In February, when the Office of the Australian Information Commissioner (OAIC) released its final report on Notifiable Data Breaches for 2018, it revealed a frightening sense of déjà vu. After almost a full year of reported breaches, it found enterprise data security in Australian businesses is still seriously wanting. In the last quarter of 2018, the number of data breaches suffered by Australian companies jumped 7% to 262, with malicious criminal attacks, human error, and system faults leading the way.
In all, OAIC received 168 notifications of malicious or criminal attack, stemming from phishing and brute-force attacks using compromised usernames and passwords. There were 85 notifications of human error, which was blamed for unauthorised disclosures of personal information, emailing personal information to the wrong recipient, and insecure disposal of personal information. There were also nine system errors.
While the majority of these breaches were small in scale, the largest breach reported to OAIC affected between one million and 10 million people. And another breach compromised the data of up to 500,000 people.
Enterprise data security controls
Maximising customer convenience and optimising employee productivity at the same time as ensuring sophisticated security protocols are followed is a fine balancing act. But, in 2019, it’s a fundamental business requirement. A relaxed attitude to enterprise data security is a significant business risk.
With the rapid growth of enterprise mobility and of cloud-based applications and services, businesses without the right enterprise data security measures in place become prime targets for advanced attacks.
In fact, upon the release of the latest data by OAIC, Angelene Falk, Australian Information Commissioner and Privacy Commissioner, reiterated the need to prioritise enterprise data security. She said that any organisation entrusted with people’s personal information needs to make preventing data breaches and improving cybersecurity a primary concern.
It’s important for IT professionals to understand the value and effectiveness of the right enterprise data security technology for their businesses. Modern authentication solutions provide the means to secure the enterprise while enabling customers, partners and employees to access whatever they need, whenever they need it.
Part of a security culture involves bolstering employee awareness of cyber security issues and threats. It’s vital to help employees identify common tricks used by cyber criminals to steal usernames and passwords.
Regulatory action for non-compliance
As a word of warning, Falk reminded businesses that regulatory action can be taken in cases of non-compliance with data breach notification obligations. And with the healthcare sector having the ignominious honour of leading the way on data breaches, there is a real and urgent need to prioritise data security to avoid hefty penalties, and severe reputational damage.
As one of the most vulnerable sectors when it comes to cybersecurity, it’s true that the health sector faces a unique challenge of providing accessibility to patient records to support a patient-centric approach while beefing up data security.
Yet this must be done. Of the 812 breaches reported in 2018, 163 came from private health service providers. In the last quarter alone, private health service providers accounted for over one fifth of all breaches. Given the very nature of health information, it is more likely to result in serious harm for affected individuals when exposed to unauthorised access.
Incidentally, the financial and superannuation industry was also widely compromised, with 40 separate attacks, while legal, accounting and management services and education organisations reported 23 and 21 incidents, respectively.
Managing human error
As cyberattacks continue to grow both in frequency and sophistication, businesses need to allocate sufficient funds to cover security protection measures in line with their risk profile.
Organisations can reduce the risk of data breaches by instigating appropriate cyber security awareness programs for all employees and upgrading internal protocols for handling data. Training needs to educate employees on how to recognise potential threats, and adopt responsible data protection behaviour.
While employees may feel burdened by having to periodically reset passwords to reduce the ongoing risk of credential compromise, this is a basic security requirement that needs to be enforced.
Likewise, you need to follow best practices for password length and complexity requirements to mitigate the risk of successful brute-force attacks. It’s also important to ensure employees know the dangers of reusing the same password across critical services.
Of course, for all remote access to business systems, it’s essential to use multi-factor authentication for all users. And, at all times, ensure operating systems, browsers and plugins are fully up to date with current patches and fixes.
In our increasingly mobile world, the only secure path forward involves taking a comprehensive approach to security. You need to put identity governance at the centre, ensuring visibility and governance over all users and their access to all devices, applications and data.
With OAIC expected to take a more active approach to compliance with the NDB Scheme in the future, all businesses need to ensure they have robust and tested procedures in place to respond to a data breach and avoid attracting the attention of the regulator. Taking practical measures to prevent a breach is important, for example:
- Identify where sensitive personal data resides
- Minimise the number of locations housing sensitive data
- Leverage encryption and encryption key management to establish data confidentiality and integrity
- Control access to sensitive data with multi-factor authentication
- Implement rigid policy controls, and ensure all staff are adequately trained and tested
With the ongoing mix of human error and malicious attacks being the source of data breaches in Australia, it’s time to implement and test your data breach response plan.