NDIS Cyber Security Compliance

What this means for you…

Cyber Security is an often neglected area in any sector, but particularly so in Disability Services.

According to Element Two of the NDIS Code of Conduct, NDIS providers both registered and unregistered( including sole traders) are required to “respect the privacy of people with a disability” – including comprehensive compliance with the Commonwealth Privacy Act 1988 and State and Territory privacy laws.

With the increase in hacking, phishing and scamming, the NDIA has released a guideline for Registered Service Providers, SMEs and Sole Traders to better protect Participant’s data. Many Sole Traders don’t realise that they are obligated under the NDIS Practice Standards to safeguard a Participant’s privacy; including electronic transit and storage, along with securing any devices from which sensitive information may be sent.

This can best be broken down into three main areas of concern:

Endpoint Protection:

Sole Traders and Small Businesses are required to secure their devices from possible incursions by a third party. This is generally achieved by either a software (Layer 7) or hardware firewall, anti-virus protection, and the implementation of best practices pertaining to the opening of data from untrusted sources.

It has been my experience that most sole traders and small businesses simply don’t have the budget for expensive cyber security audits by third parties. Thus I have developed a budget solution that will bring them into compliance. This is achieved using reliable and free software that I have used on my own devices for nearly two decades – in conjunction with Microsoft Office 365.

Transit Security:

The NDIS Cyber Compliance requirements stipulate that data in transit must be protected by adequate encryption, at a minimum TLS 1.2, but preferably TLS 1.3.

TLS, or Transport Layer Security, is a protocol designed to facilitate privacy and data security for communications over the Internet. The primary application of TLS is to encrypt communications between web applications and servers, such as web browsers sending data to and from a web application. Common examples of this are OneDrive, Google Docs and Dropbox – all of which use HTTP over TLS, commonly known as HTTPS, to protect data whilst in transit from the user’s computer to the data storage application.

I have a variety of free browser extensions that I can recommend that enforce HTTPS, but it is vital that any cloud-based file transfer/storage application utilises TLS 1.2 as a minimum to ensure NDIS cyber compliance.

Storage:

The NDIS has stipulated that storage must AES256 as a minimum. The Advanced Encryption Standard (AES) is a symmetric block cipher chosen by the Australian government to protect classified information located on storage devices, both local and remote (the Cloud). The 256 in AES256 demotes how many bits the encryption key uses to “hash” the text data into a cipher. Both Windows and OSX have local vault systems that use AES256 encryption, as do the cloud based solutions mentioned above.

Ring Andy on 0424 656 973 to book a 90-120 minute security audit for only $200.00*

I can help sole traders achieve compliance for a fraction of the cost of cyber security companies.

About Andy Taylor

I have worked in technology for over 38 years, starting my career as a touring audio engineer with many of Australia’s top acts. Progressing into corporate audio-visual, I became a Technical Director and Project Manager of many of Sydney’s premier corporate staging companies, specialising in IP based technologies, culminating in owning my own successful audio-visual staging company. After three decades in the industry, and after discovering that I have six damaged vertebrae, I liquidated my small warehouse full of equipment to focus on my parallel career in programming and web development, a secondary source of income since 1998.

About ten years ago, I moved into networking and completed certifications at the Associate and Professional levels in Cisco technologies, before moving into Offensive Security after completing Certified Ethical Hacker v9 (penetration testing/hacking), which remains an interest of mine. I worked in the Network Operations Centre of Cirrus, Australia’s largest Wireless Internet Service Provider (WISP) as a Level 3 Engineer and I have contracted to Defence and NSW Government Departments, before moving to the Gold Coast in 2017.

Qualifications

Bachelor I.T. (Network Security/Software Development)
Griffith University (currently completing)
CCENT – Cisco Certified Entry Level Technician
CCNA R+S – Cisco Certified Network Associate (Route + Switch)
CCNA Security – Cisco Certified Network Associate (Security)
CCDA – Cisco Certified Design Associate
CCNP SWITCH – Cisco Certified Professional
CCNP ROUTE – Cisco Certified Professional
CEHv9 – Certified Ethical Hacker (Version 9)
MTA Network – Microsoft Technology Associate Networking
MTA Security – Microsoft Technology Associate Network Security
MTA Windows – Microsoft Technology Associate Windows
AFCA – Adobe Flash 8 Certified Associate

Frequently Asked Questions

What is cyber security in everyday language?

