The Office of the Australian Information Commissioner (OAIC) released a report shortly after the end of March this year summarising its findings since the inception of mandatory breach notification (the Notifiable Data Breaches scheme, NDB) in February 2018.
The findings are very interesting as Australian organisations come to terms with regulation around cyber privacy breaches.
As a security consultant who has been working with organisations on cyber security since the early days of the internet, I have some key takeaways from the report:
- 964 eligible data breaches were notified to the OAIC in this period
- This is a 712% increase in notifications from the previous year, when notification was still voluntary (pre-NDB)
- The majority (60%) were due to malicious intent
- 35% of the reported breaches were due to human error
- Australian organisations are woefully unprepared to deal with this risk
Everyone who knows me will agree that I bang on about cyber incident response planning and testing constantly. That is because the only way to reduce the damage of an inevitable cyber incident is to handle it well.
I have had many conversations with organisations that are focused on building castles to secure their customer data, and I haven’t had many satisfactory ones, even with organisations that hold my own sensitive data.
I will go as far as to say that Australian organisations are woefully undefended and unprepared for being targeted by organised criminals who make a profit from stealing people’s personal details.
The key things that are missing, or not good enough, are:
- Organisational understanding of employee cyber risk culture
- Security awareness training
- Board, executive leadership and risk committee understanding of the gravity of the issue
- Incident response planning and testing
Also, to those organisations that tell me they have the best firewalls and the best endpoint security: look at the stats above – 35% of reported eligible breaches were the result of human error, which no firewall or endpoint agent prevents, and 60% were due to malicious intent.
Organised criminals are coming after the data that you hold. They are committed and they will get in.
We have a 100% success rate for paid red-teaming and capture-the-flag exercises for our customers. If we can do it then so can the crooks. But also at any time Dave the IT guy can lose his laptop. (Sorry Daves.)
A bit of a rant, I know, but I am consistently frustrated, so here is some advice:
- Profile your cyber risks and record them in a risk register
- Prepare for the worst – cyber incident response planning
- Integrate your cyber incident response plan with your crisis management and crisis communications plans; you may find there is not too much work to do
- Escalate concerns and strategy to the highest levels of management; seek their support and sponsorship
- Embark on an advanced cyber security awareness program
- Build/modify your response plans and TEST THEM! Your plans are only as good as their last test
- If it is all a bit much, engage with consultants (like us). Also consider cyber insurance; all the good cyber insurers have incident response capabilities built in to their policies
- Have experts monitor your security; a third-party Security Operations Centre will greatly improve your peace of mind
Author: Fergus Brooks, CTRL Group Chief Risk