A little over a year after Australia’s Notifiable Data Breaches (NDB) legislation came into force, human error has been found to be the key reason data breaches occur, according to a new report from the Office of the Australian Information Commissioner (OAIC).
The Office of the Australian Information Commissioner’s (OAIC) first annual report on the notifiable data breaches (NDB) scheme shows it received 964 notifications from 1 April 2018 to 31 March 2019, a 712% increase on the previous voluntary scheme.
While malicious or criminal attacks were the main data breach sources in the scheme’s first year, at 60%, Gerry Power, head of sales at cyber specialist underwriting agency Emergence Insurance, said many of those incidents exploited human vulnerabilities, such as clicking on attachments to fake emails or inadvertently disclosing passwords.
“This report highlights cyber risk’s magnitude and emphasises the need for employers to educate their employees,” he said.
Phishing (when a target is contacted by email or text by someone posing as a legitimate institution to lure people into providing information) and spear phishing (using social engineering to impersonate a trusted contact to obtain information) were the most common and highly effective methods by which entities were compromised in the 12 months.
OAIC said phishing attack techniques continue to evolve, making phishing emails increasingly difficult to detect without “sustained, focused user education”.
In 28% of cases, the notifying entity was unaware of how credentials were obtained, because it had detected no phishing-based compromise. A likely source is “credential stuffing”, a technique in which criminals replay usernames and passwords from earlier breaches that have been leaked or posted online, relying on people reusing the same password across services.
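Credential stuffing explains why an entity can see only what looks like an ordinary successful login and still not know how the password was obtained: the attacker already holds a valid credential, so nothing on the victim account itself looks wrong. The signal is on the source side, where one client tries many different accounts with a low success rate. The following is an added example (not code from the OAIC report or from Emergence) that parses a constructed, hypothetical authentication log and flags sources showing that pattern while leaving a single user who mistyped their own password alone. The log format, thresholds and IP addresses are assumptions for the demonstration.

```python
"""Flag credential-stuffing patterns in an authentication log.

Added illustration with constructed data; the log format and thresholds
are assumptions, not any real product's or regulator's format.
"""
import re
from collections import defaultdict

# Constructed sample lines: "<timestamp> <source-ip> <username> <FAIL|SUCCESS>".
# 203.0.113.7 tries six different accounts and gets one in (stuffing);
# 198.51.100.20 is one person failing twice on their own account.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 203.0.113.7 alice FAIL
2019-03-01T10:00:02Z 203.0.113.7 bob FAIL
2019-03-01T10:00:02Z 203.0.113.7 carol FAIL
2019-03-01T10:00:03Z 203.0.113.7 dave SUCCESS
2019-03-01T10:00:03Z 203.0.113.7 erin FAIL
2019-03-01T10:00:04Z 203.0.113.7 frank FAIL
2019-03-01T10:01:10Z 198.51.100.20 grace FAIL
2019-03-01T10:01:25Z 198.51.100.20 grace FAIL
2019-03-01T10:01:40Z 198.51.100.20 grace SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append({"ts": ts, "src": src, "user": user,
                           "ok": result == "SUCCESS"})
    return events


def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.5):
    """Return sources that hit many distinct accounts with a low success rate.

    The thresholds are assumed values for the example; a real deployment
    would tune them per application and time window.
    """
    by_src = defaultdict(lambda: {"users": set(), "succeeded": set(),
                                  "attempts": 0, "successes": 0})
    for e in events:
        s = by_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["successes"] += 1
            s["succeeded"].add(e["user"])  # accounts now presumed compromised

    flagged = {}
    for src, s in by_src.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "success_rate": round(rate, 2),
                # These are the logins that looked legitimate on the account
                # side; they are the ones to reset and review first.
                "compromised": sorted(s["succeeded"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The rule deliberately keys on the source rather than the account: per-account lockout thresholds do not trip when each account sees only one attempt, which is exactly how a replayed breach list behaves. The one successful login in the flagged source's batch is the account to reset first, since on its own it would have passed as a normal login.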
While 35% of data breaches across all sectors involved human error, such as unintended information disclosures or lost data storage devices, the figure was 55% in the health sector and 41% in finance.
OAIC said entities should understand their data holdings and proactively contemplate mitigation steps to “genuinely protect consumers from further harm” when breaches occurred.
Power said: “People keep finding new ways to make mistakes, but staff education can materially reduce the potential for data breaches.”
Emergence plays a role through conducting in-house education sessions, online webinars, and a social media program to educate brokers and their clients about the need for diligence and risk management to avoid data breaches and cyber attacks.
The high rate of notifications highlights the need for cyber insurance. “Emergence’s cyber policy gives insureds 24/7/365 access to an Australian-based incident response team of experts who understand the importance of immediately mitigating potential threats to insureds’ businesses,” Power said.
Emergence’s policy covers reporting data breaches to OAIC, any subsequent regulatory investigations, costs associated with communicating data breaches to affected individuals, and any fines imposed by the regulator.
An enhanced wording, introduced this month, expands coverage to include social engineering thefts and cryptojacking.
Commissioner Angelene Falk said OAIC, over the next year, would “take a proportionate, evidence-based regulatory approach to the NDB scheme, including exercising enforcement powers, where necessary”.
Power said a cyber insurance policy was part of every successful business’s risk management framework and could assist with recovering from hack attacks or data breach incidents.
“Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack,” he said.