In the digital age, businesses constantly transmit sensitive data across networks in the course of doing business. Cyber security describes the methodologies dedicated to protecting said information, and the systems used to transmit, process and store it

What are the main cyber security threats?

Ransomware, phishing, data leak, hacking, and insider threat.

What is a data breach?

A data breach occurs when sensitive or personal information is accessed, disclosed or exposed to unauthorised people. This may be by accident, or the result of a security breach. For example, when an email with personal information is sent to the wrong person, or a computer system is hacked and personal information is stolen.

Organisations collect and store many personal details. You trust them with details such as your address, phone number, identification documents, credit card number, health records and more.

If your information is involved in a data breach, the potential consequences can be far reaching. Depending on the information involved, a data breach may lead to the compromise of your online accounts, including banking. The information could also be used in targeted scams and to steal your identity.

Source: https://www.cyber.gov.au/threats/types-threats/data-breaches

Am I liable if there is a data breach?

Short answer, yes it’s possible – if you haven’t taken all necessary steps to secure your data in line with the NDIS Cyber Guidelines.

Do I have to notify participants and co-workers if there is a data breach?

According to the Privacy Act and the APP, a business that has experienced a data breach must notify the Office of the Australian Information Commissioner (OAIC) and their impacted customers when the breach occurs.

This is in line with the notifiable data breaches scheme.

As the scheme notes, the notification must include the details of your business, a description of the breach and the information that was exposed – as well as the steps being taken to minimise the impact of the breach.

Source: https://sprintlaw.com.au/articles/australian-law-data-breaches

If I implement the NDIS Cyber Requirements, will it guarantee the security of both my and my client’s data?

Short answer, no. There is no such thing as impervious security, hackers and scammers are extremely innovative and are constantly developing new exploits and methodologies to illicitly access people’s data. A good cyber security strategy will certainly mitigate your risk, but there is no such thing as impervious protection.

Is information collected by NDIS service providers consider Health Information under the Privacy Act?

The Privacy Act 1988 regulates the way individuals’ personal information is handled.

As an individual, the Privacy Act gives you greater control over the way that your personal information is handled. The Privacy Act allows you to:

know why your personal information is being collected, how it will be used and who it will be disclosed to
have the option of not identifying yourself, or of using a pseudonym in certain circumstances
ask for access to your personal information (including your health information)
stop receiving unwanted direct marketing
ask for your personal information that is incorrect to be corrected
make a complaint about an organisation or agency the Privacy Act covers, if you think they’ve mishandled your personal information.

Source: https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act/rights-and-responsibilities

Do you implement the "Essential Eight" with sole traders and SMEs?

The Essential Eight is more applicable to larger companies that have servers on site, however i recommend that any mitigation strategy is adopted to better secure both your endpoint devices (computers, mobile phones, tablets etc) and your client’s data.

For a detailed explanation on the Essential Eight please reference the ACSC.

Source: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-explained

Do you provide risk mitigation strategies for websites, and it is included in the cost of the audit?

Yes, as a web developer with 25 years of experience, I am fully versed with strategies to secure static websites and dynamic database-driven WordPress websites. I don’t audit other CMS platforms such as Joomla, but I can provide advice on how to find the information on plugins required to secure them.

Do you guarantee your work and accept liability for any successful intrusion post audit?

Due to the constantly evolving nature of cyber security, cyber security consultants do NOT offer a guarantee that your data won’t be compromised. However, I do take a lot of personal pride in the experience that I have accumulated over many years, and I strive to provide effective strategies that bring sole traders and SMEs into alignment with NDIS cyber guidelines. I require all of my clients to sign a waiver indemnifying me to this effect.

Will a software firewall protect me in different locations?

Yes, the firewall resides on your computer or other endpoint devices and, unlike hardware firewalls, will work on any network outside of your home or office network.

Do the anti-virus and firewall software automatically update to prevent new threats, or do I have to do it manually?

Yes, both of my recommended solutions are set up to keep their rules and heuristics up to date automatically, allowing you to focus on your work.

an SME audit is 3-4 hours and costs $500.00 – a hardware firewall is recommended at $995.00 using pfSense open source software.