Don't feel too ashamed to report data breaches: AFP

Reputation damage doesn't happen when companies are breached, according to the AFP; it happens when they fail to disclose that fact and seek help.
Written by Michael Lee, Contributor

If businesses are putting in place the right security, they shouldn't feel ashamed about reporting their data breaches, according to Australian Federal Police (AFP) High Tech Crime Operations detective superintendent Brad Marden.

Speaking at IBM's Security Symposium in Sydney today, Marden said that it was still very early days yet, but the public was beginning to see that organisations, in many cases, aren't to blame for security breaches. Marden likened a breach to a home robbery, where if an organisation had taken the right steps to protect themselves, they shouldn't have an issue letting others know.

"If your house is broken into, nobody thinks worse of you, because you got broken into. It's not your fault. If you've got everything done, everything right, there's no fault here. People are starting to see that. If you try and hide it, you're going to get far worse publicity in the long run."

Marden said that the last thing organisations should do is attempt to cover up the fact that something went wrong, stating that it's better to get on the front foot and inform the public that they were compromised and get law enforcement involved early.

As an example, Marden brought up a case in which one hacker broke into two separate organisations. One of the organisations went it alone, while the other had the AFP involved from the start.

"One of the companies was completely destroyed, 10 people lost their jobs, about 25,000 websites went offline — 4000 permanently — and that company now no longer exists. The same person attacked another company ... [but] that company came to us and worked with us. In the end, they didn't actually suffer any reputation harm and the offender was recently sentenced to three years jail."

He said that the AFP was even willing to chat about how it could help or provide advice, hinting that businesses didn't necessarily have to disclose all their secrets.

"If you've got some hypotheticals or some things you want to throw around, [we're] more than happy to interact over email."

He did admit, however, that even within AFP, it was sometimes difficult for people to take online crimes seriously, with businesses sometimes being turned away when they called up to report a crime. He advised businesses to persevere when this occurs, stating that there is always someone that businesses can turn to. In AFP's case, it always has someone on-call to deal with online crimes, but failing that, the state police can also get involved.

"Essentially, any cybercrime — an unauthorised access, modification or impairment — is pretty much a Commonwealth offence and we can investigate it from AFP's perspective. We don't, because we don't investigate everything; we don't have the capability, and individuals or small businesses may well come under the purview of the state police."

Although Marden said that the AFP tends to deal with crimes that affect the national interest, he said that, if in doubt, businesses should contact both state and federal police.

"We work together in this space. It's not like how you see in the movies where the federal or the state come in and try and take it off each other. We actually work very, very cooperatively. The main thing is [to] report it, and then we'll work out how to deal with it between us."

Cooperation with law enforcement organisations in other countries is also an important task for the AFP, due to legislation hampering AFP's efforts to prosecute a criminal in another country. To stop a US-based hacker from attacking Australians, it is often more beneficial for the AFP to hand the case off to US law enforcement, with information that will result in prosecution under US laws.

The AFP's other option is to go through a full mutual legal assistance process, but that can take up to two years, far longer than the three months the AFP has to ready its full brief if it is to make an arrest.

"In cybercrime, that's no good, so we don't generally pursue that mutual legal assistance [route]. It just doesn't work, hence, we will actually work police to police, investigate the crime, work out what happened, and then decide who is going to end up prosecuting that matter."
