The Office of the Australian Information Commissioner (OAIC) recently released their bi-annual Notifiable Data Breaches Report: July–December 2020. The key finding: human error is a major —and growing— source of breaches. It is also a dominant theme in many malicious or criminal attacks, which as a whole remain the leading source of breaches.
Key findings on data breach trends over the 6-month period
The OAIC’s key findings for July to December 2020 were reported as follows:
- 539 breaches were notified under the scheme, an increase of 5% from the 512 notifications received from January to June 2020.
- Malicious or criminal attacks (including cyber incidents) remain the leading source of data breaches, accounting for 58% of notifications.
- Data breaches resulting from human error accounted for 38% of notifications, up 18% from 173 notifications to 204.
- The health sector remains the highest reporting industry sector, notifying 23% of all breaches, followed by finance, which notified 15% of all breaches.
- The Australian Government entered the top 5 industry sectors to notify data breaches for the first time, notifying 6% of all breaches.
- 68% of data breaches affected 100 individuals or fewer.
- 78% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.
Threat vectors and incident analysis highlights
Malicious or criminal attacks are the largest source of data breaches and accounted for 310 or 58% of breach notifications in this time period. They are deliberately crafted to exploit known vulnerabilities for financial or other gain. Examples of a malicious attack include external threats: phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices. They also include actions taken by a malicious employee – also known as an insider threat.
Human error continues to be a growing, major source of breaches, accounting for 204 notifications or 38%, up from 173 notifications in the previous period. Also of note, during this time period human error breaches increased both in terms of the total number of notifications received (up 18% to 204) and proportionally (up from 34% to 38%). Simple mistakes marked the top 6 incidents involved in a human error breach, including:
- Personal Information (PI) sent to wrong recipient (email) (92)
- Unauthorised disclosure (unintended release or publication)
- Failure to use BCC when sending email
- PI sent to wrong recipient (mail)
- PI sent to wrong recipient (other)
- Unauthorised disclosure (failure to redact)
Industries Impacted the Most
While data breaches impact all industries, the report indicates the top 5 industries with the most notifications from July to December 2020 as:
- Health service providers
- Finance (incl. superannuation)
- Legal, accounting & management services
- Australian Government
It’s important to note these same industries ranked the same for Malicious or Criminal attacks. It’s not surprising, since the value of the data each of this industries holds (Intellectual property (IP), financial information, personal information, trade and military secretes, etc.) makes them an attractive target for malicious outsiders like hackers and nation-states, as well as rogue insiders looking for personal and financial gain.
How can you protect your organisation’s critical data?
In a nutshell—trust no one. That’s why technologies that empower Zero Trust methodologies are becoming the gold standard for cybersecurity. Zero trust dictates that organizations should not automatically trust anything – inside or outside – its perimeters. Instead, verify anyone and everything trying to connect to your systems before granting access. Zero trust is traditionally associated with access to your networks and applications, but it doesn’t take into consideration what authenticated users can do with the data within the application once access is granted.
That’s where archTIS’s solutions differ. They offer data-centric zero trust model that evaluates each file’s attributes including security classification, organisation and country releasability, as well as the users’ attributes, date, time, locations, etc. to determine who is able access, edit, download and share the file. Using attribute–based access control (ABAC) and sharing polices offers more complete and effective control over information to ensure human error is no longer part of the breach risk equation.
Learn more about our data security solutions and the advantages of ABAC driven information protection:
Kojensi is a highly secure and trusted platform for sharing sensitive, classified and top secret files and document collaboration. It is accredited to provide multi-level, multi-coalition, and multi-domain collaboration on information classified up to TOP SECRET.
NC Protect is uses data and user attributes to automatically find, classify and secure unstructured data on-premises, in the cloud and in hybrid environments. The platform is fully integrated with Microsoft Office 365, SharePoint, Teams, Yammer, Dropbox and files shares to centrally secure your collaboration and data.