THE AUSTRALIAN LOCAL GOVERNMENT YEARBOOK EDITION 25 (2018)
Cybersecurity – once the exclusive domain of IT and
security staff – is now, by law and necessity, the domain
of senior executives and non-executives.
Whether by national or state-based data security and privacy
legislation, corporate governance or common law ‘duty of care’,
local councils and their management must apply due diligence
to cybersecurity issues, just as they must to issues such as
occupational health and safety.
Although Section 6C of the Australian Privacy Act 1988
states that state or territory authorities, or prescribed
instrumentalities – including councils – are not ‘organisations’,
councils are still held responsible for data privacy under
state-based (privacy) legislation – referred to as ‘other privacy’
Importantly, privacy and mandatory breach notification
laws highlight high-grade encrypted data for exemption. If so
encrypted, that data is not considered breached.
Note the term high-grade/strong encryption. It sounds
an alert not to rush into compliance! Rushing risks a sub-optimal
security and performance solution, such as Media Access
Control Security (MACsec) standard-based solutions criticised by
experts (such as PacketPushers.net and Inside-IT).
Regulatory breaches, however, are just one of the serious
issues councils face in the event of a breach of unencrypted
data. Common law and corporate governance actions may be
brought against councils and their managers, claiming breaches
of duty of care and negligence. Then there are the financial costs
and loss of reputation.
The seemingly endless litany of high-profile successful cyber
attacks in recent years (ransomware, hack attacks, et cetera) has
raised awareness; however, those attacks are just the tip of the
Data at rest and data in motion
While governments and enterprises invest in ‘preventative’ data
security, such as firewalls, this is typically limited to their ‘data at
rest’ – their systems data and data centres – used in day-to-day
Too few invest in protecting their ‘data in motion’ through
high-grade encryption – that is, data moving across high-speed
networks – internally and externally. This unsecured network
data may take three forms – core IT infrastructure, such as data
centre interconnect; wide area network (WAN) data links, such as
location links; and everyday file sharing with third parties, such
as contracts and development plans.
The risk is that a security-diligent organisation may overlook
the value of their network data and fail to encrypt it, making
their networks targets for cyber attacks and the weakest link in
So, how should one protect network data in motion?
Encrypt it! Only by using high-grade encryption methods
can organisations be certain that a network data breach will
simply result in meaningless bits and bytes in the hands of
cybercriminals. It’s why privacy regulations do not require
A consistently underestimated threat
Like enterprises, councils are dependent upon the high-speed
data networks that lie beneath the surface of their IT systems.
They enable core IT infrastructure, and metropolitan area
network (MAN) and WAN links with numerous stakeholders,
providing traditional and new business services, such as cloud
and other business transformation technologies. These business-
critical technologies and applications generate huge volumes of
information-rich data, which are often left unprotected.
Why? Despite high-profile stories of breached network data,
research repeatedly highlights that network cyberthreats are
underestimated. This is because of a false presumption that
networks (and fibre optics) are inherently safe. They are not!
Whether your data network infrastructure is carrier-provided
or corporate-owned, it may be carrying large volumes of data,
streamed at 10 megabits per second to 100 gigabits per second.
As a result, it is a high-value target for cybercriminals. As James
Caplan from McKinsey & Company puts it, ‘The larger the data
volume, the greater the risk’.