The Office of the Australian Information Commissioner (OAIC) released a report after the end of March this year to summarise the results of their findings since the inception of mandatory breach notification (Notifiable Data Breach – NDB) in February 2018.
Here is the link to the data breach report: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-scheme-12-month-insights-report
The findings are very interesting as Australian organisations come to terms with regulations around cyber data breaches.
As a security consultant who has been working with organisations on cybersecurity since the early days of the internet, below are some key takeaways from the report:
- 964 eligible data breaches were notified to the OAIC in this period
- This is a 712% increase in notifications from the previous year, pre-NDB
- The majority (60%) were due to malicious intent
- 35% of the reported breaches were due to human error
- Australian organisations are woefully unprepared to deal with this risk
Some Australian organisations are woefully undefended and unprepared for being targeted by organised criminals who make a profit from stealing people’s personal details.
The key things that are missing, or not good enough, are:
- Organisational understanding of employee cyber risk culture
- Security awareness training
- Board, executive leadership, and risk committee understanding of the gravity of the issue
- Incident response planning and testing
Also, to those organisations that tell me they have the best firewalls and the best endpoint security, look at the stats above: 35% of reported eligible breaches are the result of human error! 60% of the breaches are due to malicious intent.
Organised criminals are coming after the data that you hold. They are committed and they will get in.
CTRL Group have a 100% success rate for paid red-teaming and capture-the-flag exercises for our clients. Some other advice for the NDB:
- Profile your cyber risks into a register
- Prepare for the worst – cyber incident response planning
- Integrate your cyber incident response plan with your crisis management and crisis communications plans; you may find there is not too much work to do
- Escalate concerns and strategy to the highest levels of management; seek their support and sponsorship
- Embark on an advanced cybersecurity awareness program
- Build/modify your response plans and TEST THEM! Your plans are only as good as their last test
- Consider cyber insurance as good cyber insurers have incident response capabilities built into their policies
- Have experts monitor your security; a third-party security operations centre will greatly improve your peace of mind
The CTRL Group team are always available to have a chat and discuss how our services can help your organisation.