Human error is a key reason why data breaches occur.
The Office of the Australian Information Commissioner’s (OAIC) first annual report on the notifiable data breaches (NDB) scheme shows it received 964 notifications from 1 April 2018 to 31 March 2019, a 712% increase on the previous voluntary scheme.
While malicious or criminal attacks were the main data breach sources in the scheme’s first year, at 60%, Gerry Power, Head of Sales at Emergence Insurance, said many of those incidents exploited human vulnerabilities, such as clicking on attachments to fake emails or inadvertently disclosing passwords.
The report highlights the magnitude of cyber risk and emphasises the need for employers to educate their employees.
OAIC also released its January to March quarterly report. Below is a snapshot of the results. Emergence encourages brokers to distribute this to clients to alert them to the dangers of cyber risks.
OAIC’s annual report said phishing (when a target is contacted by email or text by someone posing as a legitimate institution to lure people into providing information) and spear phishing (using social engineering to impersonate a trusted contact to obtain information) were the most common and highly effective methods by which entities were compromised in the 12 months.
OAIC said phishing attack techniques continue to evolve, making phishing emails increasingly difficult to detect without “sustained, focused user education”.
In 28% of cases, the notifying entity was unaware of how credentials were obtained, because they had detected no phishing-based compromises. The source could be “credential stuffing”, where criminals use breached usernames and passwords that have been leaked or posted online.
While 35% of data breaches across all sectors involved human error, such as unintended information disclosures or losing data storage devices, the figure was 55% in the health sector and 41% in finance.
OAIC said entities should understand their data holdings and proactively contemplate mitigation steps to “genuinely protect consumers from further harm” when breaches occurred.
People keep finding new ways to make mistakes, but staff education can materially reduce the potential for data breaches.
Emergence plays a role through conducting in-house education sessions, online webinars, and a social media program to educate brokers and their clients about the need for diligence and risk management to avoid data breaches and cyber attacks.
The high rate of notifications highlights the need for cyber insurance.
This article was first published by underwriting agency Emergence on 17 May 2019.