Australian businesses need to do more to stem data breaches
Overseas, the cost of the data breach at credit-reference agency Equifax is still rising, having already surpassed $439 million. With more costs to come, it’s highly likely this data breach will go down as the biggest in corporate history.
At Equifax, the massive breach of personal information appears to stem from a litany of errors inside the company: a failure to use well-known security best practices combined with sub-optimal internal controls.
Routine data security failings
In particular, some of the routine data security failings include:
- Not employing adequate encryption
- Not addressing known IT vulnerabilities
- Not keeping software up to date
- Not undertaking adequate system scans
- Not performing routine security reviews.
It also seems the company was not following its own security standards. For example, the company's own cryptography standards specifically require passwords to be stored in encrypted, hashed, masked, tokenised or other approved form. Yet Equifax appeared not to have been doing so.
While the size of the Equifax data breach far exceeds what could occur on these shores, it still provides lessons for all organisations, particularly in the area of mobile data security policies.
Learning to stem data breaches
While it is absolutely essential to have robust mobile data security policies in place, it’s only the first step. It’s important to remember that a policy is only effective if properly communicated to all employees and uniformly enforced across the business.
This means providing training, where necessary, on your mobile data security policies and ensuring your employees understand both how to comply with the policy and the consequences of breaching it.
So, have Australian businesses taken these learnings onboard in how they are managing and enhancing their own data security?
Not according to the latest Notifiable Data Breaches (NDB) report from the Office of the Australian Information Commissioner (OAIC).
Notifiable Data Breaches (NDB) report
In fact, high levels of data breach notifications are ongoing, suggesting there is much work to be done. During the second full quarter of the scheme’s operation, the number of notifications received by the commissioner edged higher to 245, compared with 243 in the first quarter, with the following five sectors reporting the highest number of breaches.
| Top 5 industry sectors | Data breaches received |
| --- | --- |
| Health service providers | 45 |
| Finance (incl. superannuation) | 35 |
| Legal, accounting & management services | 34 |
| Education | 16 |
| Personal services | 13 |
In a statement on the OAIC’s website, Australian Information Commissioner and Privacy Commissioner Angelene Falk reiterated the need for ongoing improvements in how businesses identify and prevent data breaches.
“Everyone who handles personal information in their work needs to understand how data breaches can occur so we can work together to prevent them. Organisations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day.”
Suspicious emails or texts
She also added that businesses need to be on the alert for suspicious emails or texts. In all, 20% of NDBs in Australia for the three months between July and September were the result of phishing. It seems that lawyers, accountants and management consultants are magnets for these attacks: not only did these professions bear the brunt of phishing attacks in Australia, they were also hit by the highest number of cyber attacks.
Interestingly, when looking at the cost of a breach, a study from Cisco suggests it’s sky high in Australia. According to the Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, 52% of businesses surveyed indicated that an attack costs between USD$1 million and USD$5 million.
Remember, the only way to avoid the fallout of a data breach is to prevent it from happening in the first place. Take these key learnings from the Equifax data breach to ensure you are following best practices:
- Employ adequate encryption
- Actively address known IT vulnerabilities
- Ensure software is up to date
- Undertake adequate system scans
- Perform routine security reviews.
Assess your risk
Don’t become another statistic in OAIC’s next quarterly report. Download our data risk calculator to assess data risk in your organisation. Contact us to find out more on how you can enhance security threat defence policies, procedures, and security technologies to mitigate your data security risk.