As the number of mobile cybersecurity incidents continues to increase, it’s clear many organisations are failing to protect their mobile assets, even though mobile devices are prone (and potentially more vulnerable) to many of the same attacks as other devices. In fact, mobile users are magnets for phishing attacks, malicious apps and rogue wireless hotspots.
This should come as no surprise to anyone. Yet, every week, another company has to notify its customers (or employees) that their data may have been compromised, and personal information may have been affected. These data breaches have the potential to inflict serious harm on your customers and employees.
While you would think all businesses would have been hardening their mobile cybersecurity defences for years, it seems many organisations, large and small, still have some way to go. Optimising mobile cybersecurity measures must be a priority for all businesses wanting to minimise the potential of becoming a victim of malicious attacks or to avoid common mistakes stemming from human error.
Financial consequences of poor mobile cybersecurity
According to the Ponemon Institute, the average cost of a data breach per compromised record varies depending on the cause:
- US$157 per record compromised due to a malicious attack
- US$131 per record compromised due to a system glitch
- US$128 per record compromised due to human error.
While this doesn’t look too scary at first glance, when you multiply this out by 500, 1,000 or even 10,000 records, the immediate cost of a data breach quickly adds up to a significant sum. Plus, the reputational damage to your business can be long-lasting.
Legal consequences of poor mobile cybersecurity
In addition, beyond the costs of detection, containment, and reporting, there can be significant legal ramifications.
Along with the Office of the Australian Information Commissioner, you may have to report such a breach to the Australian Cyber Security Centre, the Federal Police, the ATO and ASIC.
And while the OAIC has yet to slam major financial penalties on businesses suffering the consequences of a mobile cybersecurity breach, experts say this is just a matter of time.
It’s also interesting to have a look at some cases closer to home. There’s an ever-growing list of businesses – of all sizes, across many industries – that have notified the commissioner of serious data fails.
Here’s a round-up of just some of the home-grown data breaches that have impacted thousands of people here in Australia.
Among the first organisations to notify the Office of the Australian Information Commissioner of a data breach, shipping company Svitzer Australia revealed the personal information of half of its employees was leaked outside the company.
Up to 60,000 emails from three accounts in finance, payroll and operations were secretly auto-forwarded to two external accounts between 27 May 2017 and 1 March 2018.
Impacting more than 400 employees at the shipping company, the emails contained information on employees including tax file numbers, next of kin details, and superannuation account information.
Melbourne-based PageUp People is a talent management and HR software business which provides sensitive HR technology services to some of Australia’s biggest organisations. This firm found out the hard way how to deal with a cyber security breach.
In June, the company was forced to alert clients, including Commonwealth Bank, ANZ, Telstra, Coles, Target, Reserve Bank of Australia, Medibank, Aldi, Linfox, and Australia Post, that their data may have been compromised following a malware infection the previous month. An unknown attacker used the compromise to access the personal details of job applicants as well as the usernames and passwords of PageUp employees.
While I’m not aware of how many client records were compromised, many clients temporarily closed their PageUp-supported careers pages. Others switched providers altogether.
This breach serves as a reminder to all businesses of the enormous ripple-on effects security failures at a software-as-a-service provider could have on its clients.
In November, Australian shipbuilder Austal, which builds patrol vessels and frigates for the Australian Navy, reported it had been the subject of a cyber security breach and extortion attempt. In this case, its Australian data management system had been targeted by an “unknown offender”, who accessed staff email addresses and mobile phone numbers. The hackers also accessed drawings and designs of its ships.
The offender then tried to sell some of the stolen data online and engage in extortion. This breach triggered an investigation by the Australian Cyber Security Centre which is ongoing.
Aviation ID Australia
NSW-based Aviation ID Australia, which issues Aviation Security Identity Cards (ASICs) that help prevent unauthorised people from accessing restricted airport zones, was itself hacked in July.
The company sent out an email to people applying for, or renewing, ASICs advising that a section of the company’s website had been intentionally accessed by an unauthorised entity.
In this case, which became the subject of an Australian Federal Police investigation, the type of personal information that may have been breached includes name, street address, birth certificate number, driver’s licence number, Medicare card number and ASIC number.
In Tasmania, a luxury hotel and casino group had to notify guests that their personal information may have been accessed by a third party. Federal Group – which operates the Saffire Freycinet and the Henry Jones Art Hotel – urged guests to delete emails from the company without opening them after hackers compromised a third-party email distribution service, sending spam emails to customers. Affected data sets included names, email and physical addresses, and telephone numbers.
News Corp Australia
In December, News Corp Australia found itself in the full glare of the media spotlight after a staff member inadvertently sent a confidential email to 157 employees.
That email shared details of redundancy payouts and salaries relating to some of the firm’s senior staff. While the breach was put down to human error, this case highlights the enormous damage that can be done without rigorous security protocols for handling sensitive data.
Time to ramp up mobile cybersecurity practices
As a matter of urgency, all businesses must get serious about incorporating mobile cybersecurity practices into their operations. Whether you’re the CEO, CIO, or COO, it’s important to understand where your business’s vulnerabilities lie and how you can protect your company, your customer data and your employees.