Expert comment: Latest NDB report shows Aus is being targeted

07 Feb 2019

The Office of the Australian Information Commissioner (OAIC) has released its latest Notifiable Data Breaches report.

The report, covering the period from October 1, 2018, to December 31, 2018, found that 64% of the reports were the result of malicious or criminal attacks, three percent were the result of system faults, and 33% were the result of human error.

The Commission received 262 notifications in the three months, the highest number since the commencement of the NDB scheme.  

Personal contact information represented 85% of the notifications received.

Here’s what security experts and executives had to say about the latest OAIC report.

SailPoint chief product officer Paul Trulove 

This is the fourth Quarterly Statistics Report issued by the OAIC, and we are seeing the same patterns continue as in the last three reports.

Health service providers, finance and professional services firms have again made up the top three industries that notified the OAIC of eligible breaches.

And malicious or criminal attacks again accounted for most notifications, followed by human error.

With only four reports issued, spanning a period of less than a year, it’s impossible to say whether we’ll see these patterns continue, especially as Australian businesses are still learning how to report breaches.

However, the report findings do highlight that Australian businesses have a lot more work to do to improve their security posture.

Australian organisations are struggling to see and understand the risks associated with compromised user credentials, as demonstrated by 43% of cyber incidents involving phishing, 8% resulting from brute-force attacks and 24% from compromised or stolen credentials.

The report reiterates that an organisation’s users have become the easiest route into an organisation for hackers.

This is a trend we do not expect will ease up, as hackers now know that users offer them the keys to the proverbial kingdom, once compromised.

The most secure path forward for organisations today continues to be taking a comprehensive approach to security, one that puts identity governance at the centre, ensuring visibility and governance over all users and their access to all applications and data.

I’m not surprised health service providers for the fourth consecutive report had the highest number of notifications of any sector.

Health service providers are a gold mine of valuable personally identifiable information for cybercriminals, especially as more health information is digitised.

Aura Information Security Australia country manager Michael Warnock

As the number of data breaches continues to remain consistent from quarter to quarter, and as we see more companies transitioning to the cloud, business and IT managers should understand that there is sufficient data risk if insecure cloud practices aren’t addressed with robust security measures and ongoing workforce education.  

Many mid-sized businesses will remain a happy hunting ground for cybercriminals as company management continue their reluctance to allocate investment for high tech protection.  

At the same time, they just don’t expect an attack will happen to them so they refrain from elevating the issue on their training agendas.

The harsh reality is, cyber attacks will continue to grow in both frequency and complexity over the coming year and Australian businesses are a target.  

Both business and IT teams should accept the threat is present, implement ongoing training to teach employees to recognise potential threats, adopt responsible data protection behaviour and allocate sufficient funds to cover protection measures commensurate with their organisation’s risk profile.

LogRhythm Asia Pacific and Japan senior regional marketing director Joanne Wong

Companies in 2019 must take a more holistic approach to cybersecurity and practice good IT and security hygiene such as patching systems and applications, updating and modernising their systems, applications and infrastructure, and controlling access to only those that need access.  

They also need to be able to validate identities and encrypt or apply other safeguards to critical business systems and data.

There’s no doubt that any company having anything of digital value will eventually be compromised.  

The question for management and IT teams is how fast can their security operations team detect these compromises and neutralise the threats.  

Ping Identity APAC chief technology officer Mark Perry

This latest report is a reminder of the fact that balancing security with customer convenience and employee productivity has never been an easy exercise and the race is on to secure enterprise resources before hackers have a chance to breach them.  

The good news is that there is really no excuse these days as modern authentication solutions provide the means to secure the most common enterprise attack vectors without getting in the way of the employees, partners and customers who need access.   

Those organisations seeking to build trust and transitioning to a more hybrid IT infrastructure need to safeguard customer, proprietary and partner data.  

As a result, IT professionals need to understand the value and effectiveness of the appropriate security controls for their businesses before taking a one size fits all approach to protecting data.

WatchGuard Technologies A/NZ country manager Mark Sinclair

No organisation has perfect security but successful companies staying out of these quarterly OAIC NDB reports will have business continuity plans and will have put in place a well-balanced cybersecurity strategy that spreads funds across threat prevention, detection and response, user education, business continuity and disaster recovery.  

Why not test that plan in 2019 to see your technology and employee response in the event of a disaster?

Prior preparation could be the difference between picking up the pieces and shutting down.

Zscaler A/NZ country manager Budd Ilic

This quarterly report would suggest that with almost every breach, you can always take it back to poor IT and security hygiene as the root cause.  

At the same time, it's becoming increasingly clear that traditional security solutions are no longer up to the task when it comes to protecting organisations.

Our environments and architectures are now so complex it’s difficult, if not impossible, for practitioners to effectively monitor their environments, and this is a contributing cause to incidents like this.

The growing usage of mobile devices and cloud-based applications and services means users are not protected, and internet gateways are unable to handle advanced threats. 

Cloud-based security platforms which remove complexity from within the organisation and ensure comprehensive protection are an option for organisations who need to build a perimeter around all users regardless of their location and endpoint device.