NDB notifications grew 19% in 2H19

Businesses reported 19% more data breaches under the Notifiable Data Breach scheme in the second half of 2019 compared to the first, according to the Office of the Australian Information Commissioner.

The number of data breaches reported during the half-year period reached 537, with malicious or criminal attacks accounting for 64% of these.

Phishing remains one of the most popular attack vectors, accounting for at least 15% of the breaches during the reporting period.

According to Australian Information Commissioner and Privacy Commissioner Angelene Falk, emails were also involved in a further 9% of breaches, which involved accidentally sending personal information to the wrong recipient. This was the most common cause among the 32% of data breaches involving human error.

“Email accounts are also being used to store sensitive personal information, where it may be accessed by malicious third parties who breach these accounts,” Falk said.

“Organisations should consider additional security controls when emailing sensitive personal information, such as password-protected or encrypted files. This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box.”

The remaining 4% of breaches reported under the scheme were traced to system faults.

The majority of data breaches (77%) during the period involved contact information including home addresses, phone numbers and email addresses. Almost a third of breaches meanwhile involved identity information such as passport or driver’s licence numbers.

Most data breaches involved information on 100 or fewer individuals (60%), with 40% affecting 1–10 individuals.

But 17 breaches affected more than 50,000 individuals, with three involving more than 1 million (although this was the estimated total number of victims worldwide, not just in Australia).

SailPoint VP for APJ Terry Burgess said Australian organisations are now on average reporting 90 breaches per month.

The healthcare sector remained the leading source of NDBs over the period, accounting for an estimated 22% of all breaches. This was followed by the finance sector (14%) and the education sector (9%).

But the report found that a higher than average proportion of breaches in the healthcare sector (42%) were attributable to human error.

Tenable VP for APAC Gary Jackson said the high number of breaches impacting the sector nevertheless shows that it has a target on its back, particularly as a result of the rollout of the My Health Record system.

“But in reality any industry that is using personal data to drive innovation and collaboration is likely to be targeted as criminals look for weaknesses across rapidly expanding attack surfaces,” he said.

Sophos MD for ANZ John Donovan noted that healthcare’s continued presence as the top affected sector demonstrates the need for radical changes to the industry’s approach to cybersecurity.

“Firstly, the industry must invest in the right cybersecurity technology to ensure it has the ability to thwart any malicious or criminal attacks,” he said.

“Additionally, healthcare professionals must increase their understanding of cybersecurity. Alarmingly, 44% of the sector’s data breaches were a result of human error, indicating more training and awareness must be done to develop a more cyber-aware culture.

LogMeIn VP for APJ Lindsay Brown added that the statistics show that passwords and credentials continue to be mismanaged in the workplace.

“What’s most concerning is the vast majority of cyber incidents (74%) reported by the top five industry sectors are linked to phishing or compromised credentials,” Brown said.

“Evidently, the threat to the digital landscape continues to worsen and organisations must be keenly aware of the importance of their employees using strong credentials. The figures are hard-hitting facts that business leaders need to take into account when educating employees on the importance of appropriate security hygiene and establish requirements such as minimum length and complexity for items like passwords.”

WatchGuard Technologies ANZ Regional Director Mark Sinclair said businesses should adopt multifactor authentication as a standard security protocol.

SailPoint’s Burgess added that business leaders must also respond to the growing threat by investing in security defences and staff education.

“Ultimately, good policy and future investments in cybersecurity are contingent upon business leaders having a clear picture of the risks to make informed decisions,” he said. “As threats are increasing, business leaders need to put effort into continuously improving their companies’ cybersecurity postures to reduce the possibility of becoming a statistic.”

Ecosystm Principal Advisor for Cyber Security Alex Woerndle agreed, stating that businesses should take the new year to examine their overall IT environment.

“While no single defence can protect completely, today’s IT security tool box should include firewalls and antivirus software through to network intrusion and advanced persistent threat tools, incident response planning, cloud security solutions and comprehensive awareness training for all staff,” he said.

“By taking a comprehensive and multi-layered approach to security, organisations can reduce the likelihood they will fall victim to malware attacks, data breaches and avoid the disruptive and potentially costly problems they can cause.”

Image credit: ©stock.adobe.com/au/ArtemSam