australia has a reputation for being home to dangerous things, whether it be a snake a spider or a crocodile sharing the beach. However, it seems that the digital world is not safe either, with reports in late 2022 pointing to Australia having the highest data breach density in the world in the last quarter of the year.
Like every country around the world, Australia has not been immune to data breaches. In 2019, the online design and publishing tool – Canva was breached, with reports suggesting up to 139 million users’ details (usernames, email addresses and hashed passwords) were stolen. In October 2022, the health insurer Medibank was breached and personal customer information was posted on the dark web.
In response to such breaches, the Australian government has taken steps, introducing legislation that follows in the footsteps of the EU’s GDPR. On 29th November 2022, the Office of the Australian Information Commissioner (OAIC) announced on its website that the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, had been passed.
A day earlier, the Hon Mark Dreyfus KC MP stated in a media release: “The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced and delivered legislation in just over a month. These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.”
The maximum penalty that can be administered by the OAIC has risen from AU$ 2.22 million to AU$ 50 million. It echoes the headlines around Europe in the lead-up to GDPR enforcement on 25th May 2018.
GDPR has certainly had a financial impact with fines totalling €832m in 2022 (interestingly this is 36% lower than the €1.3 billion in 2021). So, the world will watch when the OAIC will show its new sharp teeth.
However, prevention is preferable to penalties, and if GDPR did one thing, it propelled data privacy and protection high on the boardroom agenda. Organisations in Australia must now think carefully about the systems they have in place to protect personal information. Should they fall foul of a data breach, how will they demonstrate to the OAIC that they deserve leniency?
A key recommendation is made by the Australian Cyber Security Centre (ACSC), the organisation leading the Australian Government’s efforts to improve cyber security. In December 2021, the then Australian Defence Minister, Linda Reynolds, launched a campaign to promote the use of Multi-Factor Authentication (MFA) by organisations, businesses, and individuals. The campaign highlighted MFA as ‘one of the most effective ways to protect your valuable information and accounts against unauthorised access.’
The reality today is that many data breaches (large and small) have their origins in poorly managed passwords. And, whilst it is possible to improve passwords through the use of systems such as Password Security Management, MFA is the next step in providing a defence against a breach, whether it be a targeted attack or the result of negligence. However, a word of warning. Not all MFA solutions are made equal, and many continue to rely on passwords as one of the factors, bringing into question how ‘multi’ they really are.
For any organisation that is looking to protect themselves, their customers, employees, and suppliers in 2023 the end goal needs to be a shift towards passwordless MFA that provides single sign-on login options to applications, regardless of whether they are on-premises or cloud-based. What is more, such systems can be quick to deploy and far more cost-effective than many expect, especially when the cost of administering passwords and the loss in productivity that results are taken into account. Then there is the potential reputational damage and fines that can accompany a breach, which few organisations have the pockets to absorb.
To learn how you can begin your journey to passwordless MFA speak with one of the Authlogics team today.