The Office of the Australian Information Commissioner’s fourth quarterly Notifiable Data Breaches report shows an increase in the proportion of breaches attributed to malicious or criminal attacks, as well as continued growth in the overall number of notifications.
“Preventing data breaches and improving cyber security must be a primary concern for any organisation entrusted with people’s personal information.”
Angelene Falk, Australian Information Commissioner and Privacy Commissioner
OAIC started publishing its quarterly data breach summary in early 2018, providing insight into the number and nature of the data breaches notified to it during the preceding three months. The fourth summary report was released on 7 February 2019 and covers October, November and December 2018.
This latest instalment of the breach report completes OAIC’s first year of reporting and shows consistent growth in the number of incidents reported, as well as some interesting observations across different industries.
As in the previous reports, the leading cause of notifiable data breaches in the December quarter was malicious or criminal attack, with 168 notifications. Of the 262 notifiable breaches in total, 85 were attributed to human error, while just nine were put down to system fault.
Among the malicious or criminal attacks, compromised credentials (usernames and passwords) were the most common vector. An unsurprisingly high share of these breaches was attributed directly to phishing (43%), with a further 24% caused by credentials compromised through some other means.
In total, 67% of the attacks turned on stolen credentials, hence the Australian Information Commissioner and Privacy Commissioner’s comment that organisations need to protect personal information better by improving the way they safeguard credentials. The Commissioner, Angelene Falk, went on to say, “Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords.”
The second similarity to the previous quarter’s report is that health service providers again topped the list of organisations reporting data breaches (21%). They were followed by the finance sector with 15% of the total, then legal, accounting and management services (9%), private education (8%), and mining and manufacturing (5%).
This ordering has been stable across the quarterly reports, which suggests a genuine pattern rather than a one-off. Notification counts are not a pure measure of attacker effort, though: they also reflect how much personal information a sector holds and how diligently it reports. As the sector breakdown below shows, most healthcare breaches are not attacks at all, whereas in finance they mostly are.
Australia’s finance sector: 70% of breaches caused by malicious or criminal attacks
One useful consequence of gathering these statistics is that organisations can use them to inform their security plans and development programmes. Take the healthcare sector: 54% of healthcare data breaches resulted from human error.
Contrast this with the finance sector, where 70% of breaches were caused by malicious or criminal attacks. The figures point the healthcare industry towards security awareness and greater accountability for how staff handle personal information and credentials, and the finance sector towards stronger technical controls that prevent and detect malicious activity.
The objectives of criminals may not be changing – they still want personal data that can be onward sold for the purposes of identity fraud – but the risks the healthcare sector is facing that relate to something it can completely control (employee behaviour) are greater, so a concerted campaign of security awareness seems in order.
The finance and legal sectors are a different case. They tend to follow established protocols and to have controls in place that limit what an insider mistake can expose: multifactor authentication, separation of duties, segmented (compartmented) networks, and administrative rights restricted to a small, trusted set of accounts. The residual risk is therefore mostly external, so these sectors need to concentrate on their technical countermeasures and on detecting and responding to attacks faster when they occur.
Finance organisations, along with legal and insurance organisations and mining organisations have much to lose when a successful attack occurs. They often hold critical personal information relating to their customers, as well as direct access to their financial assets.
The mining sector may hold commercially sensitive contracts or prospecting reports that foreign states would find invaluable. So it is vital that security programmes take this OAIC report into account and focus on detecting and responding to cyber attacks, especially those that begin with credential compromise.
The problem most organisations face is that the volume of data their security systems produce is enormous. Billions of security events a day can be generated by network devices, operating systems and applications, so sifting through that data by hand is a Herculean task. Systems that analyse it and pick out what might constitute an attack are vital.
A Security Information and Event Management (SIEM) system is the best way an organisation can process all this data, since its purpose is to ingest security events and correlate them (find patterns of activity) against known attack behaviours. Next generation SIEM technologies go further and build profiles of normal user behaviour, then flag departures from those profiles. This matters for credential theft in particular, because the two common cases look different in the logs: a brute-force or password-spraying attack shows up as a spike in failed authentications against one account or from one source, whereas a login with phished credentials often generates no failures at all and is only noticeable because it comes from an unfamiliar location, device or time of day for that user.
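The following is an added example, not code from the article or from any product it refers to, of the two detections just described: a per-user baseline built from a quiet period, then a failure-burst rule (brute force) and a never-seen-country rule (stolen credentials) run over later events, with a success immediately after a burst from the same address escalated to a suspected compromise. The log line format, field names and thresholds are assumptions for the example, and every log line is constructed.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user success ip country")
Alert = namedtuple("Alert", "kind user ip ts detail")

WINDOW_MINUTES = 10   # fixed bucket size for counting failures (assumed)
MIN_BURST = 10        # never alert below this many failures in one bucket (assumed)

# Constructed baseline period: two normal working days, a couple of typos.
BASELINE_LINES = [
    "2018-11-01T08:01:10 alice SUCCESS 203.0.113.10 AU",
    "2018-11-01T08:02:30 bob SUCCESS 203.0.113.11 AU",
    "2018-11-01T08:05:00 alice FAIL 203.0.113.10 AU",
    "2018-11-01T08:05:20 alice SUCCESS 203.0.113.10 AU",
    "2018-11-02T08:00:05 alice SUCCESS 203.0.113.10 AU",
    "2018-11-02T08:03:40 bob SUCCESS 203.0.113.11 AU",
    "2018-11-02T08:04:00 carol FAIL 203.0.113.12 AU",
    "2018-11-02T08:04:10 carol SUCCESS 203.0.113.12 AU",
]
# Constructed live period: 12 failures against bob from one foreign address
# ending in a success, then alice logging in from a country never seen before.
LIVE_LINES = (
    [f"2018-11-03T02:10:{s:02d} bob FAIL 198.51.100.7 RO" for s in range(0, 48, 4)]
    + ["2018-11-03T02:10:50 bob SUCCESS 198.51.100.7 RO",
       "2018-11-03T09:00:00 alice SUCCESS 192.0.2.99 US",
       "2018-11-03T09:30:00 carol SUCCESS 203.0.113.12 AU"]
)


def parse(lines):
    """Parse 'timestamp user RESULT ip country' lines (assumed format) into Events."""
    events = []
    for line in lines:
        ts, user, result, ip, country = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, result == "SUCCESS", ip, country))
    return sorted(events, key=lambda e: e.ts)


def bucket(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def build_baseline(events):
    """Profile normal behaviour: countries seen per user and peak failures per bucket."""
    countries = defaultdict(set)
    fails = defaultdict(Counter)
    for e in events:
        countries[e.user].add(e.country)
        if not e.success:
            fails[e.user][bucket(e.ts)] += 1
    peak_fails = {u: max(c.values()) for u, c in fails.items()}
    return {"countries": dict(countries), "peak_fails": peak_fails}


def detect(events, baseline):
    """Run the burst and new-country rules over events, returning Alerts in order."""
    alerts = []
    fails = defaultdict(Counter)   # (user, ip) -> bucket -> failure count
    fired = set()                  # (user, ip, bucket) pairs already alerted on
    for e in events:
        key, b = (e.user, e.ip), bucket(e.ts)
        if not e.success:
            fails[key][b] += 1
            # Threshold scales with the user's own baseline noise but never drops below MIN_BURST.
            threshold = max(MIN_BURST, 5 * baseline["peak_fails"].get(e.user, 0))
            if fails[key][b] >= threshold and (key, b) not in fired:
                fired.add((key, b))
                alerts.append(Alert("brute_force", e.user, e.ip, e.ts,
                                    f"{fails[key][b]} failures in {WINDOW_MINUTES} min (threshold {threshold})"))
            continue
        known = baseline["countries"].get(e.user, set())
        if (key, b) in fired:
            # A success right after a burst from the same address: the guess probably landed.
            alerts.append(Alert("credential_compromise_suspected", e.user, e.ip, e.ts,
                                "success following a failure burst from the same address"))
        elif known and e.country not in known:
            # No failures at all, so only the profile reveals this one (the phishing case).
            alerts.append(Alert("new_country_login", e.user, e.ip, e.ts,
                                f"{e.country} not in baseline {sorted(known)}"))
    return alerts


def run_example():
    baseline = build_baseline(parse(BASELINE_LINES))
    return detect(parse(LIVE_LINES), baseline)


if __name__ == "__main__":
    for a in run_example():
        print(a.ts.isoformat(), a.kind, a.user, a.ip, a.detail)
```

Running it produces three alerts: a brute_force alert on bob's tenth failure, a credential_compromise_suspected alert on the success that follows it, and a new_country_login alert for alice, who never failed a login at all. A user with no baseline at all (a new starter, say) gets no country alert here; in a real deployment that case needs its own rule rather than silence.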
A SIEM helps address this technical side of security, allowing security managers and CISOs to focus on user education and general security awareness training. But what happens when there is a breach, be it malicious or accidental?
Incident response is one of the most important stages of cyber threat management, yet it is the least well understood and the least rehearsed. In the same way that organisations run fire drills so staff know what to do if the building goes up in flames, the security team needs to build incident response drills into the organisation’s preparedness.
Response drills should form part of security awareness programmes, since knowing what to do when there is an incident (even something as small as a user clicking a phishing link and reporting it promptly) will often be the difference between stopping an attack before it causes damage and an outcome that could be existential for the organisation.
As Angelene Falk said, “Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords.” This extends to knowing exactly what to do if an attack happens. “If a data breach occurs, early notification can help anyone who is affected take action to prevent harm. By changing passwords, checking your credit report, and looking out for scams using your personal information, you can help minimise the harm that can result from a data breach.”