Notifiable Data Breaches – are they increasing?
The Office of the Australian Information Commissioner (OAIC) released its latest statistics on notifiable data breaches covering the period from January to June 2020. Interestingly, this report showed a 3% decrease in the number of breaches in this period, compared to the previous report covering July to December 2019. By all accounts, the pandemic seems to have had no significant effect on the number of breaches that were reported, even though the volume of phishing attacks and criminal cyber activity purportedly skyrocketed.
What the latest OAIC Data Breach Report tells us
The OAIC’s latest report provides a solid comparison to the previous reporting period, showing the number of malicious criminal attacks had dropped by 7%, while the number of human error related breaches went up by the same value (7%). In total, organisations notified the OAIC 518 times during January to June 2020, and while down from the previous period, this number was up by 16% on the same quarter in 2019. Overall, malicious or criminal attacks (inclusive of cyber incidents) were the leading cause of breaches, totalling 61% of all notifications, while breaches resulting from human error made up much of the rest (34%). Healthcare was the worst hit sector (22%), followed by finance (14%), and in most cases breaches affected fewer than 100 individuals, which is a consistent finding of all preceding reports.
High level findings
The question is, what does this tell us? Does it help us make better security investment decisions? Does it highlight what activities we should focus on within our own organisations to improve our security posture and better manage information risk? The problem is that every organisation is different, and individual circumstances account for much of the nuance in decision making. So while these statistics show us at a high level that healthcare organisations are more of a target than some other sectors, it’s more likely that this is because many healthcare organisations are underfunded and stuck with old technology systems, so a breach is easier to carry out and personal patient data is easier to acquire.
What about the pandemic and its effect on cyber breaches? The statistics here might suggest that COVID-19 has not caused any rise in malicious cyberattacks; in fact this report shows an overall reduction of 7%. However, the 7% rise in human error related breaches shows that during this period of disruption, more mistakes were made by users, leading to breaches.
An ACSC report published in April 2020 shows a massive rise in phishing attacks, mostly themed around COVID-19, and using multiple mediums such as SMS and email to dupe victims into giving up their personal information or to steal credentials. Yet, cross referencing this with the OAIC’s report, it seems that the elevated threat from phishing didn’t have any effect on the number of successful breaches that were reported. How can this be? Were users better informed during the crisis, so they knew not to click on links and open malicious attachments? Or perhaps organisations were better placed to prevent serious harm occurring and so avoided the need to report the breach.
It’s likely there are many factors at play and a simple answer is impossible to hypothesise. The first point is that the OAIC’s report relies on organisations knowing they were breached and properly reporting all the facts. During the pandemic, it’s likely that in some organisations distracted IT teams were focused on shifting users into a remote working environment and could easily have missed a breach or successful cyberattack. Certainly, the fact that the volume of phishing campaigns rose would suggest a higher degree of success on the part of the criminals, especially with the underlying backstory of COVID-19 and people’s appetite for information relating to the virus’s spread, along with possible vaccines and cures.
The fact that breaches relating to human error rose during this period is no surprise at all. During times of mass disruption like the pandemic, people are generally distracted, unsure of how to operate and going through struggles in their personal lives, which means their normal levels of security awareness were likely affected.
One thing is for certain, malicious actors are still the number one cause of data breaches, so nothing has changed in terms of ensuring key security controls are in place and operating effectively. Security operations teams must remain vigilant and organisations should continue to raise cyber security awareness across their workforces.
Fend off cyber attackers with the Essential Eight
The OAIC report demonstrates that the overall focus of Australian cyber defences doesn’t need an overhaul. Organisations may want to adopt a broader emphasis on security awareness training, but most should be doing this anyway, so all that’s needed is raising awareness about COVID-19 related phishing. Since malicious cyber-attacks are the most likely cause of a breach, the best approach is to use the ACSC’s Essential Eight Strategies to Mitigate Cyber Security Incidents and ensure all eight controls are fully implemented across your business and monitored for ongoing compliance. With these eight controls, ACSC suggests that organisations can fend off around 85% of targeted attacks, so the impact on these notifiable data breach numbers would be significant if all Australian organisations moved to implement them.
ACSC Essential Eight Security Controls
Continuous monitoring of security control performance
The most important consideration when you implement the Essential Eight security controls is ensuring you monitor their compliance to a chosen benchmark. Huntsman Security’s Essential 8 Auditor provides a full point in time assessment of your compliance against the Essential Eight Cyber Maturity Framework, reporting in such a way that external auditors can see exactly how aligned you are to ACSC’s recommendations.
Huntsman Security also provides a technology platform, the Essential 8 Scorecard, that delivers ongoing, real-time assessment of compliance to the Essential Eight. This means your internal teams can instantly see when a control drifts off the required security target. The solution continuously measures the effectiveness of your organisation’s controls against the Essential Eight Framework and displays the results on dashboards designed to communicate with the IT and Security Operations teams. It also produces and distributes regular reports to designated stakeholders across the business – providing visibility of the organisation’s current security and risk status.
Avoid becoming a Notifiable Data Breach statistic
Staying focused on building and maintaining cyber resilience is important, and it is worth pointing out that COVID-19 has not required any changes to the existing recommended technical security controls. By using the Essential Eight Framework as the baseline security target you achieve and maintain, you minimise the risk of your organisation becoming yet another statistic in an OAIC Notifiable Data Breach Report.