More stories


    Cyberattack fears raise the alarm in Eastern European countries

    The cyberattacks that targeted multiple US government agencies and companies in recent months have raised the alarm in developing Eastern European countries regarding their own cybersecurity capabilities.
    During the past year, some of them, like North Macedonia, have already experienced breaches of their state IT systems: last summer, the country had its electoral process disrupted by massive DDoS attacks that happened on election night. Hackers targeted the website of the state electoral commission, which went down for a few days before the election results could finally be made available to the Macedonian public.


    In 2019 in neighboring Bulgaria, more than five million people had their personal data stolen in a breach of the national tax agency. The hacked database was then also shared across various hacking forums, as ZDNet reported at the time.
    Shortly after those attacks, Bulgarian officials acknowledged the need for further investments in cybersecurity. Bulgarian foreign minister Ekaterina Zaharieva said the country would aim to increase the number of IT specialists in the state administration. The country also signed a 10-year roadmap with the US, aimed at bolstering the modernization of its army and cybersecurity.
    Bulgaria’s neighbor Romania also faced several cyberattacks the same year, as ransomware attacks targeted computer systems across hospitals in the country. Should this have happened during the current COVID-19 pandemic, the consequences for the health system in the country could have been dire.
    The cybersecurity community, as well as experts and IT professionals across the Balkans, are sounding the alarm regarding the cybersecurity capacities of various state institutions in these countries.

    The fragile state of cybersecurity in countries across the region could yet be exploited by hacker groups and malign actors. By targeting multiple state agencies or institutions, such attacks could also have consequences for their economies – for instance, an attack on the banking system could cause a major disruption. And most of these countries do not have the resources of their Western counterparts to invest in strengthening their cyberdefences, despite their desire to do so.
    Even if they did, attacks such as those in the US show that there are no guarantees when it comes to the potential that various cyber threats can have.
    Experts argue that many factors play a critical role in implementing an effective cybersecurity strategy. In most cases, the human factor proves to be the weakest link, and people need to be trained in how to defend against such attacks.
    “The weakest link on the internet is the human factor – the human firewall,” says Berlin-based cybersecurity researcher Predrag Tasevski. “It requires a lot of time and resources to be able to develop policies, guidance and knowledge for how to deal with such threats.”
    However, raising awareness about these issues also needs to run deeper and on more levels, Tasevski points out.
    “We can’t just only focus on boosting the awareness on the national level, and on the end-user. We need to raise awareness among the political leaders too, and on the institutional level as well.”
    One of the solutions for developing Balkan countries would be to introduce centralized protection systems that would cover various state agencies and ministries.
    “A protection system should be built for all government e-services, including agencies, ministries, local governments and any legal entity or state body,” says Mane Piperevski, a cybersecurity consultant based in Skopje, North Macedonia.
    Investing in such projects should be a priority for most of these countries, experts agree. The recent example of Romanian capital Bucharest being chosen to host the EU’s new cybersecurity center could also offer a new perspective and encouragement for the region, when it comes to hardening its critical infrastructure.
    Support from international organizations, as well as an enhanced regional cooperation, could be crucial in the fight against cybercrime that the region is facing. Most countries in the region, with the exception of Serbia and Bosnia & Herzegovina, are NATO members. In March 2020, North Macedonia became the Alliance’s newest member. Faced with the possibility of repeated cyberattacks, the tiny nation is now also putting its hopes on NATO’s assets and expertise.
    SEE: Ransomware victims aren’t reporting attacks to police. That’s causing a big problem
    According to Bilyana Lilly, assistant policy researcher at Los Angeles-based thinktank RAND Corporation, it is well within NATO’s mandate to assist its Balkan members.
    “In 2016, NATO formally recognized cyber as an operational domain and has made progress in developing centers and platforms that can facilitate the coordination and sharing of cyber capabilities among NATO members and even partner nations,” Lilly tells ZDNet.
    One example is NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE) in Tallinn, which was created not long after the major cyberattacks that Estonia suffered in 2007. The CCDCOE is responsible for identifying and coordinating education and training on cyber defense for all NATO institutions across the Alliance.
    Well aware of what similar attacks could do to the smaller and more fragile Eastern European countries, NATO maintains that it has all of its capacities available for allies.
    “Cybersecurity is a priority for NATO, and our networks are defended 24/7. Our cyber experts regularly offer support and share information, including through our Malware Information Sharing Platform,” a NATO official tells ZDNet in a statement.
    “NATO also has cyber rapid reaction teams on standby to assist allies 24 hours a day, and our Cyberspace Operations Centre is operational. For NATO, cyber defence is a core part of our collective defence.”


    Interpol warns of romance scam artists using dating apps to promote fake investments

    Interpol has warned of a new investment scam targeting users of mobile dating apps.

    As COVID-19 continues to severely restrict our daily lives and, in many places, makes social interaction and meeting new people in person impossible, dating apps have experienced a surge in users.
    With apps the only possible route to anything akin to dating at the current time, scam artists have decided to capitalize on this trend in order to push an investment-based scam that deprives victims of their cash. According to Arkose Labs research, four million online dating fraud and abuse-related attacks were recorded in 2020, many of them carried out through fake account registrations.
    On Tuesday, the International Criminal Police Organization (Interpol) said the agency had issued a “purple notice” — the provision of data on criminal groups’ methods, objects, devices, and concealment methods — to 194 member countries. 
    The notice describes a new modus operandi on dating applications, which Interpol says “takes advantage of people’s vulnerabilities as they look for potential matches, and lures them into a sophisticated fraud scheme.”
    This is how the scam, documented globally, works: users sign up to a dating app such as Tinder, eHarmony, or Bumble, and unknowingly end up matching with a scammer. 
    Once a level of trust has been established, the scam artist will then turn the conversation over to finance and potential investments, encouraging their ‘match’ to join them in a financial venture. 

    To appear genuine, the scammer will give their victim investment “tips” and lure them to download a fake trading app, sign up for financial products, and “work their way up a so-called investment chain” — all under the supervision of their connection on the dating app. 
    In order to encourage the victim to part with their cash, the fraudster will provide incentives, such as promising their victim can reach a premium “Gold” or “VIP” status under their tutelage. 
    However, nothing is as it seems. 
    “As is often the case with such fraud schemes, everything is made to look legitimate,” Interpol says. “Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.”
    Once the match has been milked for their cash, victims are locked out of their ‘investment’ accounts and the scam artist vanishes, cutting off all contact. 
    “They’re left confused, hurt, and worried that they’ll never see their money again,” Interpol added. 
    When feelings become involved, there may be more of a chance for someone to be persuaded to part with their money. Phishing emails work the same lever: many of them pretend to be from a tax office, loan company, or bank, and use panic and fear as triggers.
    Dating app fraudsters prey upon the heart, and we’ve heard, time and time again, of lonely users being swindled out of their life savings by individuals who appeared to be genuine love interests. 
    As many of us are using dating apps as an alternative to meeting in-person during the pandemic, it is even more important that we remain cautious. 
    You should never part with any money to someone you don’t know and haven’t met in person — no matter what the apparent opportunity is or whatever claimed ‘emergency’ situation someone is in — and when it comes to investment opportunities, research first.
    After all, if a financial investment appears to be too good to be true, it usually is. 
    Earlier this week, UK police highlighted another form of scam that preys upon lonely hearts — the exploitation of online video chats and remote dates. In a case documented by Thames Valley police, a video session between a man and a woman that turned intimate was recorded by the latter, who had pretended to have a romantic interest in her victim in order to extort a blackmail payment in return for the footage not being shared with friends and family.


    Google: These new password protection features are coming to Chrome

    After releasing Chrome 88 this week, Google has announced a host of new password protection features it will begin rolling out to Chrome 88 in coming weeks. 
    Chrome 88 includes a new feature to quickly check for weak or compromised passwords and remediate the issue. After clicking on the profile avatar, there’s now a key icon that can be clicked to begin checking for weak passwords. 


    Also in Chrome 88, users can manage and edit all passwords in Chrome Settings on the desktop and iOS. Google is planning to bring this feature to the Android Chrome app soon. The feature is meant to make it easier to update saved passwords in a central place, as opposed to relying only on Chrome prompts to update single passwords when logging into websites. 
    Thanks to Chrome’s Safety Check, which alerts users to any compromised credentials they have, Google says it has seen a 37% reduction in compromised credentials stored in Chrome. Additionally, Safety Check is used 14 million times each week, according to Google.
    Google last year enabled iOS users to autofill passwords saved in Chrome into other apps and browsers. It’s now doing this for three million sign-ins across iOS apps every week.   
    Last year, Google added biometric authentication for the autofill feature on iOS, and it will soon bring this additional protection to Chrome on Android. iOS users must pass Touch ID, Face ID, or the phone’s passcode before a saved password is autofilled into another app or website.

    The password management features with Chrome 88 will be rolled out over the coming weeks, Google says. 
    Chrome 88, released earlier this week, was the first version of Chrome in years not to include Adobe Flash Player in the browser. Flash reached end of life at the end of 2020, so Mozilla, Google, Apple and Microsoft have all dropped support for Flash in their respective browsers.
    FTP support was also disabled in Chrome 88, which also now blocks HTTP file downloads from HTTPS web pages. 
    Chrome 88 ships with an experimental feature for searching all tabs via a new popup window that can be accessed by clicking a downward arrow above the user avatar. To test tab search, users can go to chrome://flags/ and search for “Enable Tab Search”. 
    Users can also test out a new “Force Dark Mode for Web Contents” feature in Chrome 88. Again, it’s an experimental feature in chrome://flags/ that can help ensure websites with white backgrounds have black backgrounds instead.


    A Chinese hacking group is stealing airline passenger details

    A suspected Chinese hacking group has been attacking the airline industry for the past few years with the goal of obtaining passenger data in order to track the movement of persons of interest.


    The intrusions have been linked to a threat actor that the cyber-security industry has been tracking under the name Chimera.
    Believed to be operating in the interests of the Chinese state, the group’s activities were first described in a report [PDF] and Black Hat presentation [PDF] from CyCraft in 2020.
    The initial report described a series of coordinated attacks against the Taiwanese semiconductor industry.
    But in a new report published last week by NCC Group and its subsidiary Fox-IT, the two companies said the group’s intrusions are broader than initially thought, having also targeted the airline industry.
    “NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020,” the two companies said.
    These attacks targeted semiconductor and airline companies in different geographical areas, and not just Asia, NCC and Fox-IT said.

    In the case of some victims, the hackers stayed hidden inside networks for up to three years before being discovered.
    Hackers scraped user data from the RAM of flight booking servers
    While the attacks orchestrated against the semiconductor industry were aimed towards the theft of intellectual property (IP), the attacks against the airline industry were focused instead on something else.
    “The goal of targeting some victims appears to be to obtain Passenger Name Records (PNR),” the two companies said.
    “How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers.”
    A typical Chimera attack
    The joint NCC and Fox-IT report also describes the Chimera group’s typical modus operandi, which usually begins with collecting user login credentials that leaked in the public domain after data breaches at other companies.
    This data is used for credential stuffing or password spraying attacks against a target’s employee services, such as email accounts. Once in, the Chimera operators search for login details for corporate systems, such as Citrix systems and VPN appliances.
    Once inside an internal network, the intruders usually deploy Cobalt Strike, a penetration-testing framework used for “adversary emulation,” which they use to move laterally to as many systems as possible, searching for IP and passenger details.
    The two security firms said the hackers were patient and thorough and would search until they found ways to traverse across segmented networks to reach systems of interest.
    Once they had found and collected the data they were after, this information was regularly uploaded to public cloud services like OneDrive, Dropbox, or Google Drive, in the knowledge that traffic to these services wouldn’t be inspected or blocked inside breached networks.
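    Two of the behaviours in the intrusion chain just described, password spraying against employee login services and bulk uploads to public cloud storage, leave recognisable shapes in ordinary authentication and proxy logs. The script below is an added example of detection logic over such logs; it is not code from the NCC Group or Fox-IT report. The log lines, the field layout, the thresholds and the list of cloud-storage domains are all constructed for this example and would need to be matched to a real environment.

```python
"""Detection of password spraying and bulk cloud-storage uploads.
Added example: the log formats, thresholds and domain list are assumptions,
not taken from the NCC Group / Fox-IT report."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed authentication events: timestamp, source IP, account, result.
# One source tries many accounts once each (spraying); another retries one
# account (an ordinary mistyped password).
AUTH_LOG = """\
2020-03-02T09:00:01Z 203.0.113.7 alice FAIL
2020-03-02T09:00:03Z 203.0.113.7 bob FAIL
2020-03-02T09:00:05Z 203.0.113.7 carol FAIL
2020-03-02T09:00:07Z 203.0.113.7 dave FAIL
2020-03-02T09:00:09Z 203.0.113.7 erin FAIL
2020-03-02T09:00:11Z 203.0.113.7 frank FAIL
2020-03-02T09:00:13Z 203.0.113.7 grace SUCCESS
2020-03-02T09:05:00Z 198.51.100.4 alice FAIL
2020-03-02T09:05:20Z 198.51.100.4 alice FAIL
2020-03-02T09:05:40Z 198.51.100.4 alice SUCCESS
"""

# Constructed proxy events: timestamp, internal host, method, URL, bytes sent.
PROXY_LOG = """\
2020-03-02T22:10:00Z 10.0.5.21 PUT https://api.onedrive.com/v1.0/drive/items 52428800
2020-03-02T22:12:00Z 10.0.5.21 PUT https://content.dropboxapi.com/2/files/upload 73400320
2020-03-02T22:13:00Z 10.0.5.21 PUT https://content.dropboxapi.com/2/files/upload 73400320
2020-03-02T22:14:00Z 10.0.5.40 GET https://www.example.com/index.html 2048
2020-03-02T22:15:00Z 10.0.5.40 POST https://www.googleapis.com/upload/drive/v3/files 1024
"""

# Assumed list of public cloud-storage domains to watch; extend per environment.
CLOUD_STORAGE_DOMAINS = ("onedrive.com", "dropboxapi.com", "dropbox.com", "googleapis.com")


def parse_auth(text):
    """Parse the constructed auth format into (datetime, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: [accounts]} for sources whose failures inside one window
    hit many distinct accounts with few attempts each. That 'one password, many
    users' shape separates spraying from brute force against a single account,
    which per-account lockout counters already catch."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that logged in successfully from a flagged source: the ones
    to reset and investigate first."""
    return sorted({user for _, ip, user, result in events if ip in flagged and result == "SUCCESS"})


def detect_cloud_uploads(text, threshold_bytes=100 * 1024 * 1024):
    """Sum bytes sent by each internal host to cloud-storage domains via PUT/POST
    and return {host: bytes} for hosts over the threshold."""
    totals = defaultdict(int)
    for line in text.splitlines():
        _, host, method, url, size = line.split()
        if method not in ("PUT", "POST"):
            continue
        domain = urlparse(url).hostname or ""
        if any(domain == d or domain.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
            totals[host] += int(size)
    return {host: total for host, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    auth = parse_auth(AUTH_LOG)
    sprays = detect_password_spray(auth)
    print("spraying sources:", sprays)
    print("successful logins from those sources:", successes_from_flagged(auth, sprays))
    print("hosts with bulk cloud uploads:", detect_cloud_uploads(PROXY_LOG))
```

    The spraying detector keys on distinct accounts per source rather than on failures per account, which is why the second source (three attempts against one account) is not flagged while the first one is. The upload detector is deliberately coarse: it only totals bytes to a fixed domain list, so in practice it belongs alongside a baseline of normal per-host upload volume and an allow list for sanctioned corporate storage.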
    Tracking targets of interest
    While the NCC and Fox-IT report didn’t speculate about why the hackers targeted the airline industry and stole passenger data, the reason is fairly obvious.
    In fact, it is very common for state-sponsored hacking groups to target airline companies, hotel chains, and telcos to obtain data they could use to track the movements and communications of persons of interest.
    Past examples include Chinese group APT41, which targeted telcos with special malware capable of stealing SMS messages. The attacks were believed to be related to China’s efforts to track its Uyghur minority, with some of these efforts involving hacking telcos to track Uyghur travelers’ movements.
    Another Chinese group that targeted telcos was APT10 (or Gallium), whose activities were detailed in Cybereason’s Operation Soft Cell report.
    In addition, Chinese state-sponsored hackers were also linked to the Marriott hack, during which they stole troves of hotel reservation details going back years.
    But China isn’t the only one engaging in these types of attacks.
    Iranian group APT39 has also been linked to breaches at telecommunication providers and travel companies for the purpose of tracking Iranian dissidents, while another Iranian group, known as Greenbug, has been linked to hacks against multiple telecom providers across Southeast Asia.
    Then there’s Operation Specialist, a UK GCHQ operation that targeted Belgian telco Belgacom between 2010 and 2013.


    Google says consent over every aspect of data processing would be burdensome

    Google believes individuals should not be penalised for exercising their privacy rights, but said some choices offered to individuals may affect the ability of a business to earn revenue.
    The comments were made in a submission [PDF] to the Attorney-General’s review of Australia’s Privacy Act 1988.
    “[We] urge the government to think clearly through the issue of under what conditions businesses and organisations may make services contingent on a user’s acceptance of some processing of their personal information,” it wrote.
    “Individuals should not be penalised for exercising their privacy rights, but some choices offered to individuals may affect the ability of a business to earn revenue, and even the financial viability of products and services that are of tremendous benefit to users and to society.”
    Google considers a one-size-fits-all approach to mandating how personal information can be handled to be of limited applicability, as people have different preferences about how they want their information to be used.
    The Act’s current requirement that businesses and organisations provide appropriate mechanisms for individual control does not mandate a specific consent or toggle for every use of data, and Google said inserting such a requirement could overburden the user experience.

    “In many cases, the processing of personal information is necessary to simply operate the service the user requested,” it wrote. “Requiring individuals to control every aspect of data processing can create a burdensome and complex experience that diverts attention from the most important controls without corresponding benefits.
    “Individual control over data processing should apply wherever it can be reasonably offered, not just certain categories.”
    Google wants “narrow and specific consent requirements”, saying these would avoid “consent fatigue”, promote innovation, and allow regulators to focus on “priority issues”.
    On the issue of default settings, Google said strict rules requiring “extensive” opt-in actions limit its ability to provide “meaningful options that support ideal product functionality while also being comprehensible to Google users”.
    “Much like consent-fatigue, requiring a lot of ‘opt-in’ settings can overwhelm users and diminish the significance of the most important settings,” it wrote.
    The search giant also welcomes the introduction of an explicit age threshold which parents or guardians could exercise on behalf of their children, making the suggestion that this be set to 13 years of age.
    Google is supportive of a right to delete data that is provided to an organisation and the ability for a user to request data be ported to another service.
    In contrast to Google’s view, the Cyber Security Cooperative Research Centre (CSCRC), which is based out of Edith Cowan University in Western Australia, said in its submission [PDF] that it is “appropriate and necessary” that under the Act, entities must take “reasonable steps to notify individuals of the collection of their personal information”.
    “While amendments should be made to better define ‘reasonable steps’ in a bid to ensure the wording is fit-for-purpose, a key advantage of the proliferation of communication technologies ultimately means that notification of collection is easier to achieve than ever before,” it wrote.
    The CSCRC supports the idea that a regulated entity be required to provide a notice for all collections of personal information, with limited exceptions. It said this would build consumer confidence and awareness of when information is being collected.
    It said an individual should always be provided with notice when their personal information is being collected, and cited the ACCC’s action against Google for its third-party data collection activities.
    The CSCRC also called for the definition of personal information to be amended to align with the EU’s General Data Protection Regulation (GDPR).
    Under this definition, personal data is: “Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
    “Adopting such a definition would effectively expand the constitution of ‘personal information’ and help allay concerns related to privacy risks arising from new forms of ‘personal information’ like IP addresses and social media profiles,” CSCRC CEO Rachael Falk said.
    ANZ Bank, meanwhile, is questioning whether defining personal information in line with the GDPR would provide legal certainty in Australia and cautions against imposing obligations which overly restrict the use and disclosure of de-identified information.
    “We believe the current scope of regulating personal information in the Privacy Act is appropriate and that the constraints in the law are sufficient to protect the privacy of individuals,” it said in its submission [PDF].


    Trump decrees American cloud providers need to maintain records on foreign clients

    Trump signs an executive order earlier in his presidency.
    On his way out the door, outgoing and twice-impeached United States President Donald Trump has signed an executive order mandating that American cloud companies need to maintain records on foreign clients to help US authorities track down people committing cyber crimes.
    Among the information to be retained, American cloud providers are expected to keep names, physical and email addresses, national identification numbers, means and sources of payment which could be credit card or bank account details, phone numbers, and IP addresses used to access services each time services are accessed.
    “Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities,” Trump wrote in a letter to House Speaker Nancy Pelosi and Vice President Mike Pence in his role as President of the Senate.
    “Foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection.”
    Although the executive order and letter use the infrastructure as a service (IaaS) term, the order explains the definition also includes other cloud services.
    “The term [IaaS] means any product or service offered to a consumer, including complimentary or ‘trial’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications,” it states.
    “The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of ‘managed’ products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and ‘unmanaged’ products or services, in which the provider is only responsible for ensuring that the product is available to the consumer.

    “The term is also inclusive of ‘virtualized’ products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (eg, ‘virtual private servers’), and ‘dedicated’ products or services in which the total computing resources of a physical machine are provided to a single person (eg, ‘bare-metal’ servers).”
    The order gives the Secretary of Commerce the ability to restrict access to US cloud services if a country is deemed to have “any significant number of foreign persons offering United States IaaS products that are used for malicious cyber-enabled activities” or limit the access of certain foreigners. This section and the record-keeping obligations will kick in after 180 days.
    In 120 days, the US government will need to consult on how to increase information sharing among cloud providers themselves, as well as with the government, to “deter the abuse of US IaaS products”. After 240 days, a report and recommendations will be presented to the President.
    Earlier on Tuesday, US Secretary of State Mike Pompeo tweeted that China has been engaged in genocide and crimes against humanity against its Uyghur population and other minorities.
    “These acts are an affront to the Chinese people and to civilized nations everywhere. The People’s Republic of China and the CCP must be held to account,” he said.
    On a very active day of posting on Twitter for Pompeo, only three hours earlier, the outgoing Secretary of State decried the idea of multiculturalism.
    “Woke-ism, multiculturalism, all the -isms — they’re not who America is. They distort our glorious founding and what this country is all about. Our enemies stoke these divisions because they know they make us weaker,” he posted.
    Without a sense of irony over the US Capitol riots, Pompeo said visa restrictions were being introduced for those that were “involved in election interference in Tanzania”.
    “There are consequences for interfering in the democratic process,” he said.
    The issue of Uyghur forced labour in the tech industry has been slowly bubbling away for some time.
    At the time of writing, just under 13 hours were left until Trump and Pompeo leave office, to be replaced by the Biden administration.


    OAIC wants stronger enforcement powers in Australia's revamped Privacy Act

    The Office of the Australian Information Commissioner (OAIC) has asked for amendments to be made to the Privacy Act 1988 that would update its regulatory powers and remove exemptions such as for political parties.
    In a 150-page submission [PDF] to the Attorney-General’s review of the Act, the OAIC made a handful of recommendations, including enhancing its own ability to regulate, which it said would bring its powers in line with “community expectations”.
    “Through strengthened enforcement powers and new regulator measures, including a direct right of action and statutory tort to provide individuals with greater control of their personal information,” the OAIC wrote.
    It said legislative protections must be reinforced by a strong system of oversight that upholds individuals’ rights and holds entities to account.
    “The privacy regulator needs the correct tools to respond efficiently and appropriately to new threats and regulate in line with community expectations,” the submission explained.
    The current Privacy Act positions the regulator to resolve individual privacy complaints through negotiation, conciliation, and determination. The OAIC has described this nearly 33-year-old function as outdated.
    “This reflects the context in which the Privacy Act was first introduced. In the digital environment, privacy harms can occur on a larger scale. While resolving individual complaints is a necessary part of effective privacy regulation, there must be a greater ability to pursue significant privacy risks and systemic non-compliance through regulatory action,” it said.

    “While Australia’s current framework provides some enforcement powers, these need to be strengthened and recalibrated to deter non-compliant behaviour and ensure practices are rectified.”
    It also said the regulator needed appropriate resources to proactively identify and address existing and emerging risks before serious, widespread, or societal harm occurs.
    The commissioner has also asked that the emerging updated Act provides for global interoperability to allow data to be protected wherever it flows; privacy self-management, so individuals have choice and control; organisational accountability, such as implementing sufficient obligations on entities; and a contemporary approach to regulation, which would entail having the right tools to regulate.
    “Strong data protection and privacy rights are both necessary to uphold our human right to dignity in the digital age, and a precondition for consumer confidence and economic growth,” the OAIC wrote.
    “They are also critical to achieving other societal objectives such as the protection of health, safety, and security.”
    Further recommendations made by the OAIC are aimed at addressing “declining levels of trust” and responding to the community’s desire for “more to be done to protect their privacy”. The OAIC said the Privacy Act must be supplemented with protections that create legal obligations aimed at achieving greater fairness and organisational accountability to address privacy risks and harms.
    Flexibility and scalability of the existing principles-based approach should remain, the OAIC said, supported by enhanced abilities for the commissioner to make legally binding instruments.
    It also asked for the implementation of stricter guidelines for privacy self-management tools in order to allow individuals to better understand how their information is handled and used. In addition, it wants requirements for regulated entities that ensure all collections, uses, or disclosures of personal information are fair and reasonable, and appropriate safeguards are maintained.
    Additional organisational accountability measures were also requested by the OAIC, with the commissioner saying this would ensure entities have implemented actions and controls that demonstrate their compliance with the privacy regulatory framework.
    Protections provided currently within the Privacy Act include exemptions in relation to small businesses, employee records, registered political parties and political acts and practices, and journalism.
    The OAIC considers it no longer justifiable to exempt major parts of the economy from the operation of the Act.
    “The OAIC therefore recommends removing the current exemptions in the Privacy Act … it is appropriate to consider more comprehensive privacy protections for all Australians … regardless of the type of entity that holds their information or particular purpose for which it is held,” it said.
    Privacy and information commissioners from New South Wales, Queensland, and Victoria also provided submissions to the Attorney-General’s review, sharing the view that political exemptions must be removed, or at least reconsidered.
    “It is the [Queensland Office of the Information Commissioner’s] view that the small business exemption, employee records exemption, and political parties exemption are becoming harder to justify and their relevance questioned in an increasingly digital world,” the Queensland commissioner wrote in its submission [PDF].
    “Continuing the exemption creates the potential for increased cybersecurity risks as the small business may be the weakest link in the supply chain to attack larger more valuable information and data assets.
    “In the interests of promoting public confidence in the political process, those who exercise or seek power in government should adhere to the principles and practices that are required of the wider community.”
    Likewise, the Office of the Victorian Information Commissioner said [PDF] removing such protections would bring the Privacy Act more in line with community expectations, by “ensuring that individuals’ privacy is better protected in circumstances where there is currently little to no privacy protection”.
    The NSW commissioner, meanwhile, said [PDF] they support consideration of whether these exemptions should be removed or narrowed in scope.
    NSW to implement its own mandatory data breach reporting scheme
    The Information and Privacy Commission New South Wales has provided an update on plans to implement a mandatory data breach reporting mechanism that it says will complement the existing Commonwealth mandate.
    Australia’s Notifiable Data Breaches (NDB) scheme came into effect in February 2018, requiring agencies and organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.
    Although it has coverage Australia-wide, the NSW commission said the NDB scheme is aimed primarily at federal government agencies and private sector organisations regulated by the Privacy Act. There are provisions that apply to NSW agencies, however.
    “The Information and Privacy Commission has published guidance for NSW agencies to assist them in complying with their obligations to report data breaches, including under the NDB scheme,” it said in its submission. 
    The Information and Privacy Commission currently operates a voluntary data breach notification scheme in parallel to the NDB.
    “As a matter of best practice, NSW agencies are encouraged to voluntarily report data breaches to the Privacy Commissioner, and to affected individuals as appropriate,” it said.
    “Building on these voluntary processes, I support the introduction of a mandatory data breach notification scheme in NSW.”
    A draft model for a mandatory reporting scheme in NSW has been developed by a working group that comprises NSW agencies including the Department of Communities and Justice, the Department of Customer Service, the NSW Ministry of Health, and the Information and Privacy Commission.
    “Any mandatory data breach notification scheme introduced in NSW would be designed to complement the existing Commonwealth Notifiable Data Breach (NDB) Scheme under the Privacy Act, particularly in areas of jurisdictional overlap,” the commission added.
    In 2019-20, the commission received 41 voluntary breach notifications.
    State government was accountable for 28, local government for 10, and public universities for three.
    Awareness isn’t enough — it’s time for security leaders to change behaviors

    As 2021 gets underway, there has been a significant rise not only in the influence and importance of cybersecurity, but also in attention to the human element of security. For example, human error is now recognized as a key contributor to the overall risk profile of an organization.

    Unfortunately, as an industry, we’re still struggling to manage this risk.
    For years now, CISOs have done a remarkable job of training users to understand security risks by purchasing solutions with extensive content libraries, administrative features, and assessments measuring all manner of user failures. But this focus on creating awareness falls short of changing long-lasting behavior, and CISOs know they need to shift focus to the humans on the receiving end of these programs. Many are also acutely aware that organizations with strong security cultures have employees who are educated, enabled, and enthusiastic about their personal cybersafety and that of their employer.
    To move beyond perfunctory awareness and training programs to changing behavior and instilling a security culture (the ABC of security), you need to do the following: 

    Build a human-centric security program. Move beyond tactics and create a multiyear, sustainable strategy via a four-step plan that includes: 1) Identifying key stakeholder and threat communities; 2) Defining your behavioral baseline and target state; 3) Creating the initiatives that will influence each stakeholder community; and 4) Measuring and continuously improving the plan. 

    Focus culture efforts up, across, down, and outside your organization. Move away from point-in-time engagement activities by building a strong culture at four distinct levels within the organization, taking a different approach for each constituent. Advocate at the executive level to get security visibility; rationalize investments with business leaders to assure security buy-in; communicate with employees to create a consistently high level of awareness; and extend your reach by building trust with external stakeholders. 

    Design transformative security awareness initiatives. Unless people feel positive about the topic of security, the capabilities of your team, and you as a leader, you will struggle to get them to truly buy into the need for security. To achieve this, your initiatives need to be impactful enough to resonate with the audience and to continuously influence and motivate them to behave securely. Apply design principles when creating your transformative security awareness initiatives.

    Start by improving the culture and influence of your own security team. The biggest obstacle to security leaders’ efforts today is the image of security itself. So transform your own team’s culture, create an environment of psychological safety for your organization, and extend your influence with a network of security champions. Above all, hire people with good human-centric skills. They are what’s desperately missing not only in your organization but in our profession. 

    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.
    This post was written by Principal Analyst Jinan Budge, and it originally appeared here.