The Office of the Australian Information Commissioner (OAIC) released its latest statistics on notifiable data breaches covering the period from January to June 2020. Interestingly, this report showed a 3% decrease in the number of breaches in this period, compared to the previous report covering July to December 2019. By all accounts, the pandemic seems to have made no significant difference to the number of breaches that were reported, even though the volume of phishing attacks and criminal cyber activity purportedly skyrocketed.
The OAIC’s latest report provides a solid comparison to the previous reporting period, showing the number of malicious criminal attacks had dropped by 7%, while the number of human error related breaches went up by the same value (7%). In total, organisations notified the OAIC 518 times during January to June 2020, and while down from the previous period, this number was up by 16% on the same quarter in 2019. Overall, malicious or criminal attacks (inclusive of cyber incidents) were the leading cause of breaches, totalling 61% of all notifications, while breaches resulting from human error made up much of the rest (34%). Healthcare was the worst hit sector (22%), followed by finance (14%). In most cases, breaches affected fewer than 100 individuals, which is a consistent finding of all preceding reports.
The question is, what does this tell us? Does it help us make better security investment decisions? Does it highlight what activities we should focus on within our own organisations to improve our security posture and better manage information risk? The problem is, every organisation is different, and individual circumstances account for much of the nuance in decision making, so while these statistics show us at a high level that healthcare organisations are more of a target than some other sectors, it’s more likely that it’s because many healthcare organisations are underfunded and stuck with old technology systems, so a breach is easier to carry out and personal patient data is easier to acquire.
What about the pandemic and its effect on cyber breaches? The statistics here might suggest that COVID-19 has not caused any rise in malicious cyberattacks; in fact, this report shows an overall reduction of 7%. However, the 7% rise in human error related breaches shows that during this period of disruption, more mistakes were made by users leading to a breach.
An ACSC report published in April 2020 shows a massive rise in phishing attacks, mostly themed around COVID-19, and using multiple mediums such as SMS and email to dupe victims into giving up their personal information or to steal credentials. Yet, cross referencing this with the OAIC’s report, it seems that the elevated threat from phishing didn’t have any effect on the number of successful breaches that were reported. How can this be? Were users better informed during the crisis, so they knew not to click on links and open malicious attachments? Or perhaps organisations were better placed to prevent serious harm occurring and so avoided the need to report the breach.
It’s likely there are many factors at play and a simple answer is impossible to hypothesise. The first point is that the OAIC’s report relies on organisations knowing they were breached and properly reporting all the facts. During the pandemic, it’s likely that in some organisations distracted IT teams were focused on shifting users into a remote working environment and could easily have missed a breach or successful cyberattack. Certainly, the fact that the volume of phishing campaigns rose would suggest a higher degree of success on the part of the criminals, especially with the underlying backstory of COVID-19 and people’s appetite for information relating to the virus’s spread, along with possible vaccines and cures.
The fact that breaches relating to human error rose during this period is no surprise at all. During times of mass disruption like the pandemic, people are generally distracted, unsure of how to operate and going through struggles in their personal lives, which means their normal levels of security awareness were likely affected.
One thing is for certain, malicious actors are still the number one cause of data breaches, so nothing has changed in terms of ensuring key security controls are in place and operating effectively. Security operations teams must remain vigilant and organisations should continue to raise cyber security awareness across their workforces.
The OAIC report demonstrates that the overall focus of Australian cyber defences doesn’t need an overhaul. Organisations may want to adopt a broader emphasis on security awareness training, but most should be doing this anyway, so all that’s needed is raising awareness about COVID-19 related phishing. Since malicious cyber-attacks are the most likely cause of a breach, then the best approach is to use the ACSC’s Essential Eight Strategies to Mitigate Cyber Security Incidents and ensure all eight controls are fully implemented across your business and monitored for ongoing compliance. With these eight controls, ACSC suggests that organisations can fend off around 85% of targeted attacks, so the impact on these notifiable data breach numbers would be significant if all Australian organisations moved to implement them.
ACSC Essential Eight Security Controls
The most important consideration when you implement the Essential Eight security controls is ensuring you monitor their compliance to a chosen benchmark. Huntsman Security’s Essential 8 Auditor provides a full point in time assessment of your compliance against the Essential Eight Cyber Maturity Framework, reporting in such a way that external auditors can see exactly how aligned you are to ACSC’s recommendations.
Huntsman Security also provides a technology platform, the Essential 8 Scorecard, that delivers ongoing, real-time assessment of compliance to the Essential Eight. This means your internal teams can instantly see when a control drifts off the required security target. The solution continuously measures the effectiveness of your organisation’s controls against the Essential Eight Framework and displays the results on dashboards designed to communicate with the IT and Security Operations teams. It also produces and distributes regular reports to designated stakeholders across the business – providing visibility of the organisation’s current security and risk status.
Staying focused on building and maintaining cyber resilience is important, and it is worth pointing out that COVID-19 has not necessitated any changes to existing recommended technical security controls. By using the Essential Eight Framework as your baseline security target, to achieve and maintain, you minimise the risk of your organisation becoming yet another statistic in an OAIC Notifiable Data Breach Report.