Out of 245 data breaches reported between 1 April and 30 June, almost one-third were the result of human error, with almost two-thirds coming from malicious or criminal attacks.
Those are the disturbing findings in the Office of the Australian Information Commissioner’s most recent Notifiable Data Breaches Quarterly Statistics Report.
With system faults accounting for a mere 4% of data breaches between April and June, the truth is that 96% of these data breaches could have been negated by strong security measures and staff training.
What is a ‘notifiable data breach’?
The Notifiable Data Breaches (NDB) scheme was set up in February 2018. All organisations or agencies covered by the 1988 Privacy Act must inform affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to cause serious harm to someone whose personal information has been breached.
Organisations and agencies include government agencies, businesses and non-profit organisations with an annual turnover of $3 million or more, health service providers and credit reporting authorities.
Personal information involved in data breaches included contact information, financial details, identity information and health information.
Breaches resulting from human error
Human error was responsible for 34% of reported breaches between April and June. Human error includes such incidents as:
- Using ‘cc’ instead of ‘bcc’ when sending an email, therefore revealing an organisation’s entire mailing list to customers or other stakeholders. Someone wishing to remain unknown now have potentially dozens of strangers knowing their name and email address.
- Disposing of personal information in a way that could lead to its unauthorised disclosure. This includes things like throwing customer records into a public rubbish bin instead of using a secure document disposal bin.
- Unauthorised verbal disclosure of information, for example commenting on it in a public place, such as a waiting room. Or inadvertently sending information to Person B instead of Person A.
Breaches resulting from malicious or criminal attack
Criminal attacks are deliberate attacks on an organisation’s systems generally for financial gain. These were responsible for 62% of reported breaches between April and June.
Of these breaches, 69.5% involved phishing, malware or ransomware, brute-force attacks (the use of automated software to guess passwords) or compromised or stolen credentials.
So while criminal attacks can be attributed to ‘bad guys’, many of the reported incidents revealed a human factor – for example employees clicking on a phishing email.
Indeed 78% were due to the compromised credentials of a user being used to gain access to information.
What can organisations do?
When it comes to potential data breaches, it all comes down to awareness and education. Important things to remember include:
- Usernames and passwords are prime targets Strong passwords and, in particular, using two-factor authentication will mitigate the risk of cyberattack.
- The dark web can help Dark web monitoring can be used to alert an organisation if a user’s details appear on the dark web.
- Employee awareness matters Regular staff training will ensure employees are aware of the risks involved in not only cyberattack but in terms of their own careful handling of data.
- Be aware of internal threats While the majority of employees are honest, it only takes one rogue employee to make an organisation vulnerable. Between April and June, 8% of data breaches resulted from rogue employees and insider threats. How does your organisation monitor its staff? Do you know what information your employees have access to right now?
Remember, most of the data breaches between April and June could have been avoided if people had paid attention and had the right procedures in place to handle confidential information.
How can we help?
Unsure about your organisation’s security after reading about the frequency of data breaches in Australia? Have a chat with us and see how we can help